Description:
Azure AD lets you control who in the directory is allowed to invite external guest users (B2B collaboration) through the Guest invite settings under External collaboration settings. This is separate from the guest user access restriction: by default, guest users are set to a limited permission level that blocks them from enumerating users, groups, or other directory resources, but lets them see membership of non-hidden groups.
This recommendation restricts the guest invite permission to administrators and users assigned the Guest Inviter role only.
Rationale:
Restricting invitations to administrators (and explicitly delegated Guest Inviters) ensures that only authorized accounts can bring external identities into the directory and, through them, grant access to cloud resources. This helps maintain "need to know" permissions and prevents inadvertent access to data.
Impact:
Restricting the invitation permission to administrators reduces the risk of unwanted external users being added to the directory and makes the tenant more resilient. Ordinary members and existing guests will no longer be able to invite guests themselves; invitations must go through an administrator or a user explicitly assigned the Guest Inviter role.
Default Value:
By default, users and guests in your directory can invite guests even if they're not assigned to an admin role.
Audit:
Sign in to the Azure portal.
From the console go to Azure Active Directory.
Go to External Identities.
Go to External collaboration settings.
Check the Guest invite settings.
Confirm that Only users assigned to specific admin roles can invite guest users is selected. A tenant still at the default shows Anyone in the organization can invite guest users including guests and non-admins, which fails this check.
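The same audit can be scripted against the tenant's authorization policy, which is the object behind the Guest invite settings radio buttons. The following PowerShell is an added example and is not part of the original benchmark page; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) is installed, that the signed-in account has the Policy.Read.All permission, and that the cmdlet and property names are those of SDK v2. The function name Test-GuestInviteRestriction and the label mapping are ours.

```powershell
# Added example, not the benchmark's own code: audit the tenant-wide guest invite
# setting via the authorization policy exposed by Microsoft Graph.
Import-Module Microsoft.Graph.Identity.SignIns

function Test-GuestInviteRestriction {
    # Read-only scope is enough to inspect the policy.
    Connect-MgGraph -Scopes "Policy.Read.All"

    # The authorization policy is a tenant singleton; its allowInvitesFrom value
    # corresponds to the portal's Guest invite settings option.
    $policy  = Get-MgPolicyAuthorizationPolicy
    $setting = $policy.AllowInvitesFrom

    # Map the API value back to the portal label so the audit output is readable.
    $labels = @{
        'everyone'                         = 'Anyone in the organization can invite guest users including guests and non-admins'
        'adminsGuestInvitersAndAllMembers' = 'Member users and users assigned to specific admin roles can invite guest users including guests with member permissions'
        'adminsAndGuestInviters'           = 'Only users assigned to specific admin roles can invite guest users'
        'none'                             = 'No one in the organization can invite guest users including admins'
    }

    # Pass when only admins and Guest Inviters can invite; 'none' is stricter than
    # the recommendation and is also treated as compliant here (our choice).
    $compliant = $setting -in @('adminsAndGuestInviters', 'none')

    [pscustomobject]@{
        AllowInvitesFrom = $setting
        PortalLabel      = $labels[$setting]
        Compliant        = $compliant
    }
}

# Usage: prints the current value, its portal label, and a pass/fail verdict.
Test-GuestInviteRestriction | Format-List
```

A tenant left at the default returns AllowInvitesFrom = everyone and Compliant = False; after remediation it returns adminsAndGuestInviters and Compliant = True.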
Remediation:
Prerequisites:
An Azure account.
An Azure AD tenant associated with the subscription.
Implementation:
Go to Azure Active Directory.
Go to External Identities.
Go to External collaboration settings.
Under Guest invite settings, choose the Only users assigned to specific admin roles can invite guest users option.
Backout Plan:
Go to Azure Active Directory.
Go to External Identities.
Go to External collaboration settings.
Select Anyone in the organization can invite guest users including guests and non-admins to revert to the default.
Via CLI:
The following MSOnline command assigns the built-in Guest Inviter role (role object ID 95e79109-95c0-4d8e-aee3-d01accf2d47b) to a user without granting Global Administrator or any other admin role. Use it together with the Only users assigned to specific admin roles can invite guest users option (labelled Admins and users in the guest inviter role can invite in older versions of the portal), so that invitations are limited to administrators and members of this role. Note that the MSOnline module is deprecated; the same assignment can be made with Microsoft Graph PowerShell.
Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress>
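Because the MSOnline module is deprecated, the following PowerShell shows the remediation, the backout, and the Guest Inviter delegation with Microsoft Graph PowerShell instead. It is an added example and is not code from the original benchmark page; it assumes the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users modules are installed, that the signed-in account holds Policy.ReadWrite.Authorization, RoleManagement.ReadWrite.Directory and User.Read.All, and that cmdlet and parameter names are those of SDK v2. The function names and the user principal name inviter@contoso.onmicrosoft.com are ours.

```powershell
# Added example, not the benchmark's own code: apply the guest invite restriction
# and delegate invitations through the Guest Inviter role using Microsoft Graph
# PowerShell rather than the deprecated MSOnline Add-MsolRoleMember cmdlet.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "RoleManagement.ReadWrite.Directory", "User.Read.All"

function Set-GuestInviteRestriction {
    param(
        # 'adminsAndGuestInviters' is the remediation value; 'everyone' is the
        # backout value that restores the tenant default.
        [ValidateSet('adminsAndGuestInviters', 'everyone', 'adminsGuestInvitersAndAllMembers', 'none')]
        [string]$AllowInvitesFrom = 'adminsAndGuestInviters'
    )
    Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom $AllowInvitesFrom
    # Read the value back so the caller can verify the change took effect.
    (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
}

function Add-GuestInviter {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Template ID of the built-in Guest Inviter role (the same GUID the MSOnline
    # command on this page uses as its role object ID).
    $guestInviterTemplateId = '95e79109-95c0-4d8e-aee3-d01accf2d47b'

    # Built-in roles exist only as templates until they are first activated in
    # the tenant, so activate the role if no instance exists yet.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$guestInviterTemplateId'"
    if (-not $role) {
        $role = New-MgDirectoryRole -RoleTemplateId $guestInviterTemplateId
    }

    # Resolve the user and add it as a member of the role by reference.
    $user = Get-MgUser -UserId $UserPrincipalName
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }

    # Return the current member IDs so the assignment can be verified.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | Select-Object -ExpandProperty Id
}

# Remediation: only admins and Guest Inviters may invite guests.
Set-GuestInviteRestriction -AllowInvitesFrom 'adminsAndGuestInviters'

# Delegate invitations to one named non-admin user (hypothetical UPN).
Add-GuestInviter -UserPrincipalName 'inviter@contoso.onmicrosoft.com'

# Backout: uncomment to restore the default of everyone being able to invite.
# Set-GuestInviteRestriction -AllowInvitesFrom 'everyone'
```

Assigning the Guest Inviter role rather than an admin role keeps the delegate's blast radius to the invitation permission alone, which is the least-privilege intent behind the recommendation.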
Note:
Members can invite and Admins and users in the guest inviter role can invite are the labels used by older versions of the External collaboration settings page. If Members can invite is set to No and Admins and users in the guest inviter role can invite is set to Yes, users assigned the Guest Inviter role can still invite guests; this combination is equivalent to the Only users assigned to specific admin roles can invite guest users option in the current portal.