Description:

Azure AD allows you to restrict what external guest users can see in your Azure AD directory. By default, guest users are set to a limited permission level that blocks them from enumerating users, groups, or other directory resources, but lets them see membership of non-hidden groups.

Restricting guest invite role to administrators only.


Rationale:

Restricting invitations to administrators ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.


Impact:

Restricting the Invitation permission to only admins eliminates the risk of unwanted users into the directory this improves the resiliency.


Default Value:

By default, users and guests in your directory can invite guests even if they're not assigned to an admin role.


Audit:

  1. Sign into your Azure account

  2. From the console go to Azure Active Directory.

  3. Go to External Identities

  4.  Go to External collaboration settings.

  5. Check the Guest invite settings
    (In this scenario as default the guest invite role is given to all including guests and non-admins)


Remediation:

Prerequisites:

  1. An Azure account.

  2. An Azure AD tenant associated with the subscription.


Implementation:

  1. Go to Azure Active Directory

  2. Go to External Identities

  3. Go to External collaboration settings

  4. Choose the Only users assigned to specific admin roles can invite guest users option.


Backout Plan:

  1. Go to Azure Active Directory

  2. Go to External Identities

  3. Go to External collaboration settings

  4. Select Anyone in the organization can invite guest users including guests and non-admins (to revoke the changes to default).


Via CLI:

The following command assigns the Guest Inviter role to a user without assigning them a global administrator or other admin roles. Then make sure you set Admins and users in the guest inviter role can invite is chosen.

Add-MsolRoleMember 

-RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b 

-RoleMemberEmailAddress <RoleMemberEmailAddress>


Note:

If Members can invite is set to No and Admins and users in the guest inviter role can invite is set to Yes, users in the Guest Inviter role will still be able to invite guests.

 

Reference: