Risk Level: Low
Cloud Entity: AD Access Reviews Schedule Definition
CloudGuard Rule ID: D9.AZU.IAM.41
Covered by Spectral: No
Category: Active Directory

GSL LOGIC

List<ADAccessReviewsScheduleDefinition> should have items with [settings.recurrence.pattern.type in ('absoluteMonthly', 'weekly') and status='InProgress' ]  length()>0

REMEDIATION

From Portal:

Go to Azure Active Directory
Go to Users and group
Go to All Users
Click on Add filters button, select User type, click Apply, select Guest, click Apply
Delete all 'Guest' users that are no longer required or are inactive.

It is good practice to use a dynamic group to manage guest users.
To create the dynamic group:

Navigate to the Active Directory blade in the Azure Portal
Select the Groups item
Create new
Type of dynamic
Use the following dynamic selection rule 'user.userType -eq 'Guest'
Once the group has been created, select access reviews option and create a new access review with a period of monthly/weekly and send to relevant administrators for review.

From Command Line
Use below query to list all Guest users. Ensure all users listed are not inactive and still required.

az ad user list --query '[?userType==`Guest`]'

References:

AD Access Reviews Schedule Definition

Azure AD access reviews are used to configure one-time or recurring access reviews for attestation of a principal's right to access Azure AD resources.

Compliance Frameworks

Azure CIS Foundations v. 1.2.0
Azure CIS Foundations v. 1.3.0
Azure CIS Foundations v. 1.3.1
Azure CIS Foundations v. 1.4.0
Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CSA CCM v.4.0.1
Azure CloudGuard Best Practices
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset