Description
Microsoft Entra ID has native and extended identity functionality allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities.
Rationale
Guest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely. To prevent this, guest users should be reviewed on a regular basis. During this audit, guest users should also be determined to not have administrative privileges.
Impact
Before removing guest users, determine their use and scope. Like removing any user, there may be unforeseen consequences to systems if an account is removed without careful consideration.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Users.
- Click on Add filter.
- Select User type.
- Select Guest from the Value dropdown.
- Click Apply.
- Audit the listed guest users.
From Azure CLI
az ad user list --query "[?userType=='Guest']"
Ensure all users listed are still required and not inactive.
From Azure PowerShell
Get-AzureADUser | Where-Object {$_.UserType -like "Guest"} | Select-Object DisplayName, UserPrincipalName, UserType -Unique
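The Rationale section asks that guest users also be checked for administrative privileges. The following script is an added example, not part of the Benchmark, that extends the PowerShell audit above: it lists every guest user and then walks the tenant's activated directory roles to flag any guest that is a role member. It assumes the AzureAD module is installed and Connect-AzureAD has already been run.

```powershell
# Added example (not from the CIS Benchmark). Assumes the AzureAD module
# is installed and that Connect-AzureAD has already been run.

# Collect all guest users; @() keeps $guests an array even for one result.
$guests = @(Get-AzureADUser -All $true | Where-Object { $_.UserType -eq 'Guest' })

# Index guests by ObjectId so role membership checks are a hash lookup.
$guestIds = @{}
foreach ($g in $guests) { $guestIds[$g.ObjectId] = $g }

# Walk every activated directory role and record guests that are members.
# Role members can also be groups or service principals; those never match.
$findings = @()
foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if ($guestIds.ContainsKey($member.ObjectId)) {
            $findings += [pscustomobject]@{
                UserPrincipalName = $member.UserPrincipalName
                Role              = $role.DisplayName
            }
        }
    }
}

# UserState shows PendingAcceptance for invitations that were never redeemed,
# a common sign of a guest account that is no longer required.
"Guest users in tenant: $($guests.Count)"
$guests | Select-Object DisplayName, UserPrincipalName, UserState | Format-Table -AutoSize

if ($findings.Count -eq 0) {
    "No guest user holds a directory role."
} else {
    "Guest users holding directory roles (review and remove):"
    $findings | Format-Table -AutoSize
}
```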
From Azure Policy
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: e9ac8f8e-ce22-4355-8f04-99b911d6be52 - Name: Guest accounts with read permissions on Azure resources should be removed
- Policy ID: 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 - Name: Guest accounts with write permissions on Azure resources should be removed
- Policy ID: 339353f6-2387-4a45-abe4-7f529d121046 - Name: Guest accounts with owner permissions on Azure resources should be removed
Default Value
By default, no guest users are created.
References
- https://learn.microsoft.com/en-us/entra/external-id/user-properties
- https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users#delete-a-user
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-4-review-and-reconcile-user-access-regularly
- https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-manage-inactive-user-accounts
- https://learn.microsoft.com/en-us/entra/fundamentals/users-restore
Additional Information
It is good practice to use a dynamic security group to manage guest users.
To create the dynamic security group:
- Navigate to the 'Microsoft Entra ID' blade in the Azure Portal.
- Select the 'Groups' item.
- Create a new group.
- Select a membership type of 'dynamic'.
- Use the following dynamic membership rule: (user.userType -eq "Guest")
- Once the group has been created, select the access reviews option and create a new access review with a monthly period, sent to the relevant administrators for review.