November 29, 2021
5 min. read

Change this one default setting in your Azure AD

A significant security vulnerability was recently reported concerning the default guest permissions of Microsoft Azure Active Directory. Here’s how to fix it and stay safe from attackers.

Mika Aalto
Co-founder, CEO

Microsoft keeps adding collaboration features to Azure Active Directory B2B to enable collaboration between organizations. External identities are represented in the tenant as guest accounts, and a typical way a guest account gets created is by inviting an external person to a team in Microsoft Teams.

Microsoft Enterprise Mobility MVP Daniel Chronlund (https://twitter.com/DanielChronlund) has shown a weakness that applies to most Azure AD tenants that use guest accounts: with the default guest permission level, an attacker holding nothing more than an ordinary B2B guest account can enumerate the Azure AD tenant.

With the default setting, at least the following information can be read by any guest:

  • A complete map of the organization, including management and critical roles
  • Group names and memberships
  • Security groups
  • Licenses in use
  • Tenant information


The default Guest permissions setting is dangerous and should be checked and changed immediately

The default setting is “Guest users have limited access to properties and memberships of directory objects.” With it, a guest can read the properties and group memberships of other users and groups, not only their own. A guest can sign in to Azure AD from PowerShell (for example with the Azure AD or Microsoft Graph PowerShell modules) unless a Conditional Access policy blocks that sign-in; blocking the PowerShell client is a useful extra layer, but it does not remove the underlying read permission, which is also reachable through other Graph clients.

With PowerShell, an attacker can enumerate the whole directory with a simple recursive script: read a known user, list that user's group memberships, list each group's members, and repeat for every new user found. All that is needed to start is a few user principal names (UPNs), and UPNs can usually be gathered with OSINT (the tenant's e-mail address format plus names from LinkedIn or the company website). Daniel Chronlund's proof-of-concept script is in his blog post, linked under Original sources below.
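As an added example, not the original proof of concept and not code from Daniel Chronlund's blog, here is a bounded version of that walk written against the Microsoft Graph PowerShell SDK. It is meant as a check you run with a B2B test guest account you own, before and after changing the guest permission setting, to see exactly what a guest can read. It assumes the guest can sign in (no Conditional Access block) and can consent to the two delegated scopes (tenant consent settings vary), and it uses the placeholder tenant contoso.example and constructed seed UPNs.

```powershell
# Added example: bounded guest-side directory walk for checking what a B2B guest
# can read. Not the original PoC. Assumes the Microsoft.Graph PowerShell SDK,
# a test guest you own, and that the guest may sign in and consent to
# User.ReadBasic.All and GroupMember.Read.All (tenant consent settings vary).
Import-Module Microsoft.Graph.Authentication

$Tenant   = 'contoso.example'                                   # placeholder tenant
$SeedUpns = @('alice@contoso.example', 'bob@contoso.example')   # constructed seed UPNs
$MaxDepth = 2                                                   # bound the recursion
$Graph    = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -TenantId $Tenant -Scopes 'User.ReadBasic.All', 'GroupMember.Read.All'

$SeenUsers  = @{}   # upn -> user object the guest could read
$SeenGroups = @{}   # id  -> display name of every group the guest could expand
$Denied     = [System.Collections.Generic.List[string]]::new()

function Get-GraphPages {
    # Follow @odata.nextLink so large groups are listed completely
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject -ErrorAction Stop
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

function Expand-GroupMembers {
    param([string]$GroupId, [string]$Name, [int]$Depth)
    if ($Depth -gt $MaxDepth -or $SeenGroups.ContainsKey($GroupId)) { return }
    $SeenGroups[$GroupId] = $Name
    try {
        $members = Get-GraphPages "$Graph/groups/$GroupId/members?`$select=id,displayName,userPrincipalName"
    } catch {
        $Denied.Add("groups/$GroupId/members"); return
    }
    foreach ($m in $members) {
        if ($m.'@odata.type' -eq '#microsoft.graph.group') {
            Expand-GroupMembers -GroupId $m.id -Name $m.displayName -Depth ($Depth + 1)
        } elseif ($m.userPrincipalName) {
            Expand-UserMemberships -Upn $m.userPrincipalName -Depth ($Depth + 1)
        }
    }
}

function Expand-UserMemberships {
    param([string]$Upn, [int]$Depth)
    if ($Depth -gt $MaxDepth -or $SeenUsers.ContainsKey($Upn)) { return }
    $enc = [uri]::EscapeDataString($Upn)
    try {
        $u = Invoke-MgGraphRequest -Method GET -OutputType PSObject -ErrorAction Stop `
             -Uri "$Graph/users/$enc`?`$select=id,displayName,userPrincipalName,jobTitle,department"
    } catch {
        $Denied.Add("users/$Upn"); return     # expected once the tenant is restricted
    }
    $SeenUsers[$Upn] = $u
    try {
        # memberOf returns groups and directory roles; only groups are expanded further
        $groups = Get-GraphPages "$Graph/users/$($u.id)/memberOf?`$select=id,displayName"
    } catch {
        $Denied.Add("users/$Upn/memberOf"); return
    }
    foreach ($g in $groups) {
        if ($g.'@odata.type' -eq '#microsoft.graph.group') {
            Expand-GroupMembers -GroupId $g.id -Name $g.displayName -Depth ($Depth + 1)
        }
    }
}

foreach ($upn in $SeedUpns) { Expand-UserMemberships -Upn $upn -Depth 0 }

"Users readable by this guest : $($SeenUsers.Count)"
"Groups expanded              : $($SeenGroups.Count)"
"Requests denied              : $($Denied.Count)"
$SeenUsers.Values | Select-Object displayName, userPrincipalName, jobTitle, department | Format-Table -AutoSize
```

With the default (limited) setting the walk keeps growing from two seeds until it hits the depth bound; with the most restrictive setting the very first read of another user's object is denied and the denied count is all you get. If the script cannot even sign in, a Conditional Access policy is blocking the guest, which is worth knowing but is not the same thing as having fixed the permission.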


Mitigation

To protect the tenant, select “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)” under Azure Active Directory > External Identities > External collaboration settings > Guest user access in the Azure portal, or set the equivalent guestUserRoleId in the tenant's authorization policy with PowerShell. Test the change with a guest account you control, because some collaboration scenarios rely on guests being able to read group membership; Microsoft's documentation (linked below) describes what each permission level allows.
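As an added example, not from the original post or from Microsoft's documentation, here is the check and the fix in PowerShell using direct Microsoft Graph calls through the Microsoft Graph PowerShell SDK. It assumes an account allowed to update the authorization policy (Global Administrator) and the Policy.ReadWrite.Authorization scope; the three GUIDs are the guestUserRoleId values Microsoft documents for the three permission levels.

```powershell
# Added example, not from the original post: read the tenant's current guest
# permission level from the authorizationPolicy and, if it is not already the
# most restrictive value, set it and read it back. Assumes the Microsoft.Graph
# PowerShell SDK and a Global Administrator (or equivalent) account.
Import-Module Microsoft.Graph.Authentication

# The guestUserRoleId values Microsoft documents for the three portal options
$GuestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members (most inclusive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest users have limited access to properties and memberships of directory objects (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'
}
$Restricted = '2af84b1e-32c8-42b7-82bc-daa82404023b'
$PolicyUri  = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

function Get-GuestRoleId {
    (Invoke-MgGraphRequest -Method GET -Uri $PolicyUri -OutputType PSObject).guestUserRoleId
}

$current = Get-GuestRoleId
"Current guestUserRoleId: $current -> $($GuestRoleNames[$current])"

if ($current -eq $Restricted) {
    'Guest permissions are already the most restrictive; nothing to do.'
} else {
    # PATCH the singleton policy; only the one property is sent
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -ContentType 'application/json' `
        -Body (@{ guestUserRoleId = $Restricted } | ConvertTo-Json)

    # Never trust a silent PATCH: read the policy back and fail loudly if unchanged
    $after = Get-GuestRoleId
    if ($after -ne $Restricted) { throw "Update did not apply; guestUserRoleId is still $after" }
    "Updated guestUserRoleId to $after -> $($GuestRoleNames[$after])"
}
```

The portal option and the guestUserRoleId property are the same switch, so a change made here shows up immediately in External collaboration settings. Running the script read-only (everything up to the if) is also a cheap way to audit many tenants for the default value.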

Original sources:

https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions
