CISA.MS.AAD.8.3 - Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.
Overview
Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.
Rationale: Limiting which domains can be invited to create guest accounts in the tenant helps reduce the risk of users from unauthorized external organizations getting access.
⚠️ WARNING: This test utilizes a technical mechanism that differs from CISA's, though the outcome is the same.
Remediation action:
- In the Entra admin center, select External Identities, then Cross-tenant access settings.
- Under Default settings, select Edit inbound defaults.
- Under B2B collaboration > External users and groups, ensure Access status is set to Block access.
- Under B2B collaboration > Applications, ensure Access status is set to Block access.
With inbound defaults blocked, B2B collaboration is only possible with the Entra tenants you explicitly allow under Organizational settings; CISA's own check instead looks at the allow list of invitable domains, which is why the mechanism differs while the outcome (only authorized external organizations can be invited) is the same. Note that cross-tenant access settings govern other Entra tenants only; remember to add each authorized partner tenant under Organizational settings before blocking the default, or existing collaboration with that tenant will break.
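The following PowerShell is an added example, not Maester's own `Test-MtCisaCrossTenantInboundDefault` implementation. It reads the default cross-tenant access policy through Microsoft Graph, reports the same two inbound B2B collaboration settings the remediation steps above refer to, and with `-Remediate` applies the same change as the admin-center steps. It assumes the `Microsoft.Graph.Authentication` module and an existing `Connect-MgGraph` session with `Policy.Read.All` (plus `Policy.ReadWrite.CrossTenantAccess` for remediation); the function name `Test-InboundDefaultBlocked` is the example's own.

```powershell
# Added example (not part of Maester or the original page).
# Requires: Import-Module Microsoft.Graph.Authentication
#           Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.CrossTenantAccess'

function Test-InboundDefaultBlocked {
    [CmdletBinding()]
    param(
        # Apply the same change as the admin-center remediation steps.
        [switch]$Remediate
    )

    # Default settings that apply to every Entra tenant without an explicit
    # partner (Organizational settings) entry.
    $uri = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default'
    $policy  = Invoke-MgGraphRequest -Method GET -Uri $uri
    $inbound = $policy.b2bCollaborationInbound

    $findings = @()
    if ($inbound.usersAndGroups.accessType -ne 'blocked') {
        $findings += "B2B collaboration inbound > External users and groups is '$($inbound.usersAndGroups.accessType)', expected 'blocked'"
    }
    if ($inbound.applications.accessType -ne 'blocked') {
        $findings += "B2B collaboration inbound > Applications is '$($inbound.applications.accessType)', expected 'blocked'"
    }

    if ($findings.Count -eq 0) {
        Write-Host 'PASS: default inbound B2B collaboration is set to Block access' -ForegroundColor Green
        return $true
    }

    $findings | ForEach-Object { Write-Warning $_ }

    if ($Remediate) {
        # The PATCH replaces the whole b2bCollaborationInbound object, so both
        # settings are sent together. AllUsers / AllApplications are the
        # documented targets of the default policy.
        $body = @{
            b2bCollaborationInbound = @{
                usersAndGroups = @{
                    accessType = 'blocked'
                    targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
                }
                applications = @{
                    accessType = 'blocked'
                    targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
                }
            }
        }
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
            -Body ($body | ConvertTo-Json -Depth 10)
        Write-Host 'Default inbound B2B collaboration set to Block access. Add each authorized tenant under Organizational settings.'
    }

    return $false
}

# Audit only:
Test-InboundDefaultBlocked
# Audit and remediate:
# Test-InboundDefaultBlocked -Remediate
```

Run the audit form first and review the warnings; only pass `-Remediate` once every partner tenant that legitimately collaborates with you has its own entry under Organizational settings, because blocking the default applies immediately to every tenant without one.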
Related links
- Entra admin center - External Identities | Cross-tenant access settings
- CISA 8 Guest User Access - MS.AAD.8.3v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.8.3 |
| Severity | Medium |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaCrossTenantInboundDefault |
| Tags | CISA, CISA.MS.AAD.8.3, Entra ID Free, MS.AAD, MS.AAD.8.3 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaCrossTenantInboundDefault.ps1