MS.AAD.8.3v1 - Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.

Information

Limiting which domains can be invited to create guest accounts in the tenant helps reduce the risk of users from unauthorized external organizations getting access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. In Microsoft Entra admin center select External Identities > External collaboration settings.

2. Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive).

3. Select Target domains and enter the names of the external domains authorized by the agency for guest user access.

4. Click Save.

See Also

https://github.com/cisagov/ScubaGear/tree/v1.5.0/

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-2, 800-53|AC-5, 800-53|AC-6, 800-53|CA-7, 800-53|SA-3, 800-53|SA-4, 800-53|SA-8, 800-53|SA-10, 800-53|SA-11, 800-53|SA-15, 800-53|SA-16, 800-53|SA-17, 800-53|SC-28, 800-53|SI-4

Plugin: microsoft_azure

Control ID: c7127fbf56ead22be29c1f5aa6ef0a428e1c8a9ff588411b26c41a2dc2a37af0