Description:

Guest users in Microsoft Entra ID (formerly Azure Active Directory) are users who are not part of your organization's directory but are granted access to your resources. These users could be external partners, contractors, or collaborators who need access to your organization's data and services. However, maintaining a regular review of guest user access is essential to ensuring that only necessary external users have access to your resources.

Regularly reviewing guest users ensures that outdated or unnecessary accounts are removed, reducing the risk of unauthorized access and minimizing your organization's attack surface.

Rationale:

Regularly reviewing guest users helps:

  • Improve security by ensuring that only current, authorized users have access to your resources.

  • Reduce access risks by removing unnecessary or outdated guest accounts, especially once projects are completed or contracts expire.

  • Maintain compliance with organizational policies or regulatory standards, which often require periodic reviews of user access to systems and data.

  • Enforce the principle of least privilege, ensuring that external users only have access to the data and services they need for their specific roles.

Impact:

  • Increased security by reducing the number of active guest users and ensuring that only those who need ongoing access are retained.

  • The process will require ongoing effort to review and remove guest users periodically.

  • There may be operational disruptions if access is removed for guest users who still require it; however, this can be mitigated by ensuring that the review process involves communication with business owners or project managers.

Default Value:

By default, guest users can remain active until manually removed or deactivated by administrators. Azure does not automatically enforce periodic reviews of guest accounts.

Pre-requisites:

  • Azure subscription with Microsoft Entra ID (Azure AD) configured.

  • Global Administrator or User Administrator role permissions to review and remove guest users.

  • A process in place for identifying the need for guest user access to remain, such as coordination with project owners or managers.

Audit:

  1. Sign in to Azure portal as a Global Administrator or User Administrator.

  2. Navigate to Microsoft Entra ID (Azure AD) > Users.

  3. Review guest user accounts to verify that all external users are still necessary for the organization's activities.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or User Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Azure Active Directory.

  3. Review Guest User Accounts:

    • In the Azure AD pane, select Users under Manage.

    • Use the User type filter to display Guest users. You can also create a custom query in Azure AD to filter for guest users.

  4. Set a Review Process:

    • Define a regular cadence for reviewing guest users. This could be quarterly, bi-annually, or according to your organization's policies.

    • Communicate with relevant stakeholders (e.g., project owners, managers, or business units) to confirm whether the external users still need access.

  5. Review Guest User Access:

    • Review each guest user’s access to ensure it is still necessary for their work. If the guest user's project or contract has ended, remove their access.

    • For each guest user, verify their assigned roles and access permissions within the organization.

  6. Remove Unnecessary Guest Users:

    • For any guest user who no longer requires access, click on the user and select Delete to remove them from the organization.

    • Alternatively, disable guest users if you wish to preserve their data and group memberships but remove their ability to sign in.

  7. Set Retention Policies (Optional):

    • If desired, set up access review policies in Microsoft Entra ID for guest users to be reviewed automatically every 30/60/90 days. This ensures ongoing compliance with the review process.

    • Navigate to Azure Active Directory > Identity Governance > Access Reviews, and configure access reviews for guest users.

  8. Verify and Document Review Process:

    • After the review, ensure that the process is well documented and that any guest user removals or changes are logged in Azure AD Audit logs.

    • Communicate the outcome of the review to relevant teams to ensure alignment on guest user access policies.

  9. Automate the Review Process (Optional): You can automate the review process using Azure AD Access Reviews. Here's how:

    • Navigate to Identity Governance > Access Reviews.

    • Select + New access review.

    • Set the scope of the review to target guest users and define the review frequency (e.g., every 30 days).

    • Choose the reviewers (e.g., managers, project leads, or IT admins) who will approve or deny access.

    • Configure the review policy to ensure that expired or unnecessary access is revoked.
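The following script is an added example (not part of the benchmark text) that performs steps 3, 5 and 6 above with the Microsoft Graph PowerShell SDK: it lists every guest, flags accounts whose invitation was never accepted or that have not signed in within an assumed 90-day threshold, writes a CSV for the stakeholder review, and only disables flagged accounts when run with -Disable. It assumes the Microsoft.Graph module is installed and that the tenant has an Entra ID P1/P2 licence, which the signInActivity property requires.

```powershell
# Added example, not from the benchmark. Requires the Microsoft.Graph PowerShell SDK.
# Reading signInActivity needs the AuditLog.Read.All scope and a P1/P2 licence;
# User.ReadWrite.All is only exercised when -Disable is supplied.
param(
    [int]$StaleDays = 90,   # assumed review threshold; align with your review cadence
    [switch]$Disable        # report only unless set: no accounts are changed
)

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","User.ReadWrite.All" -NoWelcome

# Step 3: filter the directory down to guest accounts only.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,DisplayName,UserPrincipalName,Mail,AccountEnabled,CreatedDateTime,ExternalUserState,SignInActivity

$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime   # $null when the guest has never signed in
    $reason = if ($g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff) {
        'Invitation never accepted'
    } elseif ($null -eq $last -and $g.CreatedDateTime -lt $cutoff) {
        'No sign-in recorded'
    } elseif ($last -and $last -lt $cutoff) {
        "Last sign-in $([int]((Get-Date) - $last).TotalDays) days ago"
    } else { $null }

    [pscustomobject]@{
        Id                = $g.Id
        DisplayName       = $g.DisplayName
        UserPrincipalName = $g.UserPrincipalName
        Mail              = $g.Mail
        Enabled           = $g.AccountEnabled
        Created           = $g.CreatedDateTime
        LastSignIn        = $last
        Stale             = [bool]$reason
        Reason            = $reason
    }
}

# Step 5: hand the flagged list to project owners before anything is removed.
$report | Sort-Object Stale -Descending | Format-Table DisplayName,Mail,Enabled,LastSignIn,Reason -AutoSize
$report | Export-Csv -Path ".\guest-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Step 6: disable rather than delete, so the account can be re-enabled if an owner objects.
if ($Disable) {
    foreach ($u in $report | Where-Object { $_.Stale -and $_.Enabled }) {
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
        Write-Host "Disabled $($u.UserPrincipalName): $($u.Reason)"
    }
}
```

Each Update-MgUser call is recorded in the Entra ID audit log, which satisfies the logging expectation in step 8.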

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or User Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Azure Active Directory in the Azure portal.

  3. Re-enable Deleted Guest Users (if necessary):

    • If guest users were removed during the review process and you need to reinstate them, you can restore deleted guest users.

    • Navigate to Users > Deleted users, and restore the required guest users. Deleted users can only be restored within the 30-day soft-delete window; after that the account is permanently removed and the guest must be re-invited.

  4. Reassign Roles and Permissions:

    • If necessary, reassign roles and permissions that were previously revoked during the review process. Ensure that the user has appropriate access to perform their job.

  5. Verify the Reversion:

    • Confirm that all necessary guest users are restored and have access to the relevant resources and permissions.

  6. Test the Reverted Configuration:

    • Test by logging in as a restored guest user to confirm they have the necessary access to the resources they require.

References: