The Place Beyond the Guests

Last Updated on March 30, 2022 by rudyooms

This blog shows you why it is really important not to forget to lock down your guest users! In the past, I already wrote 2 blogs about locking down the Azure AD portal. Go read them first to learn why it is important to lock down your Azure AD.

After you have read those 2 blogs, it is time to divide this blog into multiple parts:

  1. The default Setting and why it’s bad
  2. Taking a good look at the groups as a guest user
  3. Changing the default setting

1. The Default Setting and why it's bad

Restricting guest access is very important because, when you have not changed anything in your tenant, a guest user can easily list all users in a specific group.

Please note that with the default setting shown above it IS NOT possible for a guest to list all users directly, but why list users when you can simply list group memberships instead?

2. Taking a good look at the groups as a Guest user

Let's see it for ourselves. Open a PowerShell session and connect to the right Azure AD tenant as the guest user.

As I told you in the first part, it isn't possible to list all users. If you don't believe me, just try it out yourself 🙂 !

But just like in old-school Active Directory, where you could easily run net group "domain users" /domain or net session \\servername and all of the users were shown, we can do the same with Azure AD!

To do so we need the UPN of the user we want to dig into... but I guess that's easy, as we only need 1 UPN to start the reconnaissance phase!

Get-AzureADUserMembership -ObjectId (Get-AzureADUser -ObjectId 'upn').UserPrincipalName

Let's take a look at the results we get back when launching this command! As an example, we are using a licensing group that makes sure all users get the proper license.

Now that we have the group object id, let's list all the members with this command: Get-AzureADGroupMember -All:$true -ObjectId 'groupid'

With this information, we can run Get-AzureADUser -ObjectId 'upn' | fl to get more information about a specific user. Please note: we can do this for every user in the group!

3. Changing the Default Setting

Normally you don't want a guest user to see the membership of any group. Of course, there are some situations in which you do not want to change this setting.

You can simply change this under User settings > Manage external collaboration settings inside the Azure AD portal.

https://portal.azure.com/#blade/Microsoft_AAD_IAM/AllowlistPolicyBlade

Of course, you could also just use PowerShell. Add this setting to your enrollment template so that when you enroll a new customer, this setting will not be forgotten.

Get-AzureADMSAuthorizationPolicy | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'

Please note: you could experience some issues with Teams, because searching for users by guests will be 'restricted' as well.
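To make the check repeatable, here is an added example script (not part of the original post) that audits the current guest user role in the authorization policy and only switches it to the restricted role when needed. It uses the same AzureADPreview cmdlets as the post and assumes an existing Connect-AzureAD session with an account that may change the authorization policy. The three role ids are the documented values for the GuestUserRoleId property; only the restricted one appears in the post itself.

```powershell
# Added example, not the post's own script. Assumes an active Connect-AzureAD
# session (AzureADPreview module) with rights to change the authorization policy.

# Documented GuestUserRoleId values (the restricted id is the one the post sets).
$GuestRole = @{
    SameAsMember = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'  # guests see what member users see
    Limited      = '10dae51f-b6af-4016-8d66-8c2a99b929b3'  # tenant default: group members are enumerable
    Restricted   = '2af84b1e-32c8-42b7-82bc-daa82404023b'  # guests cannot enumerate group memberships
}

function Get-GuestAccessLevel {
    # Reads the tenant authorization policy and maps the id to a readable name.
    $policy = Get-AzureADMSAuthorizationPolicy
    $match  = $GuestRole.GetEnumerator() | Where-Object { $_.Value -eq $policy.GuestUserRoleId }
    [pscustomobject]@{
        GuestUserRoleId = $policy.GuestUserRoleId
        Level           = if ($match) { $match.Key } else { 'Unknown' }
        Compliant       = ($policy.GuestUserRoleId -eq $GuestRole.Restricted)
    }
}

function Set-GuestAccessRestricted {
    # Idempotent remediation: only writes when the tenant is not already restricted.
    param([switch]$WhatIf)
    $state = Get-GuestAccessLevel
    if ($state.Compliant) {
        Write-Host "Guest role is already Restricted, nothing to change."
        return $state
    }
    if ($WhatIf) {
        Write-Host "Would change guest role from '$($state.Level)' to 'Restricted'."
        return $state
    }
    # Same pipeline form as the post's one-liner; the policy object carries its Id.
    Get-AzureADMSAuthorizationPolicy |
        Set-AzureADMSAuthorizationPolicy -GuestUserRoleId $GuestRole.Restricted
    Get-GuestAccessLevel
}

# Usage: audit first, then remediate. Run with -WhatIf during a change window review.
Get-GuestAccessLevel | Format-List
Set-GuestAccessRestricted -WhatIf
```

Run the audit part in your monthly tenant review, and keep the Teams caveat from the post in mind before remediating: with the restricted role, guests also lose the ability to search for people in Teams.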

Conclusion:

The option to restrict group membership enumeration, so that guest users are left in the dark, is very nice. Nothing to add...


If you are interested in some other blogs about locking down your tenant:

The return of the Azure ad Portal – Call4Cloud

The Azure AD portal strikes back – Call4Cloud when security matters
