Description:
Limit guest user permissions.
Rationale:
Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups, or other directory resources, and cannot be assigned to administrative roles in your directory. If guest access is not limited, guest users have the same access to directory data as regular member users, so an external account (or an attacker who compromises one) can enumerate the whole tenant.
Default Value:
By default, Guest users permissions are limited is set to Yes.
Audit:
Go to Azure Active Directory
Go to External Identities
Go to External collaboration settings
Ensure that Guest users permissions are limited is set to Yes
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation Steps:
Go to Azure Active Directory
Go to External Identities
Go to External collaboration settings
Set Guest users permissions are limited to Yes
Backout Plan:
Go to Azure Active Directory
Go to External Identities
Go to External collaboration settings
Set Guest users permissions are limited back to No to revert the change (this restores guest users' previous, less restrictive access; record the value that was in place before remediation so the backout restores exactly that setting).
Note:
This setting is exposed through Microsoft Graph as the guestUserRoleId property of the tenant's authorizationPolicy (GET or PATCH /policies/authorizationPolicy), so it can be assessed and remediated programmatically as well as through the portal. Reading the policy requires the Policy.Read.All permission; changing it requires Policy.ReadWrite.Authorization.
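The following PowerShell script is an added example covering the Audit, Implementation and Backout steps above; it is not part of the original benchmark text. It assumes the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Authentication) is installed, that the account used can consent to the Policy.Read.All and Policy.ReadWrite.Authorization scopes, and it uses the guestUserRoleId values Microsoft documents for the three guest access levels. The function names Test-GuestPermissionsLimited and Set-GuestPermissionsLimited are our own.

```powershell
# Added audit/remediation helper for "Guest users permissions are limited".
# Not part of the original benchmark text. Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph.Authentication).

# guestUserRoleId values documented by Microsoft for authorizationPolicy.
$MemberRoleId     = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'  # same access as members ("No")
$LimitedRoleId    = '10dae51f-b6af-4016-8d66-8c2a99b929b3'  # limited access ("Yes", default)
$RestrictedRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'  # restricted to own objects (most restrictive)

$GuestRoleLabels = @{
    $MemberRoleId     = 'Guest users have the same access as members (most inclusive)'
    $LimitedRoleId    = 'Guest users have limited access to properties and memberships of directory objects'
    $RestrictedRoleId = 'Guest user access is restricted to properties and memberships of their own directory objects'
}

$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

function Get-GuestUserRoleId {
    # Reads the singleton authorizationPolicy and returns its guestUserRoleId.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    return [string]$policy.guestUserRoleId
}

function Test-GuestPermissionsLimited {
    # Audit step. Returns $true when guests do NOT have member-level access,
    # i.e. the setting is "Yes" (limited) or the stricter "restricted" level.
    Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null
    $roleId = Get-GuestUserRoleId
    $label  = if ($roleId -and $GuestRoleLabels.ContainsKey($roleId)) { $GuestRoleLabels[$roleId] } else { 'unknown role id' }
    Write-Host "guestUserRoleId = $roleId ($label)"
    return ($roleId -ne $MemberRoleId)
}

function Set-GuestPermissionsLimited {
    # Implementation step: sets limited access (portal "Yes").
    # -RoleId lets the Backout step restore the exact value recorded before
    # remediation (for example $MemberRoleId to put the portal setting back to "No").
    param([string]$RoleId = $LimitedRoleId)

    if (-not $GuestRoleLabels.ContainsKey($RoleId)) {
        throw "Refusing to set unknown guestUserRoleId '$RoleId'"
    }
    Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' | Out-Null

    # Record the current value so the change can be reverted precisely.
    $previous = Get-GuestUserRoleId
    Write-Host "Previous guestUserRoleId: $previous"

    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body @{ guestUserRoleId = $RoleId } | Out-Null
    Write-Host "guestUserRoleId set to $RoleId ($($GuestRoleLabels[$RoleId]))"
    return $previous
}

# Usage:
#   Test-GuestPermissionsLimited                       # $true = compliant
#   $prior = Set-GuestPermissionsLimited               # remediate, keep prior value
#   Set-GuestPermissionsLimited -RoleId $prior         # backout to the recorded value
```

The audit treats both the limited and the most-restrictive role as compliant, since either removes the member-level enumeration rights this recommendation is concerned with; only the member-equivalent role id fails the check. The PATCH is issued against the singleton authorizationPolicy resource, so no object id is needed.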