9.1.2 Ensure external user invitations are restricted

Information

This setting helps organizations choose whether new external users can be invited to the organization through Power BI sharing, permissions, and subscription experiences. This setting only controls the ability to invite through Power BI.

The recommended state is Enabled for a subset of the organization or Disabled.

Note: To invite external users to the organization, the user must also have the Microsoft Entra Guest Inviter role.

Rationale:

Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric by guests collaborating in Azure, whether they are newly invited or have been assigned guest status through other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). The same security groups can also be used for tasks such as Conditional Access, which strengthens risk management and user accountability across the organization.

Impact:

Guest user invitations will be limited to only specific employees.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Restrict external user invitations:

Navigate to the Microsoft Fabric admin portal: https://app.powerbi.com/admin-portal

Select Tenant settings.

Scroll to Export and Sharing settings.

Set Users can invite guest users to collaborate through item sharing and permissions to one of these states:

State 1: Disabled

State 2: Enabled with Specific security groups selected and defined.

Important: If the organization does not actively use this feature, it is recommended to keep it Disabled.
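The following is an added example, not code from the benchmark or the Nessus plugin, that evaluates this tenant setting against the two recommended states from a JSON export of Fabric tenant settings. It assumes the export carries the setting's portal title in a `title` field, its state in `enabled`, and any scoped groups in `enabledSecurityGroups` (field names modelled on the Fabric admin tenant-settings API, but assumed here); the sample export is constructed.

```python
import json

# Portal title of the setting, taken from the benchmark text above.
# Matching is done on the title because the API's internal setting
# name is not given on this page (an assumption is used below).
TARGET_TITLE = ("Users can invite guest users to collaborate through item "
                "sharing and permissions")

# Constructed sample export: the setting enabled for the entire
# organization, i.e. the default value the benchmark flags.
SAMPLE_EXPORT = json.dumps({
    "tenantSettings": [
        {
            "settingName": "PLACEHOLDER-SETTING-NAME",  # assumed, not real
            "title": TARGET_TITLE,
            "enabled": True,
            "canSpecifySecurityGroups": True,
            "enabledSecurityGroups": [],
            "tenantSettingGroup": "Export and sharing settings",
        }
    ]
})


def find_setting(export_json, title=TARGET_TITLE):
    """Return the tenant setting whose portal title matches, or None."""
    data = json.loads(export_json)
    for setting in data.get("tenantSettings", []):
        if (setting.get("title") or "").strip().lower() == title.lower():
            return setting
    return None


def evaluate(setting):
    """Map a setting to (compliant, state) using the benchmark's two allowed states."""
    if setting is None:
        return (False, "setting not found in export")
    if not setting.get("enabled", False):
        return (True, "State 1: Disabled")
    groups = setting.get("enabledSecurityGroups") or []
    if groups:
        names = ", ".join(g.get("name", g.get("graphId", "?")) for g in groups)
        return (True, f"State 2: Enabled for security groups: {names}")
    # Enabled with no security groups scoped = enabled for everyone (the default).
    return (False, "Enabled for the entire organization (default value)")


def check_export(export_json):
    """Convenience wrapper: locate the setting in an export and evaluate it."""
    return evaluate(find_setting(export_json))


if __name__ == "__main__":
    ok, state = check_export(SAMPLE_EXPORT)
    print(("PASS" if ok else "FAIL") + ": " + state)
```

Running it against the constructed sample reports FAIL, since the setting is enabled with no security groups, which is the default state the benchmark recommends changing.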

Default Value:

Enabled for the entire organization

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4)

Plugin: microsoft_azure

Control ID: b6073258288eb38ed3e19e1b9624a76398b7e544903b96ec2866a088510a0a7e