Trend Micro Cloud One™

Restrict Invitations to Administrators Only

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-013

Ensure that the "Members can invite" policy is set to "No" in your Azure Active Directory (AD) user settings, so that non-administrator members cannot invite guest (B2B) users to collaborate on resources secured by your directory, such as SharePoint sites or Azure cloud resources.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Restricting the ability to send invitations to AD administrators (and users holding the Guest Inviter role) ensures that every external identity added to your directory has been approved by an authorized account. When any member can invite, a single careless or phished user can onboard arbitrary external accounts as guests, and those guests receive whatever access is later shared with them. Note that this setting only governs new invitations; guest accounts that were already invited remain in the directory and should be reviewed separately.

Audit

To determine if non-admin members can invite guests for collaboration, perform the following actions:

Note: At the time this rule was published (Aug 2019), the "Members can invite" setting could not be queried through the Microsoft Graph API or the Azure CLI. It is now exposed as the allowInvitesFrom property of the Microsoft Graph authorizationPolicy resource (GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy, permission Policy.Read.All); a value of "adminsGuestInvitersAndAllMembers" or "everyone" corresponds to "Members can invite" set to Yes, while "adminsAndGuestInviters" corresponds to No.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, verify the Members can invite setting. If Members can invite is set to Yes, non-administrator members of your directory can invite guest users to collaborate on your secured Active Directory resources, hence the Azure AD external collaboration configuration is not compliant.

07 Repeat steps no. 3 – 6 for each Azure Active Directory (tenant) that you want to examine.

Remediation / Resolution

To ensure that only directory members with administrator roles (or the Guest Inviter role) can invite guest users to your directory, set the "Members can invite" option to "No" by performing the following actions:

Note: At the time this rule was published (Aug 2019), this setting could not be changed through the Microsoft Graph API or the Azure CLI. It can now be set by updating the allowInvitesFrom property of the Microsoft Graph authorizationPolicy resource (PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy, permission Policy.ReadWrite.Authorization); the value "adminsAndGuestInviters" is the equivalent of setting "Members can invite" to No.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, select No under Members can invite to remove non-administrators' ability to invite guest users to collaborate on your Active Directory resources.

07 Click Save to apply the configuration changes. If successful, the following message should be displayed: "Successfully saved invitation policy". Once the changes are saved, only Azure Active Directory (AD) administrators can invite guest users to your current directory.

08 Repeat steps no. 3 – 7 for each Azure Active Directory (tenant) that you want to reconfigure so that non-administrator members can no longer invite guests.
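The audit and remediation steps above are portal click-throughs. The following Python script is an added example, not Cloud Conformity's own tooling, showing how the same check can be made against the JSON document that Microsoft Graph returns for GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy, whose allowInvitesFrom property is what the portal's "Members can invite" switch controls. The mapping of the four Graph enum values to the portal setting, the compliance verdict and the remediation PATCH body are the example's own logic; the two policy documents at the bottom are constructed samples, not captured from a real tenant.

```python
"""Audit and remediation helper for Azure AD rule ActiveDirectory-013.

Added example (not Cloud Conformity's tooling). Evaluates an authorizationPolicy
document as returned by Microsoft Graph and builds the PATCH body that puts the
tenant into the "Members can invite = No" state. Runs offline on the constructed
sample documents below.
"""
import json
from typing import Optional

GRAPH_AUTHZ_POLICY_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Graph enum values for allowInvitesFrom, and whether each one lets an ordinary
# member (no admin role, no Guest Inviter role) send guest invitations.
MEMBERS_CAN_INVITE = {
    "none": False,                             # nobody can invite, admins included
    "adminsAndGuestInviters": False,           # portal "Members can invite" = No
    "adminsGuestInvitersAndAllMembers": True,  # portal "Members can invite" = Yes
    "everyone": True,                          # members and existing guests can invite
}

# Target state for this rule: admins and Guest Inviters only. Deliberately not
# "none", which would also stop administrators from inviting guests.
COMPLIANT_VALUE = "adminsAndGuestInviters"


def members_can_invite(policy: dict) -> Optional[bool]:
    """True/False for whether non-admin members may invite guests; None when the
    document carries no recognised allowInvitesFrom value (older API shape or a
    truncated response), so a caller never mistakes "unknown" for "compliant"."""
    return MEMBERS_CAN_INVITE.get(policy.get("allowInvitesFrom"))


def evaluate(policy: dict) -> dict:
    """Classify one authorizationPolicy document against ActiveDirectory-013."""
    allowed = members_can_invite(policy)
    if allowed is None:
        status = "UNKNOWN"        # fail closed: flag for manual review, do not pass
    elif allowed:
        status = "NON_COMPLIANT"  # members can invite: "Members can invite" = Yes
    else:
        status = "COMPLIANT"
    return {
        "allowInvitesFrom": policy.get("allowInvitesFrom"),
        "members_can_invite": allowed,
        "status": status,
    }


def remediation_patch(policy: dict) -> Optional[dict]:
    """JSON body for PATCH GRAPH_AUTHZ_POLICY_URL (permission
    Policy.ReadWrite.Authorization) that makes the tenant compliant, or None when
    invitations are already restricted or the policy could not be evaluated."""
    if members_can_invite(policy):
        return {"allowInvitesFrom": COMPLIANT_VALUE}
    return None


# Constructed sample responses; only the fields relevant to this rule are shown.
SAMPLE_NON_COMPLIANT = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "allowInvitesFrom": "everyone",
}
SAMPLE_COMPLIANT = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "allowInvitesFrom": "adminsAndGuestInviters",
}

if __name__ == "__main__":
    for name, doc in (("non-compliant", SAMPLE_NON_COMPLIANT),
                      ("compliant", SAMPLE_COMPLIANT)):
        print(f"{name}: {json.dumps(evaluate(doc))}")
        patch = remediation_patch(doc)
        if patch:
            print(f"  -> PATCH {GRAPH_AUTHZ_POLICY_URL} {json.dumps(patch)}")
```

To run this against a real tenant, fetch the document with `az rest --method get --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy` (the signed-in identity needs Policy.Read.All), pass the parsed JSON to `evaluate()`, and apply the body from `remediation_patch()` with `az rest --method patch --url ... --body '<json>'` (Policy.ReadWrite.Authorization). As with the portal procedure, this only affects future invitations; existing guest accounts are unchanged.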

Publication date Aug 30, 2019
