turbot/steampipe-mod-azure-compliance

Query: ad_authorization_policy_guest_user_access_restricted

Usage

powerpipe query azure_compliance.query.ad_authorization_policy_guest_user_access_restricted

SQL

-- One row per tenant/subscription, used for the display name and tenant_id dimension.
with distinct_tenant as (
  select
    distinct tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  id as resource,
  -- 'ok' only when the guest user role is the restricted role ID described in the reason text.
  case
    when guest_user_role_id = '2af84b1e-32c8-42b7-82bc-daa82404023b' then 'ok'
    else 'alarm'
  end as status,
  case
    when guest_user_role_id = '2af84b1e-32c8-42b7-82bc-daa82404023b' then t.display_name || ' guest user access is restricted to properties and memberships of their own directory objects.'
    else t.display_name || ' guest user access is not at most restrictive; guest_user_role_id=' || coalesce(guest_user_role_id, '<null>') || '.'
  end as reason,
  t.tenant_id
from
  -- No join condition: each tenant row is paired with each authorization policy row.
  distinct_tenant as t,
  azuread_authorization_policy;

Controls

The query is being used by the following controls: