Limit Guest User Invites to Administrators

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that only users with "User Administrator" or "Guest Inviter" roles can invite guest users to your Microsoft Entra directory to collaborate on resources secured by your organization, such as SharePoint sites or Azure cloud resources.

Security

By default, every user in your organization, including guest users invited for B2B collaboration, can extend invitations to external users. This means that anyone within the organization, guests and non-administrators included, can invite new guests into the tenant, which could create security vulnerabilities. If you wish to control who can send invitations, you have the option to enable or disable invitations for everyone, or to restrict this capability to specific roles. By restricting guest invitations to users with administrator roles, such as the "User Administrator" or "Guest Inviter" roles, you can ensure that only authorized accounts control who gains access to your cloud resources. This strategy enforces the Principle of Least Privilege (POLP) and minimizes the risk of unauthorized access to sensitive data.


Audit

To determine whether only administrators can invite guest users to collaborate on your organization's resources, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Microsoft Entra ID blade available at https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview.

03 In the main navigation panel, under Manage, select External Identities.

04 In the left navigation panel, select Overview to access the configuration settings available for Microsoft Entra ID external identities.

05 Under Set up how you want to collaborate, choose Set up external collaboration settings.

06 In the Guest invite settings section, check the Guest invite restrictions setting value to determine the level of restriction configured for external collaboration. If Guest invite restrictions is not set to Only users assigned to specific admin roles can invite guest users, guest invitations are not restricted to users with administrative roles only. Therefore, the level of restriction configured for external collaboration is not compliant.

Using Azure PowerShell

01 Run the Connect-MgGraph PowerShell command to connect to Microsoft Graph with the Microsoft Entra ID tenant specified by the -TenantId parameter (replace <tenant-name> with your own tenant name):

Connect-MgGraph -TenantId <tenant-name>.onmicrosoft.com -Scopes "Policy.ReadWrite.Authorization"

02 Run the Get-MgPolicyAuthorizationPolicy PowerShell command with custom output filters to determine the level of restriction configured for external collaboration. There are four restriction levels: everyone (anyone in your organization can invite guest users, including guests and non-admins), adminsGuestInvitersAndAllMembers (member users and users with specific administrator roles can invite guest users, including guests with member permissions), adminsAndGuestInviters (only users with administrator-based roles can invite guest users - recommended), and none (no one in your organization can invite guest users, including administrators). For compliance, the restriction level should be adminsAndGuestInviters (i.e., only users with administrator roles can invite guest users):

Get-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom

03 The command output should return the name of the restriction level configured for external collaboration:

AllowInvitesFrom
---------------
everyone

If the AllowInvitesFrom attribute value is not set to adminsAndGuestInviters, guest invitations are not restricted to users with administrative roles only. Therefore, the level of restriction configured for external collaboration is not compliant.

Remediation / Resolution

To ensure that only users with specific administrator roles, such as the User Administrator or Guest Inviter roles, can invite guest users to collaborate on your organization's resources, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Microsoft Entra ID blade available at https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview.

03 In the main navigation panel, under Manage, select External Identities.

04 In the left navigation panel, select Overview to access the configuration settings available for Microsoft Entra ID external identities.

05 Under Set up how you want to collaborate, choose Set up external collaboration settings.

06 In the Guest invite settings section, set the Guest invite restrictions configuration setting to Only users assigned to specific admin roles can invite guest users to change the restriction level for guest invitations to adminsAndGuestInviters (recommended). This will ensure that guest invitations are restricted to users with administrative roles only. Choose Save to apply the configuration settings.

Using Azure PowerShell

01 Run the Update-MgPolicyAuthorizationPolicy PowerShell command to update the default authorization policy in order to set the restriction level for guest invitations to adminsAndGuestInviters (i.e., only users with administrator-based roles can invite guest users):

Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom 'adminsAndGuestInviters'
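The PowerShell audit (steps 01-03 above) and this remediation command, combined into one script that reports the current restriction level, flags non-compliance, and only writes when asked to. This is an added example, not Conformity's own code; it assumes the Microsoft Graph PowerShell SDK is installed, that the tenant name is supplied as a parameter, and that the Policy.Read.All scope is sufficient for the read-only audit path.

```powershell
# Added example (not Conformity's own code): audit the guest invite
# restriction level and, with -Remediate, set it to adminsAndGuestInviters.
param(
    [Parameter(Mandatory = $true)][string]$TenantName,   # e.g. contoso (placeholder)
    [switch]$Remediate
)

# Human-readable meaning of each AllowInvitesFrom value, as described above.
$levels = @{
    'everyone'                         = 'Anyone, including guests and non-admins, can invite guest users'
    'adminsGuestInvitersAndAllMembers' = 'Member users and admin/Guest Inviter roles can invite guest users'
    'adminsAndGuestInviters'           = 'Only admin and Guest Inviter roles can invite guest users (recommended)'
    'none'                             = 'No one can invite guest users'
}
$expected = 'adminsAndGuestInviters'

# Request the write scope only when remediating; a read-only scope is assumed
# sufficient for the audit, so an audit-only run never holds write rights.
$scopes = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -TenantId "$TenantName.onmicrosoft.com" -Scopes $scopes -NoWelcome

$current = (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
Write-Host ("Current AllowInvitesFrom: {0} - {1}" -f $current, $levels[$current])

if ($current -eq $expected) {
    Write-Host 'COMPLIANT: guest invitations are restricted to administrator roles.'
    return
}

Write-Warning "NOT COMPLIANT: expected '$expected', found '$current'."
if (-not $Remediate) { return }

# Apply the recommended level and read it back to confirm the change took effect.
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom $expected
$after = (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
if ($after -eq $expected) {
    Write-Host "Remediated: AllowInvitesFrom is now '$after'."
} else {
    Write-Error "Remediation did not take effect (AllowInvitesFrom is '$after')."
}
```

Run it without -Remediate first to see the current level and its meaning; the read-back after the update is what tells you the console setting "Only users assigned to specific admin roles can invite guest users" is now in force.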

Publication date Feb 12, 2025