A significant security vulnerability was recently reported concerning the default guest permissions of Microsoft Azure Active Directory. Here’s how to fix it and stay safe from attackers.
Microsoft is pushing more collaboration features with Azure Active Directory B2B to enable collaboration between organizations. The external identities used for this collaboration are represented as guest accounts, and a typical way guest access gets granted is through collaboration in Teams.
Microsoft Enterprise Mobility MVP Daniel Chronlund (https://twitter.com/DanielChronlund) has identified a common flaw in most Azure AD configurations that use guest accounts: an attacker holding nothing more than an ordinary guest account can enumerate the Azure AD tenant.
At least the following information can be exposed with the default setting:
The default setting is “Guest users have limited access to properties and memberships of directory objects.” Guest users can sign in to Azure AD from PowerShell unless a Conditional Access policy blocks them.
From PowerShell, an attacker can enumerate the whole directory with a simple recursive script, as long as a few UPNs are known, and UPNs can be gathered through OSINT. Proof of concept for the script can be found here.
To protect the tenant, select “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)” in the External collaboration settings (you can access the setting here).
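The same setting can be audited and enforced from the command line instead of the portal. The following script is an added example, not code from the original post or from the researcher it cites; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in administrator holds the Policy.ReadWrite.Authorization permission. The three role template IDs are the values Microsoft documents for the guest access restriction choices; the remaining names are constructed for this example.

```powershell
# Added example: audit (and optionally enforce) the Azure AD guest user
# access restriction through the tenant's authorization policy.
# Run as audit-only by default; pass -Remediate to switch to the most
# restrictive level.
#Requires -Modules Microsoft.Graph.Identity.SignIns
param(
    [switch]$Remediate
)

# Role template IDs behind the three "Guest user access restrictions" choices
# in External collaboration settings (Microsoft-documented values).
$GuestRoleIds = @{
    SameAsMembers   = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'   # least restrictive
    Limited         = '10dae51f-2e42-4ac4-b6f5-7d8cd0a9f6df'   # default
    MostRestrictive = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # recommended
}

# Map a guestUserRoleId back to the human-readable choice for reporting.
function Get-GuestAccessLevel {
    param([string]$GuestUserRoleId)
    $match = $GuestRoleIds.GetEnumerator() |
        Where-Object { $_.Value -eq $GuestUserRoleId }
    if ($match) { return $match.Name }
    return "Unknown ($GuestUserRoleId)"
}

# Read-only scope is enough for the audit; write scope only when remediating.
$scope = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scope -NoWelcome

# The authorization policy is a tenant-wide singleton.
$policy = Get-MgPolicyAuthorizationPolicy
$level  = Get-GuestAccessLevel -GuestUserRoleId $policy.GuestUserRoleId
Write-Host "Current guest access level: $level"

if ($policy.GuestUserRoleId -eq $GuestRoleIds.MostRestrictive) {
    Write-Host 'Guests are already limited to their own directory objects.'
    return
}

Write-Warning 'Guests can read properties and memberships of other directory objects.'
if ($Remediate) {
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $GuestRoleIds.MostRestrictive
    $after = Get-MgPolicyAuthorizationPolicy
    Write-Host "New guest access level: $(Get-GuestAccessLevel -GuestUserRoleId $after.GuestUserRoleId)"
}
```

Note that this setting only limits what a signed-in guest can read; blocking guest sign-ins from PowerShell altogether is a separate Conditional Access decision, as the text above points out.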