Ensure Guest Users Are Reviewed on a Regular Basis (Manual)

Overview

Microsoft Entra ID is extended to include Azure AD B2B collaboration, allowing you to invite people outside your organization to be guest users in your cloud account and sign in with their work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization while maintaining control over your corporate data.

Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their credentials to access your company's resources as guest users.

Guest users in every subscription should be reviewed regularly to ensure that inactive and unneeded accounts are removed.

Rationale

Guest users in the Microsoft Entra ID are generally required for collaboration purposes in Office 365 and may also be required for Azure functions in enterprises with multiple Azure tenants. Guest users are typically added outside your employee onboarding/offboarding process and could be overlooked indefinitely, leading to a potential vulnerability. To prevent this, guest users should be reviewed regularly. During this audit, guest users should also be determined not to have administrative privileges.

Impact

Before removing guest users, determine their use and scope. Like removing any user, there may be unforeseen consequences to systems if it is deleted.

Default Value

By default, there are no guest users.

Additional Information

It is good practice to use a dynamic security group to manage guest users.

To create the dynamic security group:

Navigate to the Microsoft Entra ID blade in the Azure Portal
Select the Groups item
Create new
Type of dynamic
Use the following dynamic selection rule. (user.userType -eq "Guest")
Once the group has been created, select access reviews option and create a new access review with a monthly period, and send it to relevant administrators for review.

Remediation guidance

The Cyscale identity dashboard can simplify your review process.

From Azure Portal

Open the Entra ID Users page
Click on Add filter
Select User type
Select Guest from the Value drop-down
Click Apply
Delete all Guest users that are no longer required or are inactive

From Azure CLI

Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems.

az ad user update --id <[email protected]> --account-enabled {false}

After determining that there are no dependent systems, delete the user.

Remove-AzureADUser -ObjectId <[email protected]>

From Azure PowerShell

Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems.

Set-AzureADUser -ObjectId "<[email protected]>" -AccountEnabled false

After determining that there are no dependent systems, delete the user.

PS C:\>Remove-AzureADUser -ObjectId <[email protected]>

Multiple Remediation Paths

SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.

ASSET-LEVEL: Fix only the affected resources identified by this control.

PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.

References for Service-Wide Patterns

Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.

Query logic

These are the stored checks tied to this control.

Entra Guest Users

Connectors

Microsoft Entra ID

Covered asset types

User

Expected check: eq []

{
  users(where: { userType: "Guest" }) {
    ...AssetFragment
  }
}