Description:
The 'Guest user access restrictions' setting in Microsoft Entra ID (formerly Azure Active Directory) controls how much of the directory guest (B2B) users can read. Its most restrictive option, 'Guest user access is restricted to properties and memberships of their own directory objects', limits a guest to the properties and memberships of their own directory objects (in practice, their own profile); guests can no longer browse other users' profiles, groups, or group memberships. The setting is tenant-wide and is stored in Microsoft Graph as the guestUserRoleId property of the authorizationPolicy object.
Applying this option ensures that external users are limited to the directory data they are specifically associated with, reducing the directory reconnaissance a compromised or malicious guest account can perform and minimizing unnecessary exposure of directory information.
Rationale:
By restricting guest users' access:
Enhance security: Prevents unauthorized access by guest users to sensitive user information, protecting internal resources.
Limit data exposure: Ensures that guest users can only see the information relevant to them, reducing the risk of information leakage or inappropriate access.
Comply with security best practices: Adopting this restriction aligns with security frameworks that advocate for limiting guest users' access to only the necessary resources.
Impact:
Increased security by limiting the data guest users can access to only what is necessary.
Reduced functionality for guest users: people pickers, member lists and group-membership views in applications that read the directory on the guest's behalf (for example Teams or SharePoint) may show fewer results or none. Test representative guest collaboration scenarios before rolling the change out tenant-wide; for most organizations the tighter control outweighs this inconvenience.
Improved governance by ensuring that guest users cannot inadvertently or maliciously access non-relevant data.
Default Value:
By default, Microsoft Entra ID uses the middle option, 'Guest users have limited access to properties and memberships of directory objects', under which guests can still read the membership of all non-hidden groups and a limited set of properties of other users. The most restrictive option must be configured explicitly.
Pre-requisites:
A Microsoft Entra ID tenant (an Azure subscription is not required to manage this setting).
Global Administrator or Privileged Role Administrator permissions to configure external collaboration settings; for scripted changes through Microsoft Graph, the Policy.ReadWrite.Authorization scope (Policy.Read.All is sufficient to audit).
A test guest account in the directory, so the effect of the change can be verified from the guest's perspective.
Audit:
Sign in to the Azure portal (or the Microsoft Entra admin center) as a Global Administrator or Privileged Role Administrator.
Navigate to Microsoft Entra ID > External Identities > External collaboration settings.
Ensure that 'Guest user access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'. Equivalently, GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy should return guestUserRoleId = 2af84b1e-32c8-42b7-82bc-daa82404023b; the values 10dae51f-b6af-4016-8d66-8c2a99b929b3 (limited access, the default) and a0b1b346-4d3e-4e8b-98f8-753987be4970 (same access as members) are non-compliant.
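The audit above can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example (not part of the original page); it assumes the Microsoft.Graph.Identity.SignIns module (SDK v2) is installed and that the signed-in account can consent to the read-only Policy.Read.All scope. The role template IDs in the lookup table are the documented values Entra ID stores in authorizationPolicy.guestUserRoleId.

```powershell
# Added audit example: report the current 'Guest user access restrictions' value and
# whether it matches the most restrictive option. Read-only; no changes are made.
# Assumes Microsoft.Graph.Identity.SignIns (Graph PowerShell SDK v2) is installed.

# Documented role template IDs for the three portal options
$GuestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members (most inclusive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest users have limited access to properties and memberships of directory objects (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'
}
$MostRestrictiveRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Test-GuestUserAccessRestriction {
    [CmdletBinding()]
    param()

    # Auditing only needs read scope; never request write scope for a check.
    Connect-MgGraph -Scopes 'Policy.Read.All'

    $policy  = Get-MgPolicyAuthorizationPolicy
    $current = $policy.GuestUserRoleId

    if ([string]::IsNullOrEmpty($current)) {
        # Defensive: an unexpected empty value is treated as non-compliant rather than guessed at.
        $name = 'Not returned by the directory'
    } elseif ($GuestRoleNames.ContainsKey($current)) {
        $name = $GuestRoleNames[$current]
    } else {
        $name = "Unrecognised role template id ($current)"
    }

    [pscustomobject]@{
        GuestUserRoleId = $current
        Setting         = $name
        Compliant       = ($current -eq $MostRestrictiveRoleId)
    }
}

$result = Test-GuestUserAccessRestriction
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "Non-compliant: set 'Guest user access restrictions' to the most restrictive option."
}
```

The function returns an object rather than just printing, so it can be fed into a larger benchmark report or a scheduled compliance check; `Compliant` is true only for the exact most-restrictive GUID, so both the default and the most inclusive setting are flagged.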
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
In the Azure portal, go to Microsoft Entra ID.
Go to External Identities:
Under Manage, select External Identities > External collaboration settings.
Modify Guest User Access Restrictions:
In the External collaboration settings, locate 'Guest user access restrictions'.
Set the option to 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'.
Save the Configuration:
After setting the option, click Save to apply the changes.
Verify the Setting:
After saving, confirm that the portal (or GET /policies/authorizationPolicy in Microsoft Graph) reports the most restrictive value, then test from the guest side: sign in as a test guest user and attempt to read another user's profile or a group's membership, for example by listing users through Microsoft Graph. The request should be denied (Graph returns 403 Authorization_RequestDenied). Note that the change applies tenant-wide and may take a few minutes to be reflected in every application.
Monitor Guest User Access:
Use the Microsoft Entra sign-in and audit logs to monitor guest activity. Route them to a Log Analytics workspace through diagnostic settings and create Azure Monitor (or Microsoft Sentinel) alerts for anomalies such as guest sign-ins from unexpected applications or locations, and for any audit event that modifies the authorization policy, so an unauthorized relaxation of this setting is detected.
Communicate to Users:
Inform guest users that they now have restricted access to only the information relevant to their specific role or membership in the organization, and that they cannot view other users' directory objects.
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
Go to Microsoft Entra ID > External Identities > External collaboration settings.
Revert the Guest User Access Restrictions:
In the External collaboration settings, change 'Guest user access restrictions' back to the previously recorded, less restrictive option, normally 'Guest users have limited access to properties and memberships of directory objects' (the tenant default); 'Guest users have the same access as members (most inclusive)' should only be chosen if that was the documented prior state.
Save the Configuration:
Click Save to apply the changes and revert to the previous access settings.
Test the Reverted Configuration:
Sign in as a test guest user and verify that the broader directory access consistent with the restored option (for example, reading the membership of a non-hidden group) works again.
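Both the implementation steps and the backout plan change the same Graph property, so one script serves both. The following is an added example (not part of the original page); it assumes the Microsoft.Graph.Identity.SignIns module (Graph PowerShell SDK v2), the Policy.ReadWrite.Authorization scope, and the documented role template IDs. `-Level MostRestrictive` implements the control; `-Level Limited` (the tenant default) or `-Level SameAsMembers` performs the backout. The change-log path is a hypothetical local file chosen for this example.

```powershell
# Added implementation/backout example: set authorizationPolicy.guestUserRoleId and read it
# back to confirm. Assumes Graph PowerShell SDK v2 (Microsoft.Graph.Identity.SignIns).

$GuestRoleIds = @{
    SameAsMembers   = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'   # most inclusive
    Limited         = '10dae51f-b6af-4016-8d66-8c2a99b929b3'   # tenant default
    MostRestrictive = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # recommended by this control
}

function Set-GuestUserAccessRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SameAsMembers', 'Limited', 'MostRestrictive')]
        [string]$Level,

        # Hypothetical path used to record the prior value so a backout can restore it exactly.
        [string]$ChangeLog = '.\guest-access-change.log'
    )

    Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

    $target = $GuestRoleIds[$Level]
    $before = (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
    Write-Verbose "Current guestUserRoleId: $before"

    if ($before -eq $target) {
        Write-Host "guestUserRoleId is already $Level ($target); nothing to do."
        return $true
    }

    # Honour -WhatIf / -Confirm before touching a tenant-wide setting.
    if (-not $PSCmdlet.ShouldProcess('authorizationPolicy', "Set guestUserRoleId to $Level ($target)")) {
        return $false
    }

    # Record previous -> new value first, so the backout plan knows what to restore.
    "$(Get-Date -Format o) guestUserRoleId $before -> $target" | Add-Content -Path $ChangeLog

    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $target

    # Verification: the change only counts once the directory reports the new value.
    $after = (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
    if ($after -ne $target) {
        Write-Error "Verification failed: expected $target, directory reports $after"
        return $false
    }
    Write-Host "guestUserRoleId is now $Level ($after)."
    return $true
}

# Implementation: apply the control (add -WhatIf to preview).
Set-GuestUserAccessRestriction -Level MostRestrictive -Verbose

# Backout: restore the tenant default, or SameAsMembers if the change log shows that was the prior value.
# Set-GuestUserAccessRestriction -Level Limited
```

Run the audit check afterwards from the guest side as well: a test guest connecting with `Connect-MgGraph -TenantId <tenant-id>` and calling `Get-MgUser -Top 5` should receive 403 Authorization_RequestDenied while the most restrictive option is in force, and should succeed again after a backout to the default.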