Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 5.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]'

Description

Restrict invitations to either users with specific administrative roles or no one.

Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.

By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.

Remediation

Remediate from Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.
  3. Under Manage, select External Identities.
  4. Select External collaboration settings.
  5. Under Guest invite settings, set Guest invite restrictions to either Only users assigned to specific admin roles can invite guest users or No one in the organization [...].
  6. Click Save.

Remediate from Powershell

Enter the following:

Connect-MgGraph
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters"

Alternatively, to set this to the most restrictive No one in the organization [...] enter the following:

Connect-MgGraph
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "none"

Default Value

By default, Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_5_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_16 --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  id as resource,
  case
    when allow_invites_from in ('adminsAndGuestInviters', 'none') then 'ok'
    else 'alarm'
  end as status,
  case
    when allow_invites_from = 'none'
      then t.display_name || ' guest invitations disabled (no one).'
    when allow_invites_from = 'adminsAndGuestInviters'
      then t.display_name || ' guest invitations restricted to specific admin roles.'
    else
      t.display_name || ' guest invitations are too permissive: allow_invites_from=' || coalesce(allow_invites_from, '<null>') || '.'
  end as reason,
  t.tenant_id
  
from
  distinct_tenant as t,
  azuread_authorization_policy;

Tags

category = Compliance
cis = true
cis_item_id = 5.16
cis_level = 2
cis_section_id = 5
cis_type = automated
cis_version = v5.0.0
plugin = azure
service = Azure