Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for Microsoft Entra ID Guest Users

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ActiveDirectory-003

For a Microsoft Azure business-to-business (B2B) collaboration, each Microsoft Entra ID guest user needs to be associated with a business owner or business process. When there is no need for B2B collaboration, ensure that there are no Microsoft Entra ID guest users available within your Microsoft Azure account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A Microsoft Entra business-to-business (B2B) collaboration is used to securely share your applications and services with guest users and external partners from other organizations, while maintaining full control over your own data. Microsoft Entra ID is configured to handle B2B collaborations, allowing you to invite people from outside your organization to be guest users within your Azure cloud account. Unless you have a real business need that requires to provide guest access to external users, avoid creating such guest users. Microsoft Entra ID guest users are usually added outside the employee onboarding/offboarding process managed by your company and this can eventually lead to potential security vulnerabilities.

Audit

To determine if there are any Microsoft Entra ID guest users available in your Azure account, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users to list all Microsoft Entra ID users.

04 Select Guest users only from Show dropdown menu to return the guest users available (if any). If one or more users are listed, there are Microsoft Entra ID guest users created within your Azure account, thus your Microsoft Entra ID user configuration is not compliant.

05 Repeat step no. 3 and 4 for each Microsoft Entra ID available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run ad user list command (Windows/macOS/Linux) using query filters to list all Azure Microsoft Entra ID guest users: 

az ad user list
  --query "[?userType=='Guest']"

02 The command output should return the configuration metadata for each Microsoft Entra ID guest user currently available in your Azure account (if any): 

[
	{
		"accountEnabled": true,
		"createdDateTime": "2019-05-01T10:47:42Z",
		"creationType": "Invitation",
		"employeeId": null,
		"jobTitle": null,
		"lastDirSyncTime": null,
		"legalAgeGroupClassification": null,
		"mail": "adproject@cloudconformity.com",
		"mobile": null,
		"objectId": "abcdabcd-1234-1234-1234-abcd1234abcd",
		"objectType": "User",
		"odata.type": "Microsoft.DirectoryServices.User",
		"onPremisesDistinguishedName": null,
		"onPremisesSecurityIdentifier": null,

		...

		"refreshTokensValidFromDateTime": "2019-05-02T10:41:42Z",
		"showInAddressList": false,
		"signInNames": [],
		"sipProxyAddress": null,
		"state": null,
		"streetAddress": null,
		"surname": null,
		"telephoneNumber": null,
		"thumbnailPhoto@odata.mediaEditLink": "directoryObjects/abcdabcd-1234-1234-1234-abcd1234abcd/Microsoft.DirectoryServices.User/thumbnailPhoto",
		"usageLocation": null,
		"userIdentities": [],
		"userPrincipalName": "adproject@cloudconformity.com#EXT#@azuremanager@cloudconformity.onmicrosoft.com",
		"userStateChangedOn": "2019-05-02T10:41:42Z",
		"userType": "Guest"
	}
]

If ad user list command output returns configuration metadata for one or more users, as shown in the example above, there are Microsoft Entra ID guest users available in your Azure account, therefore your Microsoft Entra ID user configuration is not compliant.

03 Repeat step no. 1 and 2 for each Microsoft Entra ID available in your Microsoft Azure cloud account.

Using Microsoft Graph API

01 Execute the following Microsoft Graph API call to list all Microsoft Entra ID external/guest users within your Microsoft Entra ID tenant: 

	GET https://graph.microsoft.com/beta/users?$filter=userType eq "Guest"

02 The command output should return the existing metadata for each Microsoft Entra ID guest user currently available in your Microsoft Entra ID account: 

	[
		{
			"accountEnabled": true,
			"creationType": "Invitation",
			"employeeId": null,
			"lastDirSyncTime": null,
			"legalAgeGroupClassification": null,
			"mail": "adproject@cloudconformity.com",
			"objectId": "abcdabcd-1234-1234-1234-abcd1234abcd",
			"objectType": "User",
			"odata.type": "Microsoft.DirectoryServices.User",
			"onPremisesDistinguishedName": null,
			"onPremisesSecurityIdentifier": null,

			...

			"showInAddressList": false,
			"sipProxyAddress": null,
			"state": null,
			"streetAddress": null,
			"surname": null,
			"telephoneNumber": null,
			"usageLocation": null,
			"userIdentities": [],
			"userPrincipalName": "adproject@cloudconformity.com#EXT#@azuremanager@cloudconformity.onmicrosoft.com",
			"userType": "Guest"
		}
	]

If the Graph API call output returns configuration metadata for one or more users, as shown in the example above, there are Microsoft Entra ID guest users available in your Microsoft Entra ID account, therefore your Microsoft Entra ID user configuration is not compliant.

03 Repeat step no. 1 and 2 for each Microsoft Entra ID available in your Microsoft Azure cloud account.

Remediation / Resolution

Remove any Microsoft Entra ID guest users that are not linked to a business owner or business process, created in your Microsoft Azure cloud account. To delete Microsoft Entra ID guest users, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users to display all Microsoft Entra ID users.

04 Select Guest users only from Show dropdown menu to list the guest users available.

05 Select the Microsoft Entra ID guest user(s) that you want to remove (see Audit section part I to identify the appropriate user(s)).

06 Click on the Delete user button from the dashboard top menu to initiate the removal process.

07 Within Delete selected users confirmation box, choose Yes to delete the selected Microsoft Entra ID guest user(s).

08 If necessary, repeat steps no. 3 – 7 for each Microsoft Entra ID provisioned in your Microsoft Azure cloud account.

Using Azure CLI

01 Run ad user delete command (Windows/macOS/Linux) using the object ID of the guest user that you want to delete as identifier parameter value (see Audit section part II to identify the right user ID), to remove the selected Microsoft Entra ID guest user from your Azure cloud account (the CLI command does not produce an output): 

az ad user delete
  --upn-or-object-id abcdabcd-1234-1234-1234-abcd1234abcd

02 Repeat step no. 1 for each guest user available within your Microsoft Entra ID.

03 Repeat step no. 1 and 2 for each Microsoft Entra ID provisioned in your Microsoft Azure cloud account.

Using Microsoft Graph API

01 Run the following Microsoft Graph API call to remove the selected Microsoft Entra ID guest user (see Audit section part III to identify the right user identifier) from your Azure cloud account: 

	DELETE https://graph.microsoft.com/beta/users/abcdabcd-1234-1234-1234-abcd1234abcd

02 If the API request is successful, the call output returns a 204 No Content response code, as shown in the output example below: 

	HTTP/1.1 204 No Content

03 Repeat step no. 1 and 2 for each Microsoft Entra ID available in your Microsoft Azure cloud account.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules