
Restrict Guest User Invitations

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-014

Ensure that the "Guests can invite" setting is set to "No" in your Azure Active Directory (AD) user settings so that guest users within your directory cannot themselves invite other guests to collaborate on cloud resources secured by your Active Directory account.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Active Directory external collaboration settings enable you to turn guest invitations on or off for the different types of users available in your organization. To ensure that only authorized guest users have access to your Azure cloud resources, allow only AD administrators to send invitations for collaboration by disabling the "Guests can invite" feature. This should help maintain need-to-know permissions and prevent unintended access to your Azure data.

Audit

To determine if guest users can themselves invite other guest users for collaboration, perform the following actions:

Note: Getting "Guests can invite" Active Directory setting configuration using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to the Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, check the Guests can invite setting configuration. If the setting is set to Yes, Active Directory (AD) guest users are allowed to invite other guest users to collaborate with your organization, and therefore your Azure AD external collaboration configuration is not compliant.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

To set "Guests can invite" to "No" so that your AD guest users cannot themselves invite other guest users to collaborate and use your Active Directory resources, perform the following actions:

Note: Configuring Azure Active Directory external collaboration settings to restrict guest invitations using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to the Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, select No under Guests can invite to restrict guest users' ability to invite other guests to collaborate with your organization and to use your Active Directory and Azure cloud resources.

07 Click Save to apply the configuration changes. If successful, the following message should be displayed: "Successfully saved invitation policy".

08 Repeat steps no. 3 – 7 for each Active Directory (AD) that you want to reconfigure in order to prevent guest users from sending collaboration invitations to other guests.

Publication date Aug 30, 2019
