Control: 5.15 Ensure Guest Users are reviewed at least biweekly
Description
Guest accounts can be set up so that users outside your tenant can still be granted access to resources. It is important to maintain visibility into which guest users exist in the tenant.
Periodic review of guest users ensures proper access to resources in your tenant.
Remediation
To view guest users, use the Microsoft 365 Admin Center:
- Log in as an administrator.
- Navigate to Users and Guest Users.
- Review the list of users.
 
To list guest users, use the Microsoft Online PowerShell Module:
- Run Microsoft Online PowerShell Module.
- Connect using Connect-MsolService.
- Run the following PowerShell command:
 
Get-MsolUser -all | Where-Object {$_.UserType -ne "Member"} | Select-Object UserPrincipalName, UserType, CreatedDate
- Review the list of users.
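
An added example, not part of the original page or the CIS benchmark: a Python helper that compares the command's output from two review cycles, so each biweekly review focuses on accounts that were added, removed, or deleted and re-invited. It assumes the output was saved as CSV with ISO-formatted dates; the sample rows, the file layout and the function names are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

REVIEW_INTERVAL = timedelta(days=14)  # "at least biweekly" from the control title

# Constructed sample exports; the CSV layout and ISO dates are assumptions.
PREVIOUS_CSV = """UserPrincipalName,UserType,CreatedDate
alice_partner.example#EXT#@tenant.example,Guest,2024-01-10T09:00:00
bob_vendor.example#EXT#@tenant.example,Guest,2024-02-01T12:30:00
carol_vendor.example#EXT#@tenant.example,Guest,2024-02-03T08:15:00
"""
CURRENT_CSV = """UserPrincipalName,UserType,CreatedDate
Alice_partner.example#EXT#@tenant.example,Guest,2024-01-10T09:00:00
carol_vendor.example#EXT#@tenant.example,Guest,2024-03-12T16:45:00
dave_audit.example#EXT#@tenant.example,Guest,2024-03-11T10:00:00
legacy.sync@tenant.example,,2019-06-01T00:00:00
erin@tenant.example,Member,2023-05-05T00:00:00
"""


def load_guests(csv_text):
    """Map lower-cased UPN -> creation time for every row that is not a Member."""
    # Mirrors the page's filter (-ne "Member"), so an empty UserType is kept too.
    guests = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["UserType"] or "").strip().lower() != "member":
            upn = row["UserPrincipalName"].strip().lower()
            guests[upn] = datetime.fromisoformat(row["CreatedDate"].strip())
    return guests


def compare_reviews(previous_csv, current_csv):
    """Classify accounts by what changed since the previous review's export."""
    prev, cur = load_guests(previous_csv), load_guests(current_csv)
    shared = set(prev) & set(cur)
    return {
        "added": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        # Same UPN, different creation time: deleted and invited again.
        "recreated": sorted(u for u in shared if prev[u] != cur[u]),
        "unchanged": sorted(u for u in shared if prev[u] == cur[u]),
    }


def review_overdue(last_review, now):
    """True when more than the biweekly interval has passed since last_review."""
    return now - last_review > REVIEW_INTERVAL
```
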
 
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v140_5_15
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v140_5_15 --share
SQL
This control uses a named query:
select
  id as resource,
  case
    when user_type = 'Guest' then 'info'
    else 'skip'
  end as status,
  case
    when user_type = 'Guest' then display_name || ' is guest user.'
    else display_name || ' is ' || user_type || ' user.'
  end as reason
  , tenant_id as tenant_id
from
  azuread_user;