Description:
Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization while maintaining control over your own corporate data.
Rationale:
Guest users in Azure AD are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants. Guest users should be reviewed on a regular basis, at least annually. Guest users should not be granted administrative roles where possible.
Impact:
Unless there is a business need to provide guest access to a user, avoid creating guest users. If guest accounts are being used, they should be removed when no longer required.
Audit:
Go to Azure Active Directory
Go to Users and groups
Go to All Users
Click on Add filters, select User type, then click on Apply
Click on User type, select Guest users, then click on Apply
- Ensure that guest users listed are still required (USER TYPE = Guest)
Using Azure Command-Line Interface 2.0
az ad user list --query "[?userType=='Guest']"
Ensure all users listed are not inactive and still required.
Using PowerShell
Connect-AzureAD (Only needs to be performed once within the PowerShell session)
Get-AzureADUser -All $true | Where-Object {$_.UserType -like "Guest"} | Select-Object DisplayName, UserPrincipalName, UserType -Unique  # -All $true returns every user; without it only the first page (100 users) is returned and later guests are missed
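The audit above lists guests but leaves the review itself (is the account inactive, does it hold an admin role, was it approved at the last review) to the reader. The following Python script, added here as an illustration and not part of the benchmark or of any Microsoft tooling, takes the JSON that `az ad user list` prints, keeps only guests, and reports each guest that is disabled, sits in a privileged directory role, or is missing from the approved list. The user records are a constructed sample with the field names the Azure CLI returns; the admin-member id set and the approved-UPN list are assumptions standing in for data you would gather from the role assignments page and your last access review.

```python
import json

# Constructed sample standing in for the JSON printed by
#   az ad user list --query "[?userType=='Guest']"
# Field names match what the Azure CLI returns; every value is invented.
SAMPLE_USERS_JSON = json.dumps([
    {"id": "00000000-0000-0000-0000-000000000001",
     "displayName": "Pat Vendor",
     "userPrincipalName": "pat_vendor_example.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000002",
     "displayName": "Old Contractor",
     "userPrincipalName": "old_contractor_example.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": False},
    {"id": "00000000-0000-0000-0000-000000000003",
     "displayName": "Partner Admin",
     "userPrincipalName": "partner_admin_example.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000004",
     "displayName": "Alice Employee",
     "userPrincipalName": "alice@contoso.onmicrosoft.com",
     "userType": "Member", "accountEnabled": True},
])

# Assumption: object ids of members of privileged directory roles, gathered
# separately (for example from the portal's role assignments page). Constructed.
SAMPLE_ADMIN_MEMBER_IDS = {"00000000-0000-0000-0000-000000000003"}

# Assumption: guest UPNs the business approved at the last access review. Constructed.
SAMPLE_APPROVED_UPNS = {"pat_vendor_example.com#EXT#@contoso.onmicrosoft.com"}


def guest_users(users_json):
    """Return only guest accounts, even if the caller omitted the --query filter."""
    return [u for u in json.loads(users_json) if u.get("userType") == "Guest"]


def audit_guests(users_json, admin_member_ids, approved_upns):
    """Map each guest UPN to the list of reasons it needs attention (empty = fine)."""
    findings = {}
    for user in guest_users(users_json):
        upn = user["userPrincipalName"]
        reasons = []
        if not user.get("accountEnabled", True):
            reasons.append("disabled: inactive guest, remove if no longer required")
        if user["id"] in admin_member_ids:
            reasons.append("admin-role: guest holds a privileged directory role")
        if upn not in approved_upns:
            reasons.append("unapproved: not on the last access-review list")
        findings[upn] = reasons
    return findings


if __name__ == "__main__":
    report = audit_guests(SAMPLE_USERS_JSON, SAMPLE_ADMIN_MEMBER_IDS, SAMPLE_APPROVED_UPNS)
    for upn, reasons in report.items():
        print(f"{upn}: {'; '.join(reasons) if reasons else 'ok'}")
```

To run it against a real tenant, replace `SAMPLE_USERS_JSON` with the output of the `az ad user list` command from the audit step (saved to a file) and fill the two sets from your own records; the script itself never calls Azure, so it can run wherever the exported JSON is reviewed.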
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation:
Go to Azure Active Directory
Go to Users and groups
Go to All Users
Click on Add filters, select User type, then click on Apply
Click on User type, select Guest users, then click on Apply
Select the Guest user which is no longer required and then click on Delete User
Backout Plan:
After deleting guest users we cannot restore them, but we can add a new guest user to the organization or invite a new guest user to collaborate with the organization.