B2B collaboration is a Microsoft Entra ID feature that allows your users to invite guests to collaborate with your organization. These guest accounts, also called "external identities", by default get access as described by Microsoft:
They can manage their own profile, change their own password, and retrieve certain information about other users, groups, and applications. However, they cannot read all directory information. For example, guest users cannot enumerate the list of all users, groups, and other directory objects. It is possible to add guests to administrator roles, granting them full read and write permissions. Guests can also invite other guests.
Privileged roles have elevated privileges by definition. Guest accounts having a privileged role assigned to them pose a security risk and significantly increase the attack surface of the tenant. This is particularly concerning as guest accounts may have weaker security policies applied to them, making them more susceptible to compromise. Additionally, the assignment of privileged roles to guest users introduces lower traceability, making it challenging to monitor and audit their activities. In the worst-case scenario, such assignments may even indicate a compromise, as threat actors often exploit guest accounts to gain unauthorized access and move laterally within the environment.
Monitor these guest accounts carefully and ensure that you don't assign privileged roles to them.
To prevent exposing your tenant beyond your organization, revoke or unassign any privileged roles from guest accounts.
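The check described above, as an added Python example (not code from the original page or from Microsoft): it flags guest accounts holding a privileged role, whether assigned directly or through a group, over constructed Microsoft Graph-shaped data; the set of role names treated as privileged is an assumption.

```python
# Added example: flag B2B guest accounts that hold a privileged Entra ID role.
# Input shape follows Microsoft Graph (directoryRoles with $expand=members; members
# tagged by '@odata.type'; users carry 'userType'). Sample data below is constructed.

# Assumption: the role display names this check treats as privileged.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "User Administrator"}
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"

def is_guest(user: dict) -> bool:
    """Graph marks B2B users with userType 'Guest'; the '#EXT#' UPN marker is a fallback."""
    return user.get("userType") == "Guest" or "#EXT#" in user.get("userPrincipalName", "")

def expand_members(members, groups, via="direct", seen=None):
    """Yield (user, how-assigned) pairs, expanding group members with a cycle guard."""
    seen = set() if seen is None else seen
    for m in members:
        if m["@odata.type"] == USER:
            yield m, via
        elif m["@odata.type"] == GROUP and m["id"] not in seen:  # role assigned via a group
            seen.add(m["id"])
            yield from expand_members(groups.get(m["id"], []), groups,
                                      f"via group {m.get('displayName', m['id'])}", seen)

def find_privileged_guests(roles, groups):
    """Return sorted (upn, role, how) findings; non-privileged roles are ignored."""
    findings = set()
    for role in roles:
        if role["displayName"] in PRIVILEGED_ROLES:
            for user, how in expand_members(role["members"], groups):
                if is_guest(user):
                    findings.add((user["userPrincipalName"], role["displayName"], how))
    return sorted(findings)

# Constructed sample: two guests hold privileged roles (one directly, one via a group);
# a third guest only holds Directory Readers and must not be reported.
ROLES = [
    {"displayName": "Global Administrator", "members": [
        {"@odata.type": USER, "id": "u1", "userPrincipalName": "alice@contoso.example", "userType": "Member"},
        {"@odata.type": USER, "id": "u2", "userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "Guest"}]},
    {"displayName": "Security Administrator", "members": [
        {"@odata.type": GROUP, "id": "g1", "displayName": "SecOps Admins"}]},
    {"displayName": "Directory Readers", "members": [
        {"@odata.type": USER, "id": "u3", "userPrincipalName": "carol_example.org#EXT#@contoso.example", "userType": "Guest"}]},
]
GROUPS = {"g1": [{"@odata.type": USER, "id": "u4", "userPrincipalName": "dave_partner.example#EXT#@contoso.example", "userType": "Guest"}]}

if __name__ == "__main__":
    for upn, role, how in find_privileged_guests(ROLES, GROUPS):
        print(f"GUEST {upn} holds {role} ({how})")
```

Against a live tenant, the same functions can be fed the output of the Graph directoryRoles and group members endpoints; the group expansion keeps the assignment path so each finding is traceable to a direct assignment or a specific group.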
Name: Guest Account With a Privileged Role
Codename: GUEST-ACCOUNT-WITH-A-PRIVILEGED-ROLE
Severity: High