Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Guests Can Invite

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ActiveDirectory-014

Ensure that "Guests can invite" setting is set to "No" in your Microsoft Entra ID user settings so that the guest users within your directory cannot invite themselves other guests to collaborate on cloud resources secured by your Microsoft Entra ID account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Entra ID external collaboration settings are enabling you to turn guest invitations on or off for different types of users available in your organization. To ensure that only authorized guest users have access to your Azure cloud resources, allow only Microsoft Entra ID administrators to send invitations for collaboration by disabling "Guests can invite" feature. This should help maintain need-to-know permissions and prevents unintended access to your Azure data.

Audit

To determine if guest users can invite themselves other guest users for collaboration, perform the following actions:

Note: Getting "Guests can invite" Microsoft Entra ID setting configuration using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On Manage external collaboration settings page, check the Guests can invite setting configuration. If the verified setting is set to Yes, Microsoft Entra ID guest users are allowed to invite other guest users to collaborate with your organization, thus your Microsoft Entra ID external collaboration configuration is not compliant.

07 Repeat steps no. 3 – 6 for each Microsoft Microsoft Entra ID that you want to examine.

Remediation / Resolution

To make sure that your Microsoft Entra ID guest users cannot invite themselves other guest users to collaborate and use your Microsoft Entra ID resources by setting " Guests can invite" to "No", perform the following actions:

Note: Configuring Microsoft Entra ID external collaboration settings to restrict guest invitations using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, select No under Guests can invite to restrict guest users' ability to invite other guests to collaborate with your organization and to use your Microsoft Entra ID and Azure cloud resources.

07 Click Save to apply the configuration changes. If successful, the following message should be displayed: "Successfully saved invitation policy".

08 Repeat steps no. 3 – 7 for each Microsoft Entra ID that you want to reconfigure in order to restrain guest users from sending invitation for collaboration to other guests.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Guests Can Invite

Risk Level: Medium