2.12 Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled

Information

Azure AD B2B provides authentication and management of guests. Authentication happens via one-time passcode when they don't already have a work or school account or a Microsoft account. Integration with SharePoint and OneDrive allows for more granular control of how guest user accounts are managed in the organization's AAD, unifying a similar guest experience already deployed in other Microsoft 365 services such as Teams.

Rationale:

External users assigned guest accounts will be subject to Azure AD access policies, such as multi-factor authentication. This provides a way to manage guest identities and control access to SharePoint and OneDrive resources. Without this integration, files can be shared without account registration, making it more challenging to audit and manage who has access to the organization's data.

Impact:

Azure B2B collaboration is already used with other Azure services, so the model should not be new or unusual. Microsoft has also made the transition seamless when integration is turned on for SharePoint sites that already have files actively shared with guest users. The referenced Microsoft article on the subject has more details.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To enable Azure AD B2B integration using PowerShell:

Connect to SharePoint Online using Connect-SPOService -Url https://tenant-admin.sharepoint.com, replacing 'tenant' with the appropriate value.

Run the following command:

Set-SPOTenant -EnableAzureADB2BIntegration $true

Run the audit steps to ensure the value is now True.
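The three steps above combined into one audit-and-remediate script. This is an added example, not the benchmark's or Tenable's own code; it assumes the SharePoint Online Management Shell module is installed, that the current value can be read from Get-SPOTenant, and that the tenant name is supplied as a placeholder parameter.

```powershell
# Added example (not part of the CIS benchmark or Tenable plugin text):
# audit EnableAzureADB2BIntegration, remediate only when asked, then re-check.
# Assumes Microsoft.Online.SharePoint.PowerShell is installed and the caller
# holds SharePoint Administrator rights. $TenantName is a placeholder, e.g. 'contoso'.
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantName,          # 'contoso' -> https://contoso-admin.sharepoint.com
    [switch]$Remediate            # without this switch the script only audits
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Audit: read the current tenant-level setting.
$before = (Get-SPOTenant).EnableAzureADB2BIntegration
Write-Host "EnableAzureADB2BIntegration before: $before"

if ($before -eq $true) {
    Write-Host "Compliant: Azure AD B2B integration is already enabled."
    return
}

if (-not $Remediate) {
    Write-Warning "Not compliant. Re-run with -Remediate to enable the setting."
    return
}

# Remediate: the command from the Solution section.
Set-SPOTenant -EnableAzureADB2BIntegration $true

# Re-audit so the change is confirmed rather than assumed.
$after = (Get-SPOTenant).EnableAzureADB2BIntegration
if ($after -eq $true) {
    Write-Host "Remediated: EnableAzureADB2BIntegration is now True."
} else {
    Write-Error "Setting did not change; verify permissions and retry."
}
```

Run it once without -Remediate to record the pre-change state for the audit trail, then again with -Remediate.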

See Also

https://workbench.cisecurity.org/benchmarks/10751

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-2, 800-53|IA-2

Plugin: microsoft_azure

Control ID: 75c65832d8220b9df33dea1107a279154239a65bccb7c354cad13fca56d96fc3