Description
Microsoft Entra ID has native and extended identity functionality allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities.
Rationale
Guest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely. To prevent this, guest users should be reviewed on a regular basis. During this audit, guest users should also be determined to not have administrative privileges.
Impact
Before removing guest users, determine their use and scope. Like removing any user, there may be unforeseen consequences to systems if an account is removed without careful consideration.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Entra ID. - Under
Manage, selectUsers. - Click on
Add filter. - Select
User type. - Select
Guestfrom theValuedropdown. - Click
Apply. - Audit the listed guest users.
From Azure CLI
az ad user list --query "[?userType=='Guest']"
Ensure all users listed are still required and not inactive.
From Azure PowerShell
Get-AzureADUser |Where-Object {$_.UserType -like "Guest"} |Select-Object DisplayName, UserPrincipalName, UserType -Unique
From Azure Policy
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: e9ac8f8e-ce22-4355-8f04-99b911d6be52 - Name:
Guest accounts with read permissions on Azure resources should be removed - Policy ID: 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 - Name:
Guest accounts with write permissions on Azure resources should be removed - Policy ID: 339353f6-2387-4a45-abe4-7f529d121046 - Name:
Guest accounts with owner permissions on Azure resources should be removed
Default Value
By default no guest users are created.
References
- https://learn.microsoft.com/en-us/entra/external-id/user-properties
- https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users#delete-a-user
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-4-review-and-reconcile-user-access-regularly
- https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-manage-inactive-user-accounts
- https://learn.microsoft.com/en-us/entra/fundamentals/users-restore
Additional Information
It is good practice to use a dynamic security group to manage guest users.
To create the dynamic security group:
- Navigate to the 'Microsoft Entra ID' blade in the Azure Portal
- Select the 'Groups' item
- Create new
- Type of 'dynamic'
- Use the following dynamic selection rule. "(user.userType -eq "Guest")"
- Once the group has been created, select access reviews option and create a new access review with a period of monthly and send to relevant administrators for review.