Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Limit guest user permissions.

Risk Level: Low
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.42
Covered by Spectral: No
Category: Active Directory

GSL LOGIC

ADAuthorizationPolicy should have guestUserRoleName='Restricted Guest User'
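
The following Python check is added here as an illustration and is not CloudGuard's or Microsoft's own tooling: it applies the GSL logic above to an authorizationPolicy document of the shape Microsoft Graph returns (which carries the role ID, not the role name the rule compares). It assumes the three guest role template IDs documented in the Microsoft reference linked below; the sample documents are constructed, and the labels for the two non-compliant roles are this example's own.

```python
import json

# Sample authorizationPolicy documents, constructed for this example, in the
# shape returned by GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
SAMPLE_COMPLIANT = json.dumps({
    "id": "authorizationPolicy",
    "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b",
})
SAMPLE_NONCOMPLIANT = json.dumps({
    "id": "authorizationPolicy",
    "guestUserRoleId": "10dae51f-2d5d-4dd1-9d9b-f5a43a2c5e2a",
})

# Role template IDs from the Microsoft guest-permissions reference linked below.
# Graph exposes the ID; the GSL rule compares the role name, so this mapping is
# what connects the two. Only the restricted role satisfies the rule; the other
# two labels are this example's own wording (assumption).
GUEST_USER_ROLES = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "Member User",
    "10dae51f-2d5d-4dd1-9d9b-f5a43a2c5e2a": "Guest User",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "Restricted Guest User",
}
EXPECTED_ROLE_NAME = "Restricted Guest User"  # value required by D9.AZU.IAM.42


def guest_user_role_name(policy_json: str) -> str:
    """Translate guestUserRoleId into the role name the GSL rule reasons about."""
    policy = json.loads(policy_json)
    role_id = policy.get("guestUserRoleId")
    if role_id is None:
        raise ValueError("authorizationPolicy has no guestUserRoleId field")
    return GUEST_USER_ROLES.get(role_id.lower(), f"unknown role id {role_id}")


def evaluate_rule(policy_json: str) -> dict:
    """Apply 'ADAuthorizationPolicy should have guestUserRoleName=...' to one policy."""
    name = guest_user_role_name(policy_json)
    return {
        "rule": "D9.AZU.IAM.42",
        "guestUserRoleName": name,
        "compliant": name == EXPECTED_ROLE_NAME,
    }


if __name__ == "__main__":
    for label, doc in (("compliant", SAMPLE_COMPLIANT),
                       ("non-compliant", SAMPLE_NONCOMPLIANT)):
        print(label, evaluate_rule(doc))
```

A tenant left at the default 'Guest User' role (or raised to member-equivalent access) is reported as non-compliant, which is the finding this rule raises.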

REMEDIATION

From Portal:

  1. Go to Azure Active Directory.
  2. Go to External Identities.
  3. Go to External collaboration settings.
  4. Under Guest user access, change Guest user access restrictions to be 'Guest user access is restricted to properties and memberships of their own directory objects'.
  5. Click Save.

Note: By default, 'Guest user access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'.

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users
  2. https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions
  3. https://workbench.cisecurity.org/sections/722878/recommendations/1182636

AD Authorization Policy

Represents a policy that can control Azure Active Directory authorization settings.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CSA CCM v. 4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset