Information
Microsoft Entra ID, part of Microsoft Entra, allows you to restrict what external guest users can see in their organization in Microsoft Entra ID. Guest users are set to a limited permission level by default in Microsoft Entra ID, while the default for member users is the full set of user permissions.
These directory-level permissions are enforced across Microsoft Entra services including Microsoft Graph, PowerShell v2, the Azure portal, and the My Apps portal. Microsoft 365 services that use Microsoft 365 groups for collaboration scenarios are also affected, specifically Outlook, Microsoft Teams, and SharePoint. They do not override the SharePoint or Microsoft Teams guest settings.
The recommended state is at least "Guest users have limited access to properties and memberships of directory objects", or a more restrictive setting.
By limiting guest access to the most restrictive state, this helps prevent malicious group and user object enumeration in the Microsoft 365 environment. This first step, known as reconnaissance in The Cyber Kill Chain, is often conducted by attackers prior to more advanced targeted attacks.
Solution
To remediate using the UI:
- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com/.
- Click to expand Identity > External Identities and select External collaboration settings.
- Under Guest user access, set Guest user access restrictions to one of the following:
  - State: Guest users have limited access to properties and memberships of directory objects
  - State: Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)
To remediate using PowerShell:
- Connect to Microsoft Graph using Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
- Run the following command to set the guest user access restrictions to the default:
  # Guest users have limited access to properties and memberships of directory objects
  Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '10dae51f-b6af-4016-8d66-8c2a99b929b3'
- Or, run the following command to set it to the "most restrictive":
  # Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)
  Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
Note: Either setting allows for a passing state.
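The following script audits the current guest access restriction against the two passing role IDs listed above and remediates only if the tenant is out of compliance. It is an added example, not part of the benchmark or Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK is installed, and the function names Test-GuestAccessRestriction and Set-GuestAccessRestriction are this example's own.

```powershell
# Added example (not from the benchmark or Microsoft): audit the guest user access
# restriction and remediate only when it does not pass. Assumes the Microsoft.Graph
# PowerShell SDK is installed; Get-/Update-MgPolicyAuthorizationPolicy are SDK cmdlets.
Import-Module Microsoft.Graph.Identity.SignIns

# Role IDs quoted on the page; either one is a passing state for this control.
$LimitedAccessRoleId   = '10dae51f-b6af-4016-8d66-8c2a99b929b3'  # limited access (default)
$MostRestrictiveRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'  # most restrictive
$PassingRoleIds = @($LimitedAccessRoleId, $MostRestrictiveRoleId)

function Test-GuestAccessRestriction {
    # Reads the tenant's single authorization policy and classifies GuestUserRoleId.
    $policy  = Get-MgPolicyAuthorizationPolicy
    $current = $policy.GuestUserRoleId
    $state = switch ($current) {
        $LimitedAccessRoleId   { 'Limited access to directory objects (default)' }
        $MostRestrictiveRoleId { 'Restricted to own directory objects (most restrictive)' }
        default                { 'Not restricted: guests can enumerate users and groups (fails)' }
    }
    [pscustomobject]@{
        GuestUserRoleId = $current
        State           = $state
        Compliant       = ($PassingRoleIds -contains $current)
    }
}

function Set-GuestAccessRestriction {
    # Sets the default (limited) level, or the most restrictive level with -MostRestrictive.
    param([switch]$MostRestrictive)
    $target = if ($MostRestrictive) { $MostRestrictiveRoleId } else { $LimitedAccessRoleId }
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $target
}

# A read-only audit only needs Policy.Read.All; remediation needs the scope from the page.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
$result = Test-GuestAccessRestriction
$result | Format-List
if (-not $result.Compliant) {
    Set-GuestAccessRestriction -MostRestrictive   # drop the switch to apply the default level
    Test-GuestAccessRestriction | Format-List     # re-read to confirm the change took effect
}
```

Run the audit portion on a schedule to detect drift back to an unrestricted value, since either passing ID is acceptable but any other value fails the control.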
Impact:
The default is "Guest users have limited access to properties and memberships of directory objects".
When using the 'most restrictive' setting, guests will only be able to access their own profiles and will not be allowed to see other users' profiles, groups, or group memberships.
There are some known issues with Yammer that will prevent guests that are signed in from leaving the group.