Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

Restrict invitations to users with specific administrative roles only.

Risk Level: High
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.40
Covered by Spectral: No
Category: Active Directory


ADAuthorizationPolicy should have allowInvitesFrom='adminsAndGuestInviters'


From Portal

  1. From Azure Home select the Portal Menu.
  2. Select Azure Active Directory.
  3. In the navigation panel, select Users.
  4. Under All users, select User settings to access Azure Active Directory user settings.
  5. On the 'User settings' configuration page, under 'External users', click 'Manage external collaboration settings'.
  6. Now, under 'Guest invite Settings' select 'Only users assigned to specific admin roles can invite guest users'.
  7. Click Save.

Note: Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.


  1. https://learn.microsoft.com/en-us/azure/active-directory/external-identities/external-collaboration-settings-configure
  2. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations
  3. https://workbench.cisecurity.org/sections/722878/recommendations/1182638

AD Authorization Policy

Represents a policy that can control Azure Active Directory authorization settings.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset