Change this one default setting in your Azure AD

A significant security vulnerability was recently reported concerning the default guest permissions of Microsoft Azure Active Directory. Here’s how to fix it and stay safe from attackers.



Microsoft is adding more collaboration features to Azure Active Directory B2B so that organizations can work together across tenant boundaries. The external identities used in that collaboration are guest accounts, and the most common way a guest gets into a tenant is an invitation to a Teams team.

Microsoft Enterprise Mobility MVP Daniel Chronlund has identified a common flaw in most Azure AD configurations that use guest accounts: an attacker holding nothing more than an ordinary guest account can enumerate the Azure AD tenant.

With the default setting, at least all of the following information can be compromised:

  • A complete map of the organization, including management and critical roles
  • Group memberships and names
  • Security groups
  • Licenses in use
  • Tenant information

The default guest permissions setting is dangerous and should be checked and changed immediately

Screenshot showing the default settings of Azure AD

The default value is “Guest users have limited access to properties and memberships of directory objects.” With it, guest users can connect to Azure AD with PowerShell unless a Conditional Access policy blocks them.

With PowerShell, an attacker can enumerate the whole directory with a simple recursive script, as long as a few UPNs are known as a starting point. UPNs are usually easy to obtain through OSINT, because in most tenants they match employees’ e-mail addresses.
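The following PowerShell is an added example, not the researcher’s script or anything from the original post: it reproduces the recursive walk described above so you can verify, with a guest account you control, what a guest can actually read in your own tenant. It assumes you hold a guest account in the target tenant, that $TenantId is that tenant’s ID (readable from https://login.microsoftonline.com/<domain>/.well-known/openid-configuration), and that $SeedUpn is one UPN you already know. It uses the AzureAD module cmdlets (Connect-AzureAD, Get-AzureADUser, Get-AzureADUserManager, Get-AzureADUserMembership, Get-AzureADGroupMember); the module is deprecated in favour of the Microsoft Graph PowerShell SDK but still works for this check.

```powershell
# Added example (not the original researcher's script): walk the directory from one
# known UPN using nothing but guest permissions, to see what a guest can read.
# Assumptions: you control a guest account in the target tenant, $TenantId is that
# tenant's ID, $SeedUpn is one UPN you already know. Requires: Install-Module AzureAD
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SeedUpn
)

# A guest must name the resource tenant explicitly; otherwise the sign-in lands in the home tenant.
Connect-AzureAD -TenantId $TenantId | Out-Null

$SeenUsers  = @{}    # ObjectId -> user object
$SeenGroups = @{}    # ObjectId -> group object
$Queue      = [System.Collections.Generic.Queue[string]]::new()
$Queue.Enqueue($SeedUpn)

while ($Queue.Count -gt 0) {
    $upn = $Queue.Dequeue()
    try {
        $user = Get-AzureADUser -ObjectId $upn
    } catch {
        # With the "most restrictive" guest setting this fails for every user except the guest itself.
        Write-Warning "Cannot read ${upn}: $($_.Exception.Message)"
        continue
    }
    if ($SeenUsers.ContainsKey($user.ObjectId)) { continue }
    $SeenUsers[$user.ObjectId] = $user

    # The reporting line gives the org chart: the manager is another seed.
    try {
        $mgr = Get-AzureADUserManager -ObjectId $user.ObjectId
        if ($mgr -and -not $SeenUsers.ContainsKey($mgr.ObjectId)) { $Queue.Enqueue($mgr.UserPrincipalName) }
    } catch { }

    # Every group the user belongs to (directory roles are filtered out), then every user in each group.
    $memberships = Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
        Where-Object ObjectType -eq 'Group'
    foreach ($grp in $memberships) {
        if ($SeenGroups.ContainsKey($grp.ObjectId)) { continue }
        $SeenGroups[$grp.ObjectId] = $grp
        Get-AzureADGroupMember -ObjectId $grp.ObjectId -All $true |
            Where-Object ObjectType -eq 'User' |
            ForEach-Object {
                if (-not $SeenUsers.ContainsKey($_.ObjectId)) { $Queue.Enqueue($_.UserPrincipalName) }
            }
    }
}

"Reachable users:  $($SeenUsers.Count)"
"Reachable groups: $($SeenGroups.Count)"
$SeenUsers.Values |
    Select-Object DisplayName, UserPrincipalName, JobTitle, Department |
    Sort-Object Department, DisplayName |
    Format-Table -AutoSize
```

With the default “limited access” setting, a single seed UPN is typically enough for the queue to reach most of the directory, because each group membership exposes a new batch of users and each user exposes a manager and more groups. After you switch the tenant to the most restrictive setting, the same script should report only the guest’s own object and warn on every other UPN; that difference is the check worth keeping in your runbook.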

Mitigation

Recommended setting for Azure AD: Guest user access is restricted to properties and memberships of their own directory objects

To protect the tenant, select “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)” under External collaboration settings in the Azure AD portal (you can access the setting here). With that value a guest can only read its own object and the groups it is a member of, so the recursive enumeration stops at the first step. Because the setting also changes what guests see in Teams and other Microsoft 365 workloads, test it with a representative guest account before rolling it out, and keep a Conditional Access policy for guests as an additional layer.
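The same change can be made and verified from PowerShell. The script below is an added example, not code from the original post; it runs as a Global Administrator with the AzureAD (2.0.2.x or later) or AzureADPreview module and uses Get-AzureADMSAuthorizationPolicy and Set-AzureADMSAuthorizationPolicy. The three GuestUserRoleId values are the ones Microsoft documents for the three portal options; confirm them against the current documentation before relying on them.

```powershell
# Added example (not from the original post): read the guest user role on the tenant's
# authorization policy and switch it to the most restrictive value, then read it back.
# Run as Global Administrator with the AzureAD (2.0.2.x or later) or AzureADPreview module.
Connect-AzureAD | Out-Null

# GuestUserRoleId values documented by Microsoft for the three portal options.
$GuestRole = @{
    SameAsMembers = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'   # "same access as members" (most inclusive)
    Limited       = '10dae51f-b6af-4016-8d66-8c2a99b929b3'   # "limited access" (the default discussed above)
    Restricted    = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # "restricted to their own objects" (most restrictive)
}

function Get-GuestRoleName([string] $RoleId) {
    $match = $GuestRole.GetEnumerator() | Where-Object { $_.Value -eq $RoleId }
    if ($match) { $match.Key } else { 'Unknown' }
}

$policy = Get-AzureADMSAuthorizationPolicy
"Current guest role: $(Get-GuestRoleName $policy.GuestUserRoleId) ($($policy.GuestUserRoleId))"

if ($policy.GuestUserRoleId -eq $GuestRole.Restricted) {
    "Nothing to do: guest access is already restricted."
} else {
    Set-AzureADMSAuthorizationPolicy -GuestUserRoleId $GuestRole.Restricted

    # Read the policy back rather than trusting that the call succeeded silently.
    $after = Get-AzureADMSAuthorizationPolicy
    if ($after.GuestUserRoleId -ne $GuestRole.Restricted) {
        throw "Guest role is still $(Get-GuestRoleName $after.GuestUserRoleId); check your role assignment and retry."
    }
    "Guest role is now Restricted. Re-run the enumeration check with a guest account to confirm."
}
```

If you have already moved to the Microsoft Graph PowerShell SDK, the equivalent is Connect-MgGraph -Scopes Policy.ReadWrite.Authorization followed by Update-MgPolicyAuthorizationPolicy -GuestUserRoleId with the same Restricted GUID. Either way, the read-back matters: a tenant where the write silently failed looks hardened in your change log but is still fully enumerable.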

Original sources:
