Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 1.5 Ensure Guest Users Are Reviewed on a Regular Basis

Description

Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.

Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user.

Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Select Users
  4. Click on Add filter
  5. Select User type
  6. Select Guest from the Value drop down
  7. Click Apply
  8. Delete all Guest users that are no longer required or are inactive

From Azure CLI

Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems.

az ad user update --id <exampleaccountid@domain.com> --account-enabled {false}

After determining that there are no dependent systems delete the user.

Remove-AzureADUser -ObjectId <exampleaccountid@domain.com>

From Azure PowerShell

Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems.

Set-AzureADUser -ObjectId "<exampleaccountid@domain.com>" -AccountEnabled false

After determining that there are no dependent systems delete the user.

PS C:\>Remove-AzureADUser -ObjectId <exampleaccountid@domain.com>

Default Value

By default no guest users are created.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_1_5 --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  u.display_name as resource,
  case
    when not account_enabled then 'alarm'
    when u.created_date_time::timestamp <= (current_date - interval '30' day) then 'alarm'
    else 'ok'
  end as status,
  case
    when not account_enabled then 'Guest user ''' || u.display_name || ''' inactive.'
    else 'Guest user ''' || u.display_name || ''' was created ' || extract(day from current_timestamp - u.created_date_time::timestamp) || ' days ago.'
  end as reason,
  t.tenant_id
  
from
  azuread_user as u
  left join distinct_tenant as t on t.tenant_id = u.tenant_id
where
  u.user_type = 'Guest';

Tags

category = Compliance
cis = true
cis_item_id = 1.5
cis_level = 1
cis_section_id = 1
cis_type = manual
cis_version = v2.0.0
plugin = azure
service = Azure/ActiveDirectory