More Info:

Avoid creating guest users, as they are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely leading to a potential vulnerability.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Remediation

Using Console

The presence of guest users in an Azure Active Directory (AD) can pose a security risk. Here are the steps to remediate the issue of guest users in use in Azure:

  1. Sign in to the Azure portal using your administrator credentials.
  2. In the left-hand menu, click on “Azure Active Directory”.
  3. Under “Manage”, select “Users”.
  4. On the “Users” page, click on the “Guest users” tab.
  5. Review the list of guest users to determine which ones need to be removed.
  6. Select the guest user that you want to remove by clicking on the checkbox next to their name.
  7. Click on the “Remove” button at the top of the screen.
  8. Confirm that you want to remove the guest user by clicking “Yes” in the confirmation dialog box.

Repeat steps 6-8 for each guest user that you want to remove.

Note: Before removing a guest user, make sure that they no longer require access to any resources in your Azure environment.

Using CLI

The “Guest Users in Use” misconfiguration in Azure refers to the presence of external users who have access to your Azure Active Directory tenant. To remediate this misconfiguration, you can follow the below steps using Azure CLI:

  1. Run the following command to list all the external/guest users in your Azure Active Directory tenant:

    az ad user list --query "[?userType=='Guest']"

  2. Identify the guest users that should not have access to your Azure resources.

  3. Run the following command to remove a guest user:

    az ad user delete --id <guest-user-object-id>

    Replace <guest-user-object-id> with the object ID of the guest user you want to remove.

  4. Repeat step 3 for all the guest users that should not have access to your Azure resources.

  5. After removing the guest users, you can also disable external sharing for your Azure Active Directory tenant by running the following command:

    az ad domaingroup update --id <object-id-of-the-external-users-group> --set "securityEnabled=true"

    Replace <object-id-of-the-external-users-group> with the object ID of the group that contains all the external users in your Azure Active Directory tenant.

By following these steps, you can remediate the “Guest Users in Use” misconfiguration in Azure using Azure CLI.

Using Python

The misconfiguration “Guest Users In Use” occurs when guest users are granted access to Azure resources. To remediate this issue, we can use the Azure Python SDK to write a script that will identify the guest users and remove their access.

Here are the steps to remediate “Guest Users In Use” for Azure using Python:

  1. Install the Azure Python SDK by running the command pip install azure-mgmt-resource.

  2. Authenticate with Azure using your Azure account credentials. You can do this by using the ServicePrincipalCredentials class from the Azure Python SDK. Here’s an example:

from azure.common.credentials import ServicePrincipalCredentials

TENANT_ID = '<your tenant id>'
CLIENT_ID = '<your client id>'
CLIENT_SECRET = '<your client secret>'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT_ID,
    secret=CLIENT_SECRET,
    tenant=TENANT_ID
)
  1. Use the Azure Python SDK to list all the guest users in your Azure AD tenant. You can do this by using the GraphRbacManagementClient class from the Azure Python SDK. Here’s an example:
from azure.graphrbac import GraphRbacManagementClient
from azure.graphrbac.models import UserFilter

graph_client = GraphRbacManagementClient(credentials, TENANT_ID)

guest_users = graph_client.users.list(filter="userType eq 'Guest'")
for guest_user in guest_users:
    print(guest_user.userPrincipalName)
  1. Use the Azure Python SDK to remove the guest users’ access to Azure resources. You can do this by using the RoleAssignmentsOperations class from the Azure Python SDK. Here’s an example:
from azure.mgmt.authorization import AuthorizationManagementClient

authorization_client = AuthorizationManagementClient(credentials, subscription_id)

for guest_user in guest_users:
    role_assignments = authorization_client.role_assignments.list_for_principal(
        guest_user.object_id,
        filter="atScope()",
        expand="roleDefinition"
    )
    for role_assignment in role_assignments:
        authorization_client.role_assignments.delete(
            role_assignment.scope,
            role_assignment.name
        )

This script will remove the guest users’ access to all Azure resources in your subscription. You can schedule this script to run periodically to ensure that guest users do not have access to your Azure resources.