Ensure Guest Users Are Reviewed on a Regular Basis

Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities.

Risk Level: Low
Cloud Entity: AD Access Reviews Schedule Definition
CloudGuard Rule ID: D9.AZU.IAM.41
Covered by Spectral: No
Category: Active Directory

GSL LOGIC

List<ADAccessReviewsScheduleDefinition> should have items with [settings.recurrence.pattern.type in ('absoluteMonthly', 'weekly') and status='InProgress'] length()>0

REMEDIATION

From Portal:

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to All Users
  4. Click on Add filters button, select User type, click Apply, select Guest, click Apply
  5. Delete all 'Guest' users that are no longer required or are inactive.

It is good practice to use a dynamic group to manage guest users.
To create the dynamic group:

  1. Navigate to the Active Directory blade in the Azure Portal
  2. Select the Groups item
  3. Create new
  4. Type of dynamic
  5. Use the following dynamic membership rule: (user.userType -eq 'Guest')
  6. Once the group has been created, select access reviews option and create a new access review with a period of monthly/weekly and send to relevant administrators for review.

From Command Line:
Use the query below to list all Guest users. Ensure that none of the users listed are inactive and that all are still required.

az ad user list --query "[?userType=='Guest']"
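As an added example (not CloudGuard's own code), the following Python script evaluates the GSL logic of this rule over access review schedule definitions and extracts the guest accounts from `az ad user list` output. Both inputs are constructed sample JSON in the shape those objects have (settings.recurrence.pattern.type and status for access reviews; userType and userPrincipalName for users); the sample values and function names are assumptions.

```python
import json

# Constructed sample of `az ad user list` output (not real accounts): one member, two guests.
AZ_AD_USER_LIST = json.dumps([
    {"displayName": "Alice Example", "userPrincipalName": "alice@example.com", "userType": "Member"},
    {"displayName": "Bob Partner",
     "userPrincipalName": "bob_partner.example#EXT#@example.onmicrosoft.com", "userType": "Guest"},
    {"displayName": "Carol Contractor",
     "userPrincipalName": "carol_contractor.example#EXT#@example.onmicrosoft.com", "userType": "Guest"},
])

# Constructed sample of access review schedule definitions, carrying the two fields
# the rule's GSL logic reads: settings.recurrence.pattern.type and status.
ACCESS_REVIEWS = json.dumps([
    {"displayName": "Quarterly app owners", "status": "Completed",
     "settings": {"recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3}}}},
    {"displayName": "Guest users (monthly)", "status": "InProgress",
     "settings": {"recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 1}}}},
])


def guest_users(az_user_list_json):
    """Return the UPNs of guest accounts, i.e. the same set the portal filter
    'User type = Guest' and the az CLI query on this page show."""
    users = json.loads(az_user_list_json)
    return [u["userPrincipalName"] for u in users if u.get("userType") == "Guest"]


def rule_passes(access_reviews_json):
    """Evaluate the GSL logic: at least one schedule definition must recur
    monthly or weekly AND currently be in status InProgress.
    Returns (passed, names of qualifying reviews)."""
    qualifying = []
    for d in json.loads(access_reviews_json):
        pattern = d.get("settings", {}).get("recurrence", {}).get("pattern", {})
        if pattern.get("type") in ("absoluteMonthly", "weekly") and d.get("status") == "InProgress":
            qualifying.append(d["displayName"])
    return len(qualifying) > 0, qualifying


if __name__ == "__main__":
    print("Guest users to review:", guest_users(AZ_AD_USER_LIST))
    passed, names = rule_passes(ACCESS_REVIEWS)
    print("D9.AZU.IAM.41 passes:", passed, names)
```

A review whose status is Completed does not satisfy the rule even if it recurs monthly; only an in-progress recurring review counts.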

References:

  1. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user
  2. https://workbench.cisecurity.org/sections/722878/recommendations/1182618
  3. https://learn.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest#az-ad-user-list

AD Access Reviews Schedule Definition

Azure AD access reviews are used to configure one-time or recurring access reviews for attestation of a principal's right to access Azure AD resources.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset