|   Trend Micro Cloud One™

Limit Guest User Permissions

Risk level: High (not acceptable risk)
Rule ID: ActiveDirectory-012

Ensure that the "Guest user permissions are limited" security setting is enabled within your Azure Active Directory (AD) settings in order to implement the principle of least privilege and strengthen access security for your Active Directory account. The principle of least privilege is the practice of giving every user only the minimal amount of access required to perform their tasks successfully.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

When the "Guest user permissions are limited" feature is disabled, guests have the same access to your AD data that regular users have in your directory. Enabling the feature (i.e. limiting guest access) guarantees that guest accounts do not have permission for certain Active Directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles within your Azure AD account.

Audit

To determine if user permissions for Active Directory guest users are limited, perform the following actions:

Note: Obtaining the "Guest users permissions are limited" AD setting status using the Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, verify the Guest users permissions are limited setting configuration. If the option is set to No, the Active Directory (AD) guest user permissions are not limited, and the Azure AD user configuration is therefore not compliant.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

To implement the principle of least privilege within your Azure Active Directory account and set "Guest users permissions are limited" to "Yes", perform the following actions:

Note: Configuring Azure AD external collaboration settings to limit guest users' permissions using the Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, select Yes under Guest users permissions are limited to limit Active Directory (AD) guest user permissions, so that these users no longer receive the same access to AD data that regular users have in your directory.

07 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully saved invitation policy". Once the changes are saved, guest users should no longer have permission for certain Active Directory tasks, such as enumerating users, groups, or other directory resources.

08 Repeat steps no. 3 – 7 for each Active Directory (AD) that you want to reconfigure in order to limit guest user permissions.

Publication date Aug 30, 2019
