Guest Accounts with Equal Access to Normal Accounts

HIGH
Note: This indicator is in Early Access.

Description

B2B collaboration is a Microsoft Entra ID feature that allows your users to invite guests to collaborate with your organization. These guest users, also called "external identities", by default get access as described by Microsoft:

They can manage their own profile, change their own password, and retrieve certain information about other users, groups, and applications. However, they cannot read all directory information. For example, guest users cannot enumerate the list of all users, groups, and other directory objects. It is possible to add guests to administrator roles, granting them full read and write permissions. Guests can also invite other guests.

Hence, by default, guests have restricted visibility within the inviting tenant. However, there is a setting that grants guest users even more permissions, called "Guest users have the same access as members (most inclusive)", which has the following impact:

Grants all member user permissions to guest users by default.

Enabling this setting increases the tenant's exposure: external guests, including a guest account controlled by an attacker, can more easily enumerate users, groups, and other directory assets, which raises the likelihood of compromise and data exposure.

Solution

To limit guest users' visibility within your tenant, you must configure guest user access restrictions in Entra ID. At the very least, you can revert to the default setting: "Guest users have limited access to properties and memberships of directory objects." Alternatively, you can choose a stricter option with the setting "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)."

Bear in mind that this may make collaboration with external users more difficult.
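The following script checks which of the three guest access restriction settings is in force and, on request, reverts the most inclusive one to the default. It is an added example using the Microsoft Graph PowerShell SDK, not code from the indicator page; it assumes the `Microsoft.Graph` module is installed, that the caller can consent to `Policy.ReadWrite.Authorization`, and that the three GUIDs are the documented `guestUserRoleId` values for the settings named above.

```powershell
# Added example: audit (and optionally remediate) the Entra ID guest access restriction.
# Assumes the Microsoft.Graph PowerShell SDK; cmdlet names and parameters are those of the v1.0 module.
param(
    [switch]$Remediate   # when set, revert "same access as members" to the default limited setting
)

# Documented guestUserRoleId values (assumed correct; verify against current Microsoft documentation).
$GuestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members (most inclusive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest users have limited access to properties and memberships of directory objects'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'
}
$SameAsMembers  = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'
$LimitedDefault = '10dae51f-b6af-4016-8d66-8c2a99b929b3'

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

# The tenant has a single authorization policy; guestUserRoleId is the property behind this setting.
$policy  = Get-MgPolicyAuthorizationPolicy
$current = [string]$policy.GuestUserRoleId

if ($GuestRoleNames.ContainsKey($current)) {
    $label = $GuestRoleNames[$current]
} else {
    $label = "unrecognised guestUserRoleId '$current' (review manually)"
}
Write-Host "Current guest access restriction: $label"

if ($current -eq $SameAsMembers) {
    Write-Warning 'HIGH: guest users currently have the same directory access as member users.'
    if ($Remediate) {
        # Revert to the default: limited access to properties and memberships of directory objects.
        Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $LimitedDefault
        $after = (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
        Write-Host "Setting is now: $($GuestRoleNames[[string]$after])"
    } else {
        Write-Host 'Re-run with -Remediate to revert to the default limited setting.'
    }
} else {
    Write-Host 'Guest access is already restricted; no change needed for this indicator.'
}

Disconnect-MgGraph | Out-Null
```

Running the audit without `-Remediate` is read-only apart from the sign-in; choose the "most restrictive" GUID instead of `$LimitedDefault` if the stricter option described above is wanted.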

Indicator Details

Name: Guest Accounts with Equal Access to Normal Accounts

Codename: GUEST-ACCOUNTS-WITH-EQUAL-ACCESS-TO-NORMAL-ACCOUNTS

Severity: High

MITRE ATT&CK Information: