Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Guest User Permissions Are Limited

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-012

Ensure that "Guest user permissions are limited" safety feature is enabled within your Microsoft Entra ID settings in order to implement the principle of least privilege and enhance the access security to your Microsoft Entra ID account. The principle of least privilege represents the practice of providing every user the minimal amount of access required to perform successfully its tasks.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When "Guest user permissions are limited" feature is disabled, guests have the same access to your Microsoft Entra ID data that regular users have in your directory. By enabling the feature (i.e. limiting guest access) you have the guarantee that guest accounts do not have permission for certain Microsoft Entra ID tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles within your Microsoft Entra ID account.


Audit

To determine if user permissions for Microsoft Entra ID guest users are limited, perform the following actions:

Note: Obtaining "Guest users permissions are limited" Microsoft Entra ID setting status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, verify the Guest users permissions are limited setting configuration. If the option is set to No, the Microsoft Entra ID guest users permissions are limited, thus the Microsoft Entra ID user configuration is not compliant.

07 Repeat steps no. 3 – 6 for each Microsoft Entra ID that you want to examine.

Remediation / Resolution

To implement the principle of least privilege within your Microsoft Entra ID account and set "Guest users permissions are limited" to "Yes", perform the following actions:

Note: Configuring Microsoft Entra ID external collaboration settings in order to limit guest users' permissions using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On Manage external collaboration settings page, select Yes under Guest users permissions are limited to limit Microsoft Entra ID guest users permissions so these users receive the same access to Microsoft Entra ID data that regular users have in your directory.

07 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully saved invitation policy". Once the changes are saved, the guest users should not have permissions anymore for certain Microsoft Entra ID tasks, such as enumerate users, groups, or other directory resources.

08 Repeat steps no. 3 – 7 for each Microsoft Entra ID that you want to reconfigure in order to limit guest user permissions.

References

Publication date Aug 30, 2019

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Guest User Permissions Are Limited

Risk Level: High