Restrict Guest User Access to Their Own Directory Data

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that guest user access is restricted to properties and memberships of their own directory objects in Microsoft Entra ID in order to enhance access security and comply with organization regulations and policies.

Security

Microsoft provides the option to limit what external guest users can access within their organization in Microsoft Entra ID. By default, guest users are assigned a restricted permission level, whereas member users enjoy full user permissions. By setting the guest user access restriction level to Guest user access is restricted to properties and memberships of their own directory objects (most restrictive), guests have no access to other users and group memberships including groups they are a member of. By limiting guest access, you should ensure that these accounts do not have permissions for specific directory tasks, such as listing users, groups, or other directory resources, and they should also be prohibited from being assigned administrative roles within your directory.


Audit

To determine whether external guest users can only access their own directory data, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Microsoft Entra ID blade available at https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview.

03 In the main navigation panel, under Manage, select External Identities.

04 In the left navigation panel, select Overview to access the configuration settings available for Microsoft Entra ID external identities.

05 Under Set up how you want to collaborate, choose Set up external collaboration settings.

06 In the Guest user access section, check the Guest user access restrictions setting value to determine the guest user permission level configured for external collaboration. If Guest user access restrictions is not set to Guest user access is restricted to properties and memberships of their own directory objects (most restrictive), the guest user permission level configured for your Microsoft Entra organization's external collaboration is not compliant.

Using Azure PowerShell

01 Run the Connect-MgGraph PowerShell command to connect to Microsoft Graph with the Microsoft Entra ID tenant specified by the -TenantId parameter (replace <tenant-name> with your own tenant name):

Connect-MgGraph -TenantId <tenant-name>.onmicrosoft.com -Scopes "Policy.ReadWrite.Authorization"

02 Run the Get-MgPolicyAuthorizationPolicy PowerShell command with custom output filters to determine the guest user permission level configured for external collaboration. There are three permission levels: Same as member users (guest users have the same access to organization resources as member users; level ID: a0b1b346-4d3e-4e8b-98f8-753987be4970), Limited access (guest users can see membership of all non-hidden groups; ID: 10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted access (guest users can't see membership of any groups; ID: 2af84b1e-32c8-42b7-82bc-daa82404023b). For compliance, the permission level should be Restricted access (i.e., 2af84b1e-32c8-42b7-82bc-daa82404023b):

Get-MgPolicyAuthorizationPolicy | Select-Object GuestUserRoleId

03 The command output should return the ID of the guest user permission level configured for external collaboration:

GuestUserRoleId
---------------
a0b1b346-4d3e-4e8b-98f8-753987be4970

If the GuestUserRoleId attribute value is not set to 2af84b1e-32c8-42b7-82bc-daa82404023b (i.e., Restricted access), the guest user permission level configured for your Microsoft Entra organization's external collaboration is not compliant.

Remediation / Resolution

To ensure that external guest users can only access their own directory data, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Microsoft Entra ID blade available at https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview.

03 In the main navigation panel, under Manage, select External Identities.

04 In the left navigation panel, select Overview to access the configuration settings available for Microsoft Entra ID external identities.

05 Under Set up how you want to collaborate, choose Set up external collaboration settings.

06 In the Guest user access section, set the Guest user access restrictions configuration setting to Guest user access is restricted to properties and memberships of their own directory objects (most restrictive) to change the permission level for Microsoft Entra organization's external collaboration to Restricted access (recommended). This will allow guest users to access only their own directory data. Choose Save to apply the configuration settings.

Using Azure PowerShell

01 Run the Update-MgPolicyAuthorizationPolicy PowerShell command to update the default authorization policy in order to set the permission level for Microsoft Entra organization's external collaboration to Restricted access (i.e., 2af84b1e-32c8-42b7-82bc-daa82404023b):

Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
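The audit and remediation steps above combined into one script, as an added example that is not part of the Conformity page or of the Microsoft Graph SDK itself. It assumes the Microsoft.Graph PowerShell module is installed, that the tenant name placeholder is replaced, and that the signed-in account holds the Policy.ReadWrite.Authorization permission used on this page; the role-ID-to-name table is the one documented above, and the -Remediate switch is this script's own parameter.

```powershell
# Added example: audit the guest user permission level and, only when
# -Remediate is passed, set it to Restricted access and re-verify.
# Assumptions: Microsoft.Graph SDK installed; replace the tenant placeholder.
param(
    [string]$TenantId = '<tenant-name>.onmicrosoft.com',
    [switch]$Remediate
)

# Guest user role IDs as documented on this page.
$GuestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as member users'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access'
}
# Only Restricted access satisfies the check.
$CompliantRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Get-GuestAccessStatus {
    # Reads the default authorization policy and reports the configured
    # level by name together with a compliance flag.
    $roleId = (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
    $level = if ($GuestRoleNames.ContainsKey($roleId)) { $GuestRoleNames[$roleId] } else { 'Unknown' }
    [pscustomobject]@{
        GuestUserRoleId = $roleId
        Level           = $level
        Compliant       = ($roleId -eq $CompliantRoleId)
    }
}

Connect-MgGraph -TenantId $TenantId -Scopes 'Policy.ReadWrite.Authorization' | Out-Null

$before = Get-GuestAccessStatus
Write-Output ('Current guest user permission level: {0} ({1})' -f $before.Level, $before.GuestUserRoleId)

if ($before.Compliant) {
    Write-Output 'Compliant: guest access is restricted to their own directory objects.'
}
elseif ($Remediate) {
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $CompliantRoleId
    # Re-read the policy so the result reflects what the tenant now enforces.
    $after = Get-GuestAccessStatus
    if (-not $after.Compliant) { throw 'Remediation did not take effect; re-check the authorization policy.' }
    Write-Output 'Remediated: guest user permission level is now Restricted access.'
}
else {
    Write-Warning 'Not compliant: re-run with -Remediate to set Restricted access.'
}
```

Run without -Remediate first to record the current level; the script changes the tenant only when the switch is present.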

Publication date Feb 12, 2025