lacework-global-499
1.4 Ensure Guest Users Are Reviewed on a Regular Basis (Manual)
Profile Applicability
• Level 1
Description
Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.
Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user.
Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.
Rationale
Guest users in the Azure AD are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants. Guest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely, leading to a potential vulnerability. To prevent this, guest users should be reviewed on a regular basis. During this audit, guest users should also be determined to not have administrative privileges.
Impact
Before removing guest users, determine their use and scope. Like removing any user, there may be unforeseen consequences to systems if it is deleted.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users and group
- Select
All Users
- Click on
Add filters
button, selectUser type
, clickApply
, selectGuest
, clickApply
- Audit the listed guest users.
From Azure CLI
az ad user list --query "[?userType=='Guest']"
Ensure all users listed are still required and not inactive.
From Azure Powershell
Get-AzureADUser |Where-Object {$_.UserType -like "Guest"} |Select-Object DisplayName, UserPrincipalName, UserType -Unique
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users and group
- Select
All Users
- Click on
Add filters
button, selectUser type
, clickApply
, selectGuest
, clickApply
- Delete all
Guest
users that are no longer required or are inactive.
From Azure CLI
Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems.
az ad user update --id <exampleaccountid@domain.com> --account-enabled {false}
After determining that there are no dependent systems delete the user.
Remove-AzureADUser -ObjectId <exampleaccountid@domain.com>
From Azure Powershell
Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems.
Set-AzureADUser -ObjectId "<exampleaccountid@domain.com>" -AccountEnabled false
After determining that there are no dependent systems delete the user.
PS C:\>Remove-AzureADUser -ObjectId <exampleaccountid@domain.com>
References
https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-3-review-and-reconcile-user-access-regularly
https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-restore
Additional Information
It is good practice to use a dynamic group to manage guest users.
To create the dynamic group:
- Navigate to the 'Active Directory' blade in the Azure Portal
- Select the 'Groups' item
- Create new
- Type of 'dynamic'
- Use the following dynamic selection rule. "(user.userType -eq "Guest")"
- Once the group has been created, select access reviews option and create a new access review with a period of monthly and send to relevant administrators for review.