Azure-ActiveDirectory-Ensure-No-Guest-User

Severity: High

Description: This control ensures that guest users are reviewed and removed on a timely basis. Guest users are usually invited from outside the company structure. Because they are not part of the onboarding/offboarding process, they can be overlooked, causing security vulnerabilities.

Remediation Steps:

Perform the following to remove all non-required guest users:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Go to Azure Active Directory service.

  3. Go to Users.

  4. Select All Users.

  5. Click on Add filters.

  6. Select User type as Guest and apply the filter.

  7. Delete all guest users that are no longer required or are inactive.
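Steps 6 and 7 can also be run as a review over an exported user list. The following is an added example, not part of the original control: it filters a Microsoft Graph user export to guests and flags the ones that look inactive. The 90-day threshold, the function names and the sample accounts are assumptions made for the example; deletion itself stays a manual decision.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a Microsoft Graph "list users" response; no real accounts.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"userPrincipalName": "alice_fabrikam.example#EXT#@contoso.example", "userType": "Guest",
  "externalUserState": "Accepted", "createdDateTime": "2023-01-10T09:00:00Z",
  "signInActivity": {"lastSignInDateTime": "2024-05-20T08:30:00Z"}},
 {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "Guest",
  "externalUserState": "Accepted", "createdDateTime": "2022-06-01T12:00:00Z",
  "signInActivity": {"lastSignInDateTime": "2023-11-02T17:45:00Z"}},
 {"userPrincipalName": "carol_fabrikam.example#EXT#@contoso.example", "userType": "Guest",
  "externalUserState": "PendingAcceptance", "createdDateTime": "2023-12-01T10:00:00Z",
  "signInActivity": null},
 {"userPrincipalName": "dave@contoso.example", "userType": "Member",
  "externalUserState": null, "createdDateTime": "2020-02-02T08:00:00Z",
  "signInActivity": {"lastSignInDateTime": "2022-01-01T00:00:00Z"}},
 {"userPrincipalName": "erin_fabrikam.example#EXT#@contoso.example", "userType": "Guest",
  "externalUserState": "Accepted", "createdDateTime": "2024-05-15T10:00:00Z",
  "signInActivity": null}
]}
""")

def _ts(value):
    """Parse a Graph ISO 8601 UTC timestamp; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def review_guests(users, now, max_idle_days=90):
    """Return (userPrincipalName, reason) for guests that need review."""
    cutoff = now - timedelta(days=max_idle_days)  # assumed threshold, not from the control
    findings = []
    for user in users:
        if user.get("userType") != "Guest":   # step 6: keep guests only
            continue
        last = _ts((user.get("signInActivity") or {}).get("lastSignInDateTime"))
        created = _ts(user.get("createdDateTime"))
        reference = last or created           # no sign-in on record: judge by account age
        if reference is not None and reference >= cutoff:
            continue                          # recently active or recently invited
        if user.get("externalUserState") == "PendingAcceptance":
            reason = "invitation never redeemed"
        elif last is None:
            reason = "no sign-in on record"
        else:
            reason = "no sign-in since " + last.date().isoformat()
        findings.append((user["userPrincipalName"], reason))
    return findings

if __name__ == "__main__":
    for upn, reason in review_guests(SAMPLE_EXPORT["value"], datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(upn, "->", reason)
```

A real export needs `signInActivity` requested explicitly in the Graph query, which requires the `AuditLog.Read.All` permission; without it every guest falls back to being judged by account age.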

Important:

  • This control is not applicable for Azure Government.

  • It is good practice to use a dynamic group to manage guest users.

Reference:

Blue Hexagon Proprietary