Ensure that the "Guests can invite" setting is set to "No" in your Microsoft Entra ID user settings so that guest users within your directory cannot themselves invite other guests to collaborate on cloud resources secured by your Microsoft Entra ID account.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Microsoft Entra ID external collaboration settings enable you to turn guest invitations on or off for the different types of users in your organization. To ensure that only authorized guest users have access to your Azure cloud resources, allow only Microsoft Entra ID administrators to send invitations for collaboration by disabling the "Guests can invite" feature. This should help maintain need-to-know permissions and prevent unintended access to your Azure data.
Audit
To determine if guest users can themselves invite other guest users for collaboration, perform the following actions:
Note: Getting "Guests can invite" Microsoft Entra ID setting configuration using Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
To make sure that your Microsoft Entra ID guest users cannot themselves invite other guest users to collaborate and use your Microsoft Entra ID resources, set "Guests can invite" to "No" by performing the following actions:
Note: Configuring Microsoft Entra ID external collaboration settings to restrict guest invitations using Microsoft Graph API or Azure CLI is not currently supported.