Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Limit guest user permissions.
Risk Level: Low
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.42
Covered by Spectral: No
Category: Active Directory
GSL LOGIC
ADAuthorizationPolicy should have guestUserRoleName='Restricted Guest User'
REMEDIATION
From Portal:
- Go to Azure Active Directory.
- Go to External Identities.
- Go to External collaboration settings.
- Under Guest user access, change Guest user access restrictions to be 'Guest user access is restricted to properties and memberships of their own directory objects'.
- Click Save.
Note: By default, Guest user access restrictions is set to 'Guest user access is restricted to properties and memberships of their own directory objects'.
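The portal setting above corresponds to the guestUserRoleId field of the Microsoft Graph authorizationPolicy object, which exposes a role template id rather than the role name the GSL logic names. The following is an added check, not CloudGuard's or Microsoft's code, that maps the id to the name, evaluates the rule and produces the PATCH body that restores the restricted role; the role ids are those Microsoft documents for the authorizationPolicy resource (confirm against the references below), and the sample response is constructed.

```python
import json

# Guest role template ids reported in guestUserRoleId by the Graph
# authorizationPolicy resource, as documented by Microsoft for that resource.
GUEST_ROLE_IDS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "User",                   # same rights as members
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "Guest User",             # limited access
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "Restricted Guest User",  # what the rule requires
}
RESTRICTED_GUEST_ROLE_ID = "2af84b1e-32c8-42b7-82bc-daa82404023b"


def evaluate_guest_restriction(policy: dict) -> dict:
    """Apply the GSL check (guestUserRoleName == 'Restricted Guest User')
    to the JSON returned by GET /v1.0/policies/authorizationPolicy."""
    role_id = policy.get("guestUserRoleId")
    role_name = GUEST_ROLE_IDS.get(role_id, "Unknown")
    compliant = role_id == RESTRICTED_GUEST_ROLE_ID
    return {
        "rule": "D9.AZU.IAM.42",
        "guestUserRoleId": role_id,
        "guestUserRoleName": role_name,
        "compliant": compliant,
        # Body for PATCH /v1.0/policies/authorizationPolicy when non-compliant.
        "remediation": None if compliant else {"guestUserRoleId": RESTRICTED_GUEST_ROLE_ID},
    }


# Constructed sample of a non-compliant tenant (guests hold the broader
# 'Guest User' role), trimmed to the field the rule inspects.
SAMPLE_POLICY = json.loads("""{
  "id": "authorizationPolicy",
  "displayName": "Authorization Policy",
  "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3"
}""")

if __name__ == "__main__":
    # Against a real tenant, fetch the object with:
    #   az rest --method GET --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy
    print(json.dumps(evaluate_guest_restriction(SAMPLE_POLICY), indent=2))
```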
References:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users
- https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions
- https://workbench.cisecurity.org/sections/722878/recommendations/1182636
AD Authorization Policy
Represents a policy that can control Azure Active Directory authorization settings.
Compliance Frameworks
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v. 2.0
- Azure CSA CCM v. 4.0.1
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset