CISA.MS.AAD.8.1 - Guest users SHOULD have limited or restricted access to Azure AD directory objects.
Overview
Guest users SHOULD have limited or restricted access to Azure AD directory objects.
Rationale: Limiting the amount of object information available to guest users in the tenant reduces malicious reconnaissance exposure, should a guest account become compromised or be created by an adversary.
Remediation action
- In Entra ID and External Identities, select External collaboration settings.
- Under Guest user access, select either Guest users have limited access to properties and memberships of directory objects or Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).
- Click Save.
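The setting the steps above change is the tenant's guestUserRoleId on the Entra authorization policy. The following added example (not Maester's own Test-MtCisaGuestUserAccess) reads that value with the Microsoft Graph PowerShell SDK and reports which of the three "Guest user access" levels it corresponds to; the role-id GUIDs are taken from Microsoft's documentation of those three levels, and a connected session with Policy.Read.All consent is assumed.

```powershell
# Added example: classify the tenant's guest access level for MS.AAD.8.1.
# Assumes: Install-Module Microsoft.Graph; Connect-MgGraph -Scopes 'Policy.Read.All'
function Test-GuestUserAccessRestriction {
    [CmdletBinding()]
    param(
        # Role id to evaluate; when omitted, the live tenant value is fetched.
        [string]$GuestUserRoleId
    )

    if (-not $GuestUserRoleId) {
        # The tenant-wide "Guest user access" setting lives on the authorization policy.
        $policy = Invoke-MgGraphRequest -Method GET `
            -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
        $GuestUserRoleId = $policy.guestUserRoleId
    }

    # Role ids for the three UI options (assumed from Microsoft's documentation).
    # Only the two restrictive options satisfy MS.AAD.8.1.
    $levels = @{
        'a0b1b346-4d3e-4e8b-98f8-753987be4970' = @{
            Label     = 'Guest users have the same access as members (most inclusive)'
            Compliant = $false
        }
        '10dae51f-b6af-4016-8d66-8c2a99b929b3' = @{
            Label     = 'Guest users have limited access to properties and memberships of directory objects'
            Compliant = $true
        }
        '2af84b1e-32c8-42b7-82bc-daa82404023b' = @{
            Label     = 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'
            Compliant = $true
        }
    }

    # Hashtable literals are case-insensitive, so the GUID's casing does not matter.
    if (-not $levels.ContainsKey($GuestUserRoleId)) {
        return [pscustomobject]@{
            GuestUserRoleId = $GuestUserRoleId
            Setting         = 'Unrecognised role id'
            Compliant       = $false
        }
    }

    [pscustomobject]@{
        GuestUserRoleId = $GuestUserRoleId
        Setting         = $levels[$GuestUserRoleId].Label
        Compliant       = $levels[$GuestUserRoleId].Compliant
    }
}

# Usage: Connect-MgGraph -Scopes 'Policy.Read.All'; Test-GuestUserAccessRestriction
```

Passing `-GuestUserRoleId` lets you evaluate a value exported from another tenant without a Graph session.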
Related links
- Entra admin center - External Identities | External collaboration settings
- CISA Guest User Access - MS.AAD.8.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.8.1 |
| Severity | Medium |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaGuestUserAccess |
| Tags | CISA, CISA.MS.AAD.8.1, Entra ID Free, MS.AAD, MS.AAD.8.1 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaGuestUserAccess.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaGuestUserAccess.ps1