Description:

Limit guest user permissions.


Rationale:

Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. If guest access is not limited, guests have the same access to directory data as regular member users, so any external collaborator invited into the tenant can read the full directory.


Default Value:

By default, Guest users permissions are limited is set to Yes.


Audit:

  1. Go to Azure Active Directory

  2. Go to External Identities

  3. Go to External collaboration settings

  4. Ensure that Guest users permissions are limited is set to Yes

Remediation:

Pre-Requisite:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges.

Implementation Steps:

  1. Go to Azure Active Directory

  2. Go to External Identities

  3. Go to External collaboration settings

  4. Set Guest users permissions are limited to Yes

Backout Plan:

  1. Go to Azure Active Directory

  2. Go to External Identities

  3. Go to External collaboration settings

  4. Set Guest users permissions are limited back to the value recorded before remediation (No), which reverts the change

Note:

At the time this recommendation was written there was no API/CLI mechanism to programmatically assess it; the setting has since been exposed as the guestUserRoleId property of the tenant's Microsoft Graph authorizationPolicy (readable with Policy.Read.All, writable with Policy.ReadWrite.Authorization), so it can now be audited and remediated from script.
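The following PowerShell script is an added example and not part of the original benchmark. It audits, remediates and backs out this setting through the Microsoft Graph authorizationPolicy resource, which is where the portal toggle is stored: the portal value Yes corresponds to the Guest User role template ID 10dae51f-b6af-4016-8d66-8c2a99b929b3 (the tenant default), No corresponds to the User role template ID a0b1b346-4d3e-4e8b-98f8-753987be4970, and a stricter Restricted Guest User option 2af84b1e-32c8-42b7-82bc-daa82404023b also exists. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in account holds Policy.ReadWrite.Authorization (Policy.Read.All is enough for the audit alone); the function names Get-GuestPermissionState and Set-GuestPermissionState are this example's own.

```powershell
# Added example, not part of the original benchmark text.
# Assumes the Microsoft.Graph PowerShell module (Connect-MgGraph / Invoke-MgGraphRequest)
# and an account holding Policy.Read.All (audit) or Policy.ReadWrite.Authorization
# (remediation and backout).

# Role template IDs Microsoft documents for authorizationPolicy.guestUserRoleId.
$GuestRoleIds = @{
    SameAsMember = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'   # portal "No": same access as members
    Limited      = '10dae51f-b6af-4016-8d66-8c2a99b929b3'   # portal "Yes": limited (tenant default)
    Restricted   = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # most restrictive option
}
$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

function Get-GuestPermissionState {
    # Audit: read the tenant policy and decide whether it meets the recommendation.
    $policy  = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    $current = $policy.guestUserRoleId
    $name    = ($GuestRoleIds.GetEnumerator() | Where-Object { $_.Value -eq $current }).Key
    if (-not $name) { $name = 'Unknown' }   # unrecognised ID is treated as non-compliant
    [pscustomobject]@{
        GuestUserRoleId = $current
        Setting         = $name
        Compliant       = ($name -in @('Limited', 'Restricted'))
    }
}

function Set-GuestPermissionState {
    # Remediation: write a new guestUserRoleId, returning the previous one for backout.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SameAsMember', 'Limited', 'Restricted')]
        [string]$Setting
    )
    $before = (Get-GuestPermissionState).GuestUserRoleId
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body @{ guestUserRoleId = $GuestRoleIds[$Setting] }
    [pscustomobject]@{
        PreviousGuestUserRoleId = $before
        NewGuestUserRoleId      = $GuestRoleIds[$Setting]
    }
}

# Audit
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
$state = Get-GuestPermissionState
$state

# Remediation, only when the audit fails; keep the returned object for the backout plan.
if (-not $state.Compliant) {
    $change = Set-GuestPermissionState -Setting Limited
    $change

    # Backout plan: restore the value captured before remediation.
    # Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body @{ guestUserRoleId = $change.PreviousGuestUserRoleId }
}
```

Run the audit section on its own with Policy.Read.All to check compliance without changing anything; the PATCH in the backout comment is left commented out so it is only executed deliberately, with the previous ID that Set-GuestPermissionState returned.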

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users

  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management

  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy