
Check for Active Directory Guest Users

Risk level: Medium (should be achieved)
Rule ID: ActiveDirectory-003

For a Microsoft Azure business-to-business (B2B) collaboration, each Active Directory (AD) guest user needs to be associated with a business owner or business process. When there is no need for B2B collaboration, ensure that there are no AD guest users available within your Microsoft Azure account.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

An Active Directory business-to-business (B2B) collaboration is used to securely share your applications and services with guest users and external partners from other organizations, while maintaining full control over your own data. Azure AD is configured to handle B2B collaborations, allowing you to invite people from outside your organization to be guest users within your Azure cloud account. Unless you have a real business need that requires providing guest access to external users, avoid creating such guest users. Active Directory guest users are usually added outside the employee onboarding/offboarding process managed by your company, and this can eventually lead to security vulnerabilities.

Audit

To determine if there are any Active Directory guest users available in your Azure account, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at Azure Portal.

03 In the navigation panel, select Users to list all Active Directory users.

04 Select Guest users only from Show dropdown menu to return the guest users available (if any). If one or more users are listed, there are Active Directory guest users created within your Azure account, thus your Active Directory user configuration is not compliant.

05 Repeat steps no. 3 and 4 for each Active Directory (AD) available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the ad user list command (Windows/macOS/Linux) with a query filter to list all Azure Active Directory (AD) guest users:

az ad user list \
   --query "[?userType=='Guest']"

02 The command output should return the configuration metadata for each Active Directory guest user currently available in your Azure account (if any):

[
  {
    "accountEnabled": true,
    "createdDateTime": "2019-05-01T10:47:42Z",
    "creationType": "Invitation",
    "employeeId": null,
    "jobTitle": null,
    "lastDirSyncTime": null,
    "legalAgeGroupClassification": null,
    "mail": "adproject@cloudconformity.com",
    "mobile": null,
    "objectId": "abcdabcd-1234-1234-1234-abcd1234abcd",
    "objectType": "User",
    "odata.type": "Microsoft.DirectoryServices.User",
    "onPremisesDistinguishedName": null,
    "onPremisesSecurityIdentifier": null,

    ...

    "refreshTokensValidFromDateTime": "2019-05-02T10:41:42Z",
    "showInAddressList": false,
    "signInNames": [],
    "sipProxyAddress": null,
    "state": null,
    "streetAddress": null,
    "surname": null,
    "telephoneNumber": null,
    "thumbnailPhoto@odata.mediaEditLink": "directoryObjects/abcdabcd-1234-1234-1234-abcd1234abcd/Microsoft.DirectoryServices.User/thumbnailPhoto",
    "usageLocation": null,
    "userIdentities": [],
    "userPrincipalName": "adproject@cloudconformity.com#EXT#@azuremanager@cloudconformity.onmicrosoft.com",
    "userStateChangedOn": "2019-05-02T10:41:42Z",
    "userType": "Guest"
  }
]

If the ad user list command output returns configuration metadata for one or more users, as shown in the example above, there are Active Directory guest users available in your Azure account, therefore your Active Directory user configuration is not compliant.

03 Repeat steps no. 1 and 2 for each Active Directory (AD) available in your Microsoft Azure cloud account.

Using Microsoft Graph API

01 Execute the following Microsoft Graph API call to list all Azure Active Directory external/guest users within your AD tenant:

GET https://graph.microsoft.com/beta/users?$filter=userType eq 'Guest'

02 The API call output should return the existing metadata for each Active Directory guest user currently available in your Azure AD account:

[
  {
    "accountEnabled": true,
    "creationType": "Invitation",
    "employeeId": null,
    "lastDirSyncTime": null,
    "legalAgeGroupClassification": null,
    "mail": "adproject@cloudconformity.com",
    "objectId": "abcdabcd-1234-1234-1234-abcd1234abcd",
    "objectType": "User",
    "odata.type": "Microsoft.DirectoryServices.User",
    "onPremisesDistinguishedName": null,
    "onPremisesSecurityIdentifier": null,

    ...

    "showInAddressList": false,
    "sipProxyAddress": null,
    "state": null,
    "streetAddress": null,
    "surname": null,
    "telephoneNumber": null,
    "usageLocation": null,
    "userIdentities": [],
    "userPrincipalName": "adproject@cloudconformity.com#EXT#@azuremanager@cloudconformity.onmicrosoft.com",
    "userType": "Guest"
  }
]

If the Graph API call output returns configuration metadata for one or more users, as shown in the example above, there are Active Directory guest users available in your Azure AD account, therefore your Active Directory user configuration is not compliant.

03 Repeat steps no. 1 and 2 for each Active Directory (AD) available in your Microsoft Azure cloud account.
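Microsoft Graph returns list results in pages and places the URL of the next page in the "@odata.nextLink" property, so a single GET like the one in step 01 only sees the first page of guest users. The following is an added example (not Cloud Conformity's code) that builds the page's filter with the OData string literal in single quotes and follows nextLink until every page has been read. The HTTP call is injected as a fetch(url) function that returns the decoded JSON body, so the example runs offline against a constructed two-page response; the $select parameter, the offline_fetch helper and the sample users are assumptions for this example, not tenant data.

```python
"""Walk every page of a Microsoft Graph guest-user query (added example)."""
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/beta"  # beta endpoint, as used on the page


def guest_users_url(base: str = GRAPH_BASE) -> str:
    """The page's query; OData string literals must use single quotes."""
    filter_expr = "userType eq 'Guest'"
    # $select trims the payload to the attributes the audit actually needs.
    return f"{base}/users?$filter={quote(filter_expr)}&$select=id,userPrincipalName,userType,accountEnabled"


def list_guests(fetch, url=None):
    """Follow @odata.nextLink and collect guests from every page.

    `fetch` performs an authenticated GET and returns the JSON body as a dict.
    Returns (guests, number_of_pages_read).
    """
    url = url or guest_users_url()
    guests = []
    pages = 0
    while url:
        body = fetch(url)
        pages += 1
        # Defensive: only keep objects that really are guests, even if the
        # filter were dropped or rewritten upstream.
        guests.extend(u for u in body.get("value", []) if u.get("userType") == "Guest")
        url = body.get("@odata.nextLink")  # absent on the last page
    return guests, pages


# Constructed two-page response, shaped like Graph's list envelope.
FIRST_URL = guest_users_url()
NEXT_URL = FIRST_URL + "&$skiptoken=constructed-token"
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [
            {"id": "abcdabcd-1234-1234-1234-abcd1234abcd",
             "userPrincipalName": "adproject@cloudconformity.com#EXT#@azuremanager@cloudconformity.onmicrosoft.com",
             "userType": "Guest", "accountEnabled": True},
        ],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000002",
             "userPrincipalName": "auditor_partner.example#EXT#@azuremanager@cloudconformity.onmicrosoft.com",
             "userType": "Guest", "accountEnabled": False},
        ],
    },
}


def offline_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; serves the constructed pages above."""
    return SAMPLE_PAGES[url]


def is_compliant(guests) -> bool:
    """Rule ActiveDirectory-003: compliant only when no guest users exist."""
    return len(guests) == 0


if __name__ == "__main__":
    found, n = list_guests(offline_fetch)
    print(f"{len(found)} guest user(s) across {n} page(s); compliant={is_compliant(found)}")
    for g in found:
        state = "enabled" if g["accountEnabled"] else "disabled"
        print(g["id"], g["userPrincipalName"], state)
```

In a real audit, replace offline_fetch with a function that sends the GET with a bearer token and returns response.json(); the paging logic is unchanged. Note that a disabled guest still counts against the rule, since the rule is about the existence of guest accounts, not whether they can currently sign in.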

Remediation / Resolution

Remove any Active Directory (AD) guest users created in your Microsoft Azure cloud account that are not linked to a business owner or business process. To delete Azure AD guest users, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at Azure Portal.

03 In the navigation panel, select Users to display all Active Directory users.

04 Select Guest users only from Show dropdown menu to list the guest users available.

05 Select the Azure Active Directory guest user(s) that you want to remove (see Audit section part I to identify the appropriate user(s)).

06 Click on the Delete user button from the dashboard top menu to initiate the removal process.

07 Within Delete selected users confirmation box, choose Yes to delete the selected AD guest user(s).

08 If necessary, repeat steps no. 3 – 7 for each Active Directory (AD) provisioned in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the ad user delete command (Windows/macOS/Linux), passing the object ID of the guest user that you want to delete as the identifier parameter value (see Audit section part II to identify the right user ID), to remove the selected Active Directory (AD) guest user from your Azure cloud account. The CLI command does not produce an output:

az ad user delete \
   --upn-or-object-id abcdabcd-1234-1234-1234-abcd1234abcd

02 Repeat step no. 1 for each guest user available within your Active Directory (AD).

03 Repeat steps no. 1 and 2 for each Active Directory (AD) provisioned in your Microsoft Azure cloud account.
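The Audit and Remediation steps for the Azure CLI above are easy to chain into a reviewable script: parse the JSON that az ad user list prints, decide which guests have no business owner, and emit the matching az ad user delete commands for a human to approve. The following is an added example (not Cloud Conformity's code). The az output below is constructed to match the shape shown in the Audit section, and the approved-guest register that maps a guest's userPrincipalName to a business owner or process is an assumption for this example; nothing here executes a deletion, it only prints the commands.

```python
"""Audit az ad user list output and plan guest removals (added example)."""
import json
import shlex

# Constructed sample: same shape as `az ad user list -o json`, trimmed to the
# fields the audit needs. Not real tenant data.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "accountEnabled": True,
        "creationType": "Invitation",
        "mail": "adproject@cloudconformity.com",
        "objectId": "abcdabcd-1234-1234-1234-abcd1234abcd",
        "userPrincipalName": "adproject@cloudconformity.com#EXT#@azuremanager@cloudconformity.onmicrosoft.com",
        "userType": "Guest",
    },
    {
        "accountEnabled": False,
        "creationType": "Invitation",
        "mail": "auditor@partner.example",
        "objectId": "00000000-0000-0000-0000-000000000002",
        "userPrincipalName": "auditor_partner.example#EXT#@azuremanager@cloudconformity.onmicrosoft.com",
        "userType": "Guest",
    },
    {
        "accountEnabled": True,
        "objectId": "00000000-0000-0000-0000-000000000003",
        "userPrincipalName": "alice@cloudconformity.onmicrosoft.com",
        "userType": "Member",
    },
])

# Hypothetical approved-guest register: userPrincipalName -> business owner/process.
APPROVED_GUESTS = {
    "auditor_partner.example#EXT#@azuremanager@cloudconformity.onmicrosoft.com": "Finance audit 2019",
}


def guest_users(az_json: str):
    """Client-side equivalent of --query "[?userType=='Guest']"."""
    return [u for u in json.loads(az_json) if u.get("userType") == "Guest"]


def audit(az_json: str, approved: dict) -> dict:
    """Report rule compliance and the guests that have no business owner.

    Per the rule, the account is compliant only when no guest users exist at
    all; `unowned` lists the guests the Remediation section says to remove.
    """
    guests = guest_users(az_json)
    unowned = [
        {
            "objectId": g["objectId"],
            "userPrincipalName": g.get("userPrincipalName", ""),
            "accountEnabled": bool(g.get("accountEnabled")),
            "owner": None,
        }
        for g in guests
        if g.get("userPrincipalName", "") not in approved
    ]
    return {"compliant": len(guests) == 0, "guest_count": len(guests), "unowned": unowned}


def remediation_commands(report: dict):
    """One `az ad user delete` invocation (as on the page) per unowned guest."""
    return [
        "az ad user delete --upn-or-object-id " + shlex.quote(g["objectId"])
        for g in report["unowned"]
    ]


if __name__ == "__main__":
    report = audit(SAMPLE_AZ_OUTPUT, APPROVED_GUESTS)
    print(json.dumps(report, indent=2))
    print("# commands to review before running:")
    for cmd in remediation_commands(report):
        print(cmd)
```

To run it against a real tenant, feed the script the output of az ad user list -o json instead of SAMPLE_AZ_OUTPUT and maintain the register as the record that ties each remaining guest to its business owner; guests that drop out of the register at the end of a collaboration then show up in the next run's removal list.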

Using Microsoft Graph API

01 Run the following Microsoft Graph API call to remove the selected Active Directory guest user (see Audit section part III to identify the right user identifier) from your Azure cloud account:

DELETE https://graph.microsoft.com/beta/users/abcdabcd-1234-1234-1234-abcd1234abcd

02 If the API request is successful, the call output returns a 204 No Content response code, as shown in the output example below:

HTTP/1.1 204 No Content

03 Repeat steps no. 1 and 2 for each Active Directory (AD) available in your Microsoft Azure cloud account.


Publication date Aug 30, 2019
