Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
Restrict invitations to users with specific administrative roles only.
Risk Level: High
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.40
Covered by Spectral: No
Category: Active Directory
GSL LOGIC
ADAuthorizationPolicy should have allowInvitesFrom='adminsAndGuestInviters'
REMEDIATION
From Portal
- From Azure Home select the Portal Menu.
- Select Azure Active Directory.
- In the navigation panel, select Users.
- Under All users, select User settings to access Azure Active Directory user settings.
- On the 'User settings' configuration page, under 'External users', click 'Manage external collaboration settings'.
- Under 'Guest invite settings', select 'Only users assigned to specific admin roles can invite guest users'.
- Click Save.
Note: The portal is the only remediation path documented here, and Azure CLI has no dedicated command for this setting. The setting itself is the allowInvitesFrom property of the Microsoft Graph authorizationPolicy resource (the value the GSL logic above checks): it can be read with GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy and changed with a PATCH to the same endpoint (for example through `az rest`), which requires the Policy.ReadWrite.Authorization permission.
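The check and the remediation as one script, added here as an example and not CloudGuard, CIS or Microsoft code. The evaluation applies the GSL logic above (allowInvitesFrom must equal 'adminsAndGuestInviters') and separately flags the stricter 'none' value, which the equality check would otherwise report as a plain failure. The Graph endpoint, the allowInvitesFrom values and the permission name come from Microsoft Graph documentation; the sample policy document, the GRAPH_TOKEN and APPLY environment variables are assumptions made for the example. With no token set it runs offline against the constructed sample.

```python
"""Check and remediate Azure AD guest-invite restrictions via Microsoft Graph.

Added example, not the page's or the project's own code. The rule logic mirrors the
GSL above; the sample policy and the environment variable names are assumptions.
"""
import json
import os
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
# Portal label: 'Only users assigned to specific admin roles can invite guest users'
REQUIRED = "adminsAndGuestInviters"

# Documented allowInvitesFrom values, most to least permissive.
PERMISSIVENESS = ["everyone", "adminsGuestInvitersAndAllMembers", REQUIRED, "none"]

# Constructed sample of a GET /policies/authorizationPolicy response for a tenant
# that still has the default setting. Not taken from a real tenant.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "allowInvitesFrom": "everyone",
    "allowedToSignUpEmailBasedSubscriptions": True,
    "blockMsolPowerShell": False,
}


def evaluate(policy):
    """Apply rule D9.AZU.IAM.40 to one authorizationPolicy object."""
    value = policy.get("allowInvitesFrom")
    if value == REQUIRED:
        return {"compliant": True, "value": value,
                "finding": "only admin roles and Guest Inviters can invite guests"}
    if value == "none":
        # Stricter than the rule expects. The GSL equality check still fails it, so
        # report it distinctly rather than as a permissive misconfiguration.
        return {"compliant": False, "value": value,
                "finding": "nobody can invite guests; stricter than the rule, review before loosening"}
    if value not in PERMISSIVENESS:
        return {"compliant": False, "value": value,
                "finding": f"unexpected allowInvitesFrom value {value!r}"}
    return {"compliant": False, "value": value,
            "finding": f"allowInvitesFrom is {value!r}; members or guests can invite guest users"}


def remediation_patch():
    """Body for PATCH /policies/authorizationPolicy (needs Policy.ReadWrite.Authorization)."""
    return {"allowInvitesFrom": REQUIRED}


def _graph(method, token, body=None):
    """Minimal Graph call with a bearer token; PATCH returns 204 with an empty body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH_URL, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def fetch_policy(token):
    return _graph("GET", token)


def apply_remediation(token):
    """Set allowInvitesFrom to the required value, then re-read the policy to confirm."""
    _graph("PATCH", token, remediation_patch())
    return fetch_policy(token)


if __name__ == "__main__":
    # GRAPH_TOKEN: an access token for graph.microsoft.com (assumed name).
    # APPLY=1 additionally applies the fix when the tenant is non-compliant.
    token = os.environ.get("GRAPH_TOKEN")
    policy = fetch_policy(token) if token else SAMPLE_POLICY
    result = evaluate(policy)
    print(json.dumps(result, indent=2))
    if not result["compliant"] and token and os.environ.get("APPLY") == "1":
        print(json.dumps(evaluate(apply_remediation(token)), indent=2))
```

Run it without GRAPH_TOKEN to see the finding for the sample tenant; with a token that carries Policy.Read.All it reads the live policy, and with APPLY=1 and Policy.ReadWrite.Authorization it patches and re-evaluates. The re-read after the PATCH is deliberate: the rule is judged on what Graph returns, not on the request that was sent.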
References
- https://learn.microsoft.com/en-us/azure/active-directory/external-identities/external-collaboration-settings-configure
- https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations
- https://workbench.cisecurity.org/sections/722878/recommendations/1182638
AD Authorization Policy
Represents a policy that can control Azure Active Directory authorization settings.
Compliance Frameworks
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v. 2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago