Control: 1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
Description
Restrict invitations to users with specific administrative roles only.
Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.
By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Azure Active Directory
. - Then
External Identities
. - Select
External collaboration settings
. - Under
Guest invite settings
, forGuest invite restrictions
, ensure thatOnly users assigned to specific admin roles can invite guest users
is selected.
Default Value
By default, Guest invite restrictions
is set to Anyone in the organization can invite guest users including guests and non-admins
.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_1_16
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_1_16 --share
SQL
This control uses a named query:
ad_manual_control