The Microsoft Entra authorization policy controls guest invitations via guest_invite_settings. It should be set to adminsAndGuestInviters or none, so that only specific administrative roles can invite guests, or invitations are disabled entirely.
Risk
Unrestricted invites allow broad creation of external identities. A compromised user can onboard attacker-controlled guests, gaining ongoing access to teams, sites, and apps. This erodes confidentiality, enables privilege abuse, and complicates revocation and audit.
prowler m365 --checks entra_policy_guest_invite_only_for_admin_roles
Recommendation
Apply least privilege: restrict invites to the Guest Inviter or designated admin roles (adminsAndGuestInviters), or disable invites (none).
- Require approval and justification
- Allowlist partner domains and use access reviews
- Combine with Conditional Access and cross-tenant policies for defense in depth
Remediation
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy -AllowInvitesFrom adminsAndGuestInviters
- Sign in to the Microsoft Entra admin center (https://entra.microsoft.com)
- Go to Entra ID > External Identities > External collaboration settings
- Under Guest invite settings, select "Only users assigned to specific admin roles can invite guest users" (or select "No one in the organization can invite guest users" to disable)
- Click Save
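The following audit-and-remediate script is an added example, not part of the Prowler check or of Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds Policy.ReadWrite.Authorization (Policy.Read.All is enough for the read-only audit); the -Remediate and -Target parameters are names chosen here.

```powershell
# Audit the tenant authorization policy for the guest invite setting this check
# evaluates; optionally set it to the value used in the page's remediation.
# Assumes: Microsoft.Graph SDK installed; account has Policy.ReadWrite.Authorization.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Read-only audit by default; -Remediate changes a failing policy.
    [switch]$Remediate,
    # Remediation target: adminsAndGuestInviters (default) or none.
    [ValidateSet('adminsAndGuestInviters', 'none')]
    [string]$Target = 'adminsAndGuestInviters'
)

# Values that pass the check: only admin / Guest Inviter roles may invite, or nobody.
$compliant = @('adminsAndGuestInviters', 'none')

# Graph enum value -> label shown under "Guest invite settings" in the admin center.
$labels = @{
    adminsAndGuestInviters = 'Only users assigned to specific admin roles can invite guest users'
    none                   = 'No one in the organization can invite guest users'
}

# Request only the permission the chosen mode needs.
$scope = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scope -NoWelcome

$policy  = Get-MgPolicyAuthorizationPolicy
$current = $policy.AllowInvitesFrom

if ($compliant -contains $current) {
    Write-Output "PASS: allowInvitesFrom is '$current' ($($labels[$current]))."
    return
}

Write-Warning "FAIL: allowInvitesFrom is '$current'; expected one of: $($compliant -join ', ')."

if (-not $Remediate) {
    Write-Output "Re-run with -Remediate to set it to '$Target'."
    return
}

# -WhatIf is honoured here because of SupportsShouldProcess.
if ($PSCmdlet.ShouldProcess('authorizationPolicy', "Set AllowInvitesFrom to '$Target'")) {
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy -AllowInvitesFrom $Target
    $after = (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
    Write-Output "allowInvitesFrom is now '$after' ($($labels[$after]))."
}
```

Run it without switches first to see the current value; `-Remediate -WhatIf` shows the change that would be made without applying it.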
Resource Type
NotDefined
References
- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#guest-inviter
- https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure
- https://learn.microsoft.com/nb-no/Azure/active-directory/external-identities/external-collaboration-settings-configure
- https://learn.microsoft.com/en-us/microsoft-365/solutions/limit-who-can-invite-guests?view=o365-worldwide