7.2.2 Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled

Information

Entra ID B2B provides authentication and management of guests. Authentication happens via one-time passcode when they don't already have a work or school account or a Microsoft account. Integration with SharePoint and OneDrive allows for more granular control of how guest user accounts are managed in the organization's AAD, bringing the guest experience in line with the one already deployed in other Microsoft 365 services such as Teams.

Note: Global Reader role currently can't access SharePoint using PowerShell.

Rationale:

External users assigned guest accounts will be subject to Entra ID access policies, such as multi-factor authentication. This provides a way to manage guest identities and control access to SharePoint and OneDrive resources. Without this integration, files can be shared without account registration, making it more challenging to audit and manage who has access to the organization's data.

Impact:

B2B collaboration is already used with other Entra services, so the experience should not be new or unusual. Microsoft has also made the experience seamless when turning on integration for SharePoint sites that already have active files shared with guest users. The referenced Microsoft article on the subject has more details on this.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using PowerShell:

Connect to SharePoint Online using Connect-SPOService

Run the following command:

Set-SPOTenant -EnableAzureADB2BIntegration $true
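Because Nessus does not perform this check, the following added script (not part of the benchmark text) audits the current tenant setting with Get-SPOTenant, remediates only when asked, and re-reads the value to confirm the change. The admin URL is a placeholder to replace with your tenant's SharePoint admin URL, and the account used must hold a SharePoint administrator role.

```powershell
# Added audit-and-remediate example for control 7.2.2 (not from the benchmark).
# Assumes the SharePoint Online Management Shell module is installed and the
# signed-in account is a SharePoint Administrator (Global Reader cannot reach
# SharePoint via PowerShell, as noted above).
param(
    # Placeholder: replace with your tenant's SharePoint admin URL.
    [string]$AdminUrl = 'https://<tenant>-admin.sharepoint.com',
    # Report only by default; pass -Remediate to change the setting.
    [switch]$Remediate
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

# Audit: the benchmark expects EnableAzureADB2BIntegration to be True
# (the default value is False).
$current = [bool](Get-SPOTenant).EnableAzureADB2BIntegration

if ($current) {
    Write-Output 'PASS: SharePoint/OneDrive integration with Entra ID B2B is enabled.'
}
elseif ($Remediate) {
    Set-SPOTenant -EnableAzureADB2BIntegration $true
    # Re-read the tenant instead of trusting the call succeeded.
    $after = [bool](Get-SPOTenant).EnableAzureADB2BIntegration
    if ($after) {
        Write-Output 'REMEDIATED: integration enabled and verified.'
    }
    else {
        Write-Warning 'Set-SPOTenant ran but the setting still reads False; re-check.'
    }
}
else {
    Write-Warning 'FAIL: integration is disabled. Re-run with -Remediate to enable it.'
}
```

Run without parameters to audit only; the setting is tenant-wide, so review existing guest sharing on affected sites before enabling it in production.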

Default Value:

False

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2

Plugin: microsoft_azure

Control ID: b57244072aadf24e923d0cb681556f88f16778d3e210f7892882264230bf63ee