This check verifies that the Microsoft Entra authorization policy sets guest user access restrictions to the most restrictive level, where a guest can read only its own directory object and its own memberships ("Guest user access is restricted to properties and memberships of their own directory objects").
Risk
Without this restriction, guests can read directory metadata and group memberships beyond their own object, which enables reconnaissance of users, groups and collaboration structure and harms confidentiality. A compromised guest account then has the context it needs for targeted phishing and privilege escalation, risking unauthorized changes (integrity) and disruption of collaboration spaces (availability).
prowler m365 --checks entra_policy_guest_users_access_restrictions
Recommendation
Set guest access to the most restrictive level (Guest user access is restricted...) to enforce least privilege.
- Avoid assigning admin roles to guests
- Use time-bound access with approvals
- Apply Conditional Access and limit group visibility
- Run periodic access reviews for defense in depth
Remediation
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
- Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
- Go to Identity > External Identities > External collaboration settings
- Under Guest user access, select: "Guest user access is restricted to properties and memberships of their own directory objects"
- Click Save
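The following is an added example, not Prowler's own check code or Microsoft's. It shows the logic behind both the check and the remediation: it reads the authorization policy object as returned by Microsoft Graph (GET /policies/authorizationPolicy, which needs Policy.Read.All), classifies guestUserRoleId against the three role templates Entra accepts, and builds the PATCH body that makes the same change as the Update-MgPolicyAuthorizationPolicy cmdlet above. The two sample policy objects are constructed for the demo; the three template GUIDs are Microsoft's documented values.

```python
"""Evaluate a Microsoft Entra authorization policy for the guest access level.

Added example (not Prowler's own check code). It consumes the JSON object
returned by Microsoft Graph GET /policies/authorizationPolicy and reports
whether guestUserRoleId is the most restrictive template.
"""
import json
import urllib.request

# Role template IDs Entra accepts for guestUserRoleId (documented by Microsoft).
GUEST_SAME_AS_MEMBER = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
GUEST_LIMITED = "10dae51f-b6af-4016-8d66-8c2a99b929b3"     # tenant default
GUEST_RESTRICTED = "2af84b1e-32c8-42b7-82bc-daa82404023b"  # most restrictive

GUEST_ROLE_LABELS = {
    GUEST_SAME_AS_MEMBER: "Guest users have the same access as members",
    GUEST_LIMITED: "Guest users have limited access to properties and memberships of directory objects",
    GUEST_RESTRICTED: "Guest user access is restricted to properties and memberships of their own directory objects",
}


def evaluate_guest_access(policy: dict) -> tuple:
    """Return ("PASS" | "FAIL", reason) for one authorization policy object."""
    # GUIDs are case-insensitive; normalise before comparing.
    role_id = (policy.get("guestUserRoleId") or "").lower()
    if not role_id:
        # Graph always returns this field; an empty value means the response is
        # not what we expect, so fail closed instead of assuming the default.
        return "FAIL", "guestUserRoleId missing from authorization policy"
    label = GUEST_ROLE_LABELS.get(role_id, f"unknown template {role_id}")
    if role_id == GUEST_RESTRICTED:
        return "PASS", f"Guest access level: {label}"
    return "FAIL", f"Guest access level: {label}; expected: {GUEST_ROLE_LABELS[GUEST_RESTRICTED]}"


def remediation_body() -> dict:
    """PATCH body for /policies/authorizationPolicy that sets the restricted
    level (same change as Update-MgPolicyAuthorizationPolicy -GuestUserRoleId).
    Writing it requires Policy.ReadWrite.Authorization."""
    return {"guestUserRoleId": GUEST_RESTRICTED}


def fetch_authorization_policy(access_token: str) -> dict:
    """Live read of the tenant policy via Graph. Not called in the offline demo;
    the caller supplies a token that carries Policy.Read.All."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/policies/authorizationPolicy",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample responses: the shape of the Graph object with illustrative values.
SAMPLE_DEFAULT_TENANT = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "guestUserRoleId": GUEST_LIMITED,
    "allowInvitesFrom": "everyone",
}
# Same tenant after remediation; upper-case GUID exercises the normalisation.
SAMPLE_HARDENED_TENANT = {**SAMPLE_DEFAULT_TENANT, "guestUserRoleId": GUEST_RESTRICTED.upper()}

if __name__ == "__main__":
    for name, policy in (("default", SAMPLE_DEFAULT_TENANT), ("hardened", SAMPLE_HARDENED_TENANT)):
        status, reason = evaluate_guest_access(policy)
        print(f"{name}: {status} - {reason}")
    print("remediation PATCH body:", json.dumps(remediation_body()))
```

Unknown GUIDs and a missing field both produce FAIL with a reason that names the value seen, so a tenant with an unexpected template is surfaced for a human to look at rather than silently treated as compliant.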
Resource Type
NotDefined
References
- https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#member-and-guest-users
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/azure/ActiveDirectory/restrict-guest-user-access.html
- https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions