This blog shows you why it's really important not to forget to lock down your guest users! In the past I already wrote two blogs about locking down the Azure AD portal. Read them first to learn why locking down your Azure AD matters.
After you have read those two blogs, it's time to divide this blog into multiple parts:
- The default Setting and why it’s bad
- Taking a good look at the groups as a guest user
- Changing the default setting
1. The Default Setting and why it's bad
Restricting guest access is very important, because when you haven't changed anything in your tenant, a guest user can easily list all members of any group they can find.
Please note that with the default setting it IS NOT possible for a guest to list all users in the directory, but why bother listing users when you can simply list group memberships instead?
2. Taking a good look at the groups as a Guest user
Let's see it for ourselves. Open a PowerShell session and connect to the right Azure AD tenant as the guest user.
Like I told you in the first part, it isn't possible to list all users. If you don't believe me, just try it out yourself 🙂 !
But just like in old-school Active Directory, where you could run net group "domain users" /domain or net session \\servername and all of the users were shown, we can do the same with Azure AD!
To do so we need the UPN of the user we want to dig into... but I guess that's easy, as we only need one UPN to start the reconnaissance phase!
Get-AzureADUserMembership -ObjectId (Get-AzureADUser -ObjectId 'upn').UserPrincipalName
(The inner Get-AzureADUser is not strictly needed: -ObjectId accepts either the UPN or the object ID, so Get-AzureADUserMembership -ObjectId 'upn' gives the same result.)
Let's take a look at the results we get back when launching this command. As an example, we are using a licensing group that makes sure all users get the proper license.
Now that we have the group object ID, let's list all the members with this command: Get-AzureADGroupMember -All $true -ObjectId 'groupid'
With this information we can run Get-AzureADUser -ObjectId 'upn' | fl to get more information about the specific user. Please note... we can do this for every user in the group!
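The three steps above, chained into one script, as an added example that is not code from the original post. It starts from a single known UPN, walks the groups that user is in (nested groups included), collects every member, and can repeat the walk from the users it found. The tenant ID and seed UPN are placeholders, and Invoke-GuestGroupEnumeration is a helper name chosen here. The AzureAD module it uses has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, but the cmdlets are the ones the post uses.

```powershell
# Added example, not code from the original post. Guest-side reconnaissance with the
# AzureAD module: start from one known UPN, collect every group it belongs to, list the
# members of those groups, and optionally repeat from the users found.
# $TenantId and $SeedUpn below are placeholders that you must replace.
Import-Module AzureAD

function Invoke-GuestGroupEnumeration {
    param(
        [Parameter(Mandatory)] [string] $SeedUpn,
        # 1 = only the seed user's groups; 2 = also the groups of every user found, and so on
        [int] $MaxHops = 1
    )
    $groups   = @{}          # group ObjectId -> group object
    $users    = @{}          # user ObjectId  -> user object
    $frontier = @($SeedUpn)  # users whose memberships are read in the current hop

    for ($hop = 1; $hop -le $MaxHops -and $frontier.Count -gt 0; $hop++) {
        $nextFrontier = @()
        foreach ($userId in $frontier) {
            # -ObjectId accepts a UPN or an ObjectId; keep only groups, because directory
            # roles are returned in the same list with ObjectType 'Role'
            $memberOf = Get-AzureADUserMembership -ObjectId $userId |
                        Where-Object { $_.ObjectType -eq 'Group' }

            # Use a stack so that groups nested inside a group are expanded as well
            $todo = [System.Collections.Generic.Stack[object]]::new()
            foreach ($grp in $memberOf) { $todo.Push($grp) }
            while ($todo.Count -gt 0) {
                $g = $todo.Pop()
                if ($groups.ContainsKey($g.ObjectId)) { continue }   # already expanded
                $groups[$g.ObjectId] = $g
                foreach ($m in (Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true)) {
                    switch ($m.ObjectType) {
                        'Group' { $todo.Push($m) }
                        'User'  {
                            if (-not $users.ContainsKey($m.ObjectId)) {
                                $users[$m.ObjectId] = $m
                                $nextFrontier += $m.ObjectId
                            }
                        }
                    }
                }
            }
        }
        Write-Host ("hop {0}: {1} group(s), {2} unique user(s) so far" -f $hop, $groups.Count, $users.Count)
        $frontier = $nextFrontier
    }
    [pscustomobject]@{ Groups = @($groups.Values); Users = @($users.Values) }
}

$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: the tenant you are a guest in
$SeedUpn  = 'someone@contoso.com'                    # placeholder: the one UPN you already know

Connect-AzureAD -TenantId $TenantId | Out-Null        # sign in interactively as the guest account
$result = Invoke-GuestGroupEnumeration -SeedUpn $SeedUpn -MaxHops 2

$result.Groups | Select-Object DisplayName, ObjectId | Format-Table -AutoSize

# Step 3 of the post: read the full object of every user found. With the default guest
# role this succeeds; once the tenant uses the restricted guest role it should be denied.
$result.Users | ForEach-Object {
    $u = $_
    try   { Get-AzureADUser -ObjectId $u.ObjectId | Select-Object UserPrincipalName, DisplayName, JobTitle, Department }
    catch { Write-Warning ("denied for {0}: {1}" -f $u.ObjectId, $_.Exception.Message) }
} | Format-Table -AutoSize
```

Run it twice: once before and once after changing the guest user role described in the next part. The second run is the quickest way to confirm that the membership calls, and not just the user lookups, are now blocked for guests.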
3. Changing the Default Setting
Normally you don't want a guest user to see the membership of any group. Of course, there are some situations in which you don't want to change this setting.
You can simply change this under Users > User settings > Manage external collaboration settings in the Azure AD portal, by setting the guest user access to the most restrictive option:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/AllowlistPolicyBlade
Of course, you could also just use PowerShell. Add this setting to your enrollment template, so that when you onboard a new customer this setting is not forgotten. Note that the *-AzureADMSAuthorizationPolicy cmdlets live in the AzureADPreview module, and that the GUID below is the ID of the "Restricted guest user" role:
Get-AzureADMSAuthorizationPolicy | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
Please note that you could run into some issues with Teams, because guests searching for users in the people picker will be restricted by this setting as well.
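A slightly more defensive version of the one-liner above, as an added example that is not code from the original post: it reads the current authorization policy, maps the GuestUserRoleId to its meaning, only changes it when needed, and verifies the change afterwards, which is what you want in an onboarding script. Get-GuestRoleState is a helper name chosen here; the three role IDs are the values Microsoft documents for the authorization policy. It assumes the AzureADPreview module and a Global Administrator sign-in.

```powershell
# Added example, not code from the original post. Reads the tenant's authorization
# policy, switches the guest user role to "Restricted guest user" if it is not already
# set, and checks the result. Requires AzureADPreview (Set-AzureADMSAuthorizationPolicy
# lives there) and an admin account in the tenant you are hardening.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# The three GuestUserRoleId values the authorization policy accepts
$GuestRoles = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest users have limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted guest user (cannot read group membership)'
}
$Restricted = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Get-GuestRoleState {
    $policy = Get-AzureADMSAuthorizationPolicy
    [pscustomobject]@{
        PolicyId        = $policy.Id
        GuestUserRoleId = $policy.GuestUserRoleId
        Meaning         = $GuestRoles[$policy.GuestUserRoleId]
        IsRestricted    = ($policy.GuestUserRoleId -eq $Restricted)
    }
}

$before = Get-GuestRoleState
"Before: {0} ({1})" -f $before.GuestUserRoleId, $before.Meaning

if (-not $before.IsRestricted) {
    # -Id is the policy object's own ID, so the same call works without the pipeline
    Set-AzureADMSAuthorizationPolicy -Id $before.PolicyId -GuestUserRoleId $Restricted
}

$after = Get-GuestRoleState
"After:  {0} ({1})" -f $after.GuestUserRoleId, $after.Meaning
if (-not $after.IsRestricted) {
    throw 'Guest user role was not changed; check the role of the account you signed in with.'
}
```

Because the script is idempotent, you can run it on every onboarding and on a schedule as a drift check: if someone relaxes the setting in the portal, the next run puts it back and the before/after lines make the change visible in your logs.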
Conclusion:
Being able to restrict group membership enumeration, so that guest users are kept in the dark, is very nice. Nothing to add...
If you are interested in some other blogs about locking down your tenant:
The return of the Azure ad Portal – Call4Cloud
The Azure AD portal strikes back – Call4Cloud when security matters