Description
Restrict invitations to users with specific administrative roles only.
Rationaleβ
Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.
By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.
Impactβ
With the option of Only users assigned to specific admin roles can invite guest users selected, users with specific admin roles will be in charge of sending invitations to the external users, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users.
Auditβ
This policy marks an Azure Active Directory as INCOMPLIANT if the related Active Directory Auth Policy has Invites From State set to either:
- everyone, or
- adminsGuestInvitersAndAllMembers.
Default Valueβ
By default, Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins.
Referencesβ
- https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements