Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Members Can Invite

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-013

Ensure that "Members can invite" policy is set to "No" within your Microsoft Entra ID user settings so that non-administrator members cannot invite guest users to collaborate on resources secured by your Microsoft Entra ID, such as SharePoint sites or certain Azure cloud resources.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Restricting the ability to send invitations to Microsoft Entra ID administrators only prevents inadvertent access to your Microsoft Entra ID data and ensures that only authorized accounts have access to your Azure cloud resources.

Audit

To determine if non-admin members can invite guests for collaboration, perform the following actions:

Note: Querying "Members can invite" Microsoft Entra ID setting configuration using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On Manage external collaboration settings page, verify the Members can invite setting configuration. If Members can invite is set to Yes, the non-administrator members of your directory can invite guest users to collaborate on your secured Microsoft Entra ID resources, hence the Microsoft Entra ID external collaboration configuration is not compliant.

07 Repeat steps no. 3 – 6 for each Microsoft Microsoft Entra ID that you want to examine.

Remediation / Resolution

To make sure that only Microsoft Entra ID members with administrator roles can invite guest users to your directory by setting "Members can invite" option to "No", perform the following actions:

Note: Configuring Microsoft Entra ID external collaboration settings to restrict invitations to Microsoft Entra ID administrators only using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user settings.

05 On the User settings configuration page, under External users, click Manage external collaboration settings.

06 On the Manage external collaboration settings page, select No under Members can invite to disable the non-administrators ability to invite guest users to collaborate on your Microsoft Entra ID resources.

07 Click Save to apply the configuration changes. If successful, the following message should be displayed: "Successfully saved invitation policy". Once the changes are saved, only Microsoft Entra ID administrators can invite guest users to your current directory.

08 Repeat steps no. 3 – 7 for each Microsoft Entra ID that you want to reconfigure in order to disable the ability to invite guests to your Microsoft Entra ID account for non-administrator members.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules