November 29, 2021
5 min. read

Change this one default setting in your Azure AD

A significant security vulnerability was recently reported concerning the default guest permissions of Microsoft Azure Active Directory. Here’s how to fix it and stay safe from attackers.


Microsoft is pushing more collaboration features with Azure Active Directory B2B to enable collaboration between organizations. The external identities used in B2B collaboration are guest accounts, and a typical way guests are granted access is through Teams.

Microsoft Enterprise Mobility MVP Daniel Chronlund has identified a common flaw in most Azure AD configurations that use guest accounts: with nothing more than an ordinary guest account, an attacker can enumerate the Azure AD tenant.

At least all of the following information can be compromised with the default setting:

  • A complete map of the organization, including management and critical roles
  • Group memberships and names
  • Security groups
  • Licenses used
  • Tenant information

The default setting on Guest permissions is dangerous and should be checked and changed immediately

Screenshot showing the default settings of Azure AD

The default setting is “Guest users have limited access to properties and memberships of directory objects.” Guest users can connect to Azure AD with PowerShell unless this is blocked by Conditional Access policies.

With PowerShell, an attacker can enumerate the whole directory with a simple recursive script, as long as some UPNs are known, and UPNs can be gathered with OSINT.

Mitigation

Recommended setting for Azure AD: Guest user access is restricted to properties and memberships of their own directory objects

To protect the tenant, select “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)” in the External collaboration settings of Azure AD.
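The same check can be scripted so it runs as part of a regular tenant audit. The script below is an added example, not code from the article or from Daniel Chronlund; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds a role allowed to read (and, with -Fix, change) the tenant authorization policy. The three role template IDs are the values Microsoft documents for the authorizationPolicy guestUserRoleId property.

```powershell
# Added example (not from the article): audit, and optionally fix, the Azure AD
# guest user access level with the Microsoft Graph PowerShell SDK.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

# Guest user role template IDs as documented by Microsoft for the
# authorizationPolicy.guestUserRoleId property.
$GuestRoleLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as members (least restrictive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access to directory objects (DEFAULT, allows enumeration)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted to own directory objects (most restrictive)'
}
$MostRestrictive = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Test-GuestAccessLevel {
    [CmdletBinding()]
    param([switch]$Fix)   # without -Fix the function only reports

    # The read-only scope is enough to audit; the write scope is only
    # requested when remediation was explicitly asked for.
    $scopes = if ($Fix) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
    Connect-MgGraph -Scopes $scopes | Out-Null

    $policy  = Get-MgPolicyAuthorizationPolicy
    $current = $policy.GuestUserRoleId
    $label   = if ($GuestRoleLevels.ContainsKey($current)) { $GuestRoleLevels[$current] } else { 'Unknown role id' }
    Write-Host "Current guest access level: $label ($current)"

    if ($current -eq $MostRestrictive) {
        Write-Host 'OK: guests are limited to their own directory objects.'
        return $true
    }

    Write-Warning 'Guests can enumerate users, groups and roles in this tenant.'
    if (-not $Fix) { return $false }

    # The authorization policy is a tenant-wide singleton, so no object id is needed.
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $MostRestrictive
    Write-Host 'Guest access changed to the most restrictive level.'
    return $true
}

# Audit only:
Test-GuestAccessLevel
# Audit and remediate:
# Test-GuestAccessLevel -Fix
```

Existing guest sessions keep their tokens until they expire, so re-run the audit after the change and review Conditional Access for guest sign-ins as well.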
