Unrestricted Guest Accounts

MEDIUM
Note: This indicator is in Early Access.

Description

B2B collaboration is a Microsoft Entra ID feature that allows your users to invite guests to collaborate with your organization. These guest users, also called "external identities", by default get access as described by Microsoft:

They can manage their own profile, change their own password, and retrieve certain information about other users, groups, and applications. However, they cannot read all directory information. For example, guest users cannot enumerate the list of all users, groups, and other directory objects. It is possible to add guests to administrator roles, granting them full read and write permissions. Guests can also invite other guests.

If your organization places a high premium on security and privacy when it comes to guest users, you can tighten both by changing this default setting to the "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)" option, which has the following impact:

By default, this setting limits guest access exclusively to their own user profile. This means that even when searching by user principal name, object ID, or display name, guests cannot obtain access to other users. Furthermore, this configuration also restricts access to group information, including group memberships.

Solution

To restrict the visibility of guest users within your tenant, you must restrict guest user access in Entra ID by selecting this option: "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)".

Bear in mind that this may make collaboration with external users more difficult.
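The portal option above maps to the `guestUserRoleId` property of the tenant's Entra ID authorization policy, so the setting can be audited from the Microsoft Graph PowerShell SDK. The following script is an added example, not part of this indicator's documentation or of any vendor tooling; the `-Remediate` switch is a constructed convenience, and the three role template IDs are the values Microsoft documents for `guestUserRoleId` (they do not appear on this page).

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns
<#
 Audit, and optionally remediate, the tenant-wide guest access level.
 The level is stored as guestUserRoleId on the Entra ID authorizationPolicy.
#>
param(
    # Constructed switch for this example: without it the script only reports.
    [switch]$Remediate
)

# Role template IDs Microsoft documents for guestUserRoleId.
$MostRestrictive = '2af84b1e-32c8-42b7-82bc-daa82404023b'
$GuestLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as member users'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access (most restrictive)'
}

# Write permission on the policy is only requested when remediating.
$scopes = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes

$current = (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
$label   = if ($GuestLevels.ContainsKey($current)) { $GuestLevels[$current] } else { "Unknown ($current)" }

if ($current -eq $MostRestrictive) {
    Write-Host "OK: guest access level is '$label'."
    return
}

# Anything other than the most restrictive level triggers this indicator.
Write-Warning "UNRESTRICTED-GUEST-ACCOUNTS: guest access level is '$label'."
Write-Warning "Guests can read directory information about other users and groups."

if ($Remediate) {
    # Equivalent to selecting the "most restrictive" option in the portal.
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $MostRestrictive
    $after = (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
    Write-Host "Guest access level is now '$($GuestLevels[$after])'."
}
```

Run it without `-Remediate` first so the current level is recorded before any change, since the most restrictive level can break existing collaboration scenarios.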

Indicator Details

Name: Unrestricted Guest Accounts

Codename: UNRESTRICTED-GUEST-ACCOUNTS

Severity: Medium

MITRE ATT&CK Information: