Control: Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Description
Limit guest user permissions.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.ad_authorization_policy_guest_user_access_restricted
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.ad_authorization_policy_guest_user_access_restricted --share
SQL
This control uses a named query:
with distinct_tenant as (
  select distinct
    tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  id as resource,
  case
    when guest_user_role_id = '2af84b1e-32c8-42b7-82bc-daa82404023b' then 'ok'
    else 'alarm'
  end as status,
  case
    when guest_user_role_id = '2af84b1e-32c8-42b7-82bc-daa82404023b' then t.display_name || ' guest user access is restricted to properties and memberships of their own directory objects.'
    else t.display_name || ' guest user access is not at most restrictive; guest_user_role_id=' || coalesce(guest_user_role_id, '<null>') || '.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t,
  azuread_authorization_policy;
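The query's pass/fail logic reduces to one comparison: the tenant's authorization policy must carry the "restricted guest" role template id, and anything else, including a null value, is an alarm. The following Python is an added example (not part of the azure_compliance mod) that reproduces that evaluation offline against constructed authorizationPolicy records, so the status and reason strings can be checked without a Steampipe connection. The two other GUIDs in the mapping are the alternative values Microsoft Graph documents for guestUserRoleId; they are not on this page and are included only to make alarms readable during triage. Tenant names and policies in the sample are made up.

```python
"""Offline mirror of the control's CASE logic (added example; not mod code)."""

# Role template IDs Microsoft Graph accepts for authorizationPolicy.guestUserRoleId,
# ordered from most to least permissive. Only the last one appears in the control.
GUEST_ROLE_LEVELS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "same access as members",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "limited access to properties and memberships of directory objects",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted to properties and memberships of their own directory objects",
}
RESTRICTED_GUEST_ROLE_ID = "2af84b1e-32c8-42b7-82bc-daa82404023b"


def evaluate_guest_access(tenant_display_name, policy):
    """Return (status, reason) with the same wording as the control's SQL.

    `policy` is a dict shaped like a Graph authorizationPolicy object. A missing
    or null guestUserRoleId is shown as '<null>' and is an alarm, because the
    SQL equality test against the GUID is not true for NULL.
    """
    role_id = policy.get("guestUserRoleId")
    if role_id == RESTRICTED_GUEST_ROLE_ID:
        return "ok", (f"{tenant_display_name} guest user access is restricted to "
                      "properties and memberships of their own directory objects.")
    shown = role_id if role_id is not None else "<null>"
    return "alarm", (f"{tenant_display_name} guest user access is not at most restrictive; "
                     f"guest_user_role_id={shown}.")


def describe_guest_role(role_id):
    """Human-readable meaning of a guestUserRoleId, for triaging alarms."""
    return GUEST_ROLE_LEVELS.get(role_id, "unknown role template id")


# Constructed sample tenants: one compliant, one on the default level, one with
# no value returned at all.
SAMPLE_TENANTS = [
    ("Contoso", {"guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"}),
    ("Fabrikam", {"guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3"}),
    ("Woodgrove", {"guestUserRoleId": None}),
]


def run_samples(tenants=SAMPLE_TENANTS):
    """Evaluate each tenant; return a list of (name, status, reason, level)."""
    results = []
    for name, policy in tenants:
        status, reason = evaluate_guest_access(name, policy)
        level = describe_guest_role(policy.get("guestUserRoleId"))
        results.append((name, status, reason, level))
    return results


if __name__ == "__main__":
    for name, status, reason, level in run_samples():
        print(f"{status:5}  {reason}  [{level}]")
```

The control joins every tenant row against the single authorization policy row with no join condition, so each tenant reports the same policy value; the sample above keeps one policy per tenant only to exercise all three outcomes.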