CISA.MS.AAD.8.2 - Only users with the Guest Inviter role SHOULD be able to invite guest users.
Overview
Only users with the Guest Inviter role SHOULD be able to invite guest users.
Rationale: By only allowing an authorized group of individuals to invite external users to create accounts in the tenant, an agency can enforce a guest user account approval process, reducing the risk of unauthorized account creation.
Remediation action:
- In Entra ID and External Identities, select External collaboration settings.
- Under Guest invite settings, select Only users assigned to specific admin roles can invite guest users or No one in the organization can invite guest users including admins (most restrictive).
- Click Save.
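As an added example (not the Maester Test-MtCisaGuestInvitation source itself), the following PowerShell reads the setting behind the portal steps above through Microsoft Graph and evaluates it the way the test does, with an optional switch to apply the recommended value. It assumes the Microsoft.Graph.Authentication module is installed and a session holding Policy.Read.All (Policy.ReadWrite.Authorization is additionally required for -Remediate).

```powershell
# Added example, not the Maester Test-MtCisaGuestInvitation source: evaluates MS.AAD.8.2
# against the tenant authorization policy returned by Microsoft Graph.
# Assumes Microsoft.Graph.Authentication is installed and Connect-MgGraph has been run
# with Policy.Read.All (plus Policy.ReadWrite.Authorization when using -Remediate).
function Test-GuestInviteRestriction {
    [CmdletBinding()]
    param (
        # Apply the recommended value instead of only reporting the current one.
        [switch]$Remediate
    )

    # The portal's "Guest invite settings" choices map to allowInvitesFrom on the
    # tenant's single authorization policy:
    #   everyone                         - anyone, including guests and non-admins
    #   adminsGuestInvitersAndAllMembers - member users and specific admin roles
    #   adminsAndGuestInviters           - only specific admin roles (compliant)
    #   none                             - no one, including admins (compliant, most restrictive)
    $compliant = @('adminsAndGuestInviters', 'none')
    $uri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

    $policy  = Invoke-MgGraphRequest -Method GET -Uri $uri
    $current = $policy.allowInvitesFrom

    if ($Remediate -and $current -notin $compliant) {
        # PATCH only this property so the rest of the policy is left untouched,
        # then re-read the policy to report what the tenant actually holds now.
        Invoke-MgGraphRequest -Method PATCH -Uri $uri `
            -Body @{ allowInvitesFrom = 'adminsAndGuestInviters' } | Out-Null
        $current = (Invoke-MgGraphRequest -Method GET -Uri $uri).allowInvitesFrom
    }

    $passed = $current -in $compliant
    [pscustomobject]@{
        TestId           = 'CISA.MS.AAD.8.2'
        Passed           = $passed
        AllowInvitesFrom = $current
        Message          = if ($passed) {
            "Guest invitations are restricted to admin roles only ('$current')."
        } else {
            "Expected 'adminsAndGuestInviters' or 'none' but found '$current'."
        }
    }
}

# Usage: report only. Add Policy.ReadWrite.Authorization to the scopes and pass -Remediate to fix.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
Test-GuestInviteRestriction | Format-List
```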
Related links
- Entra admin center - External Identities | External collaboration settings
- CISA Guest User Access - MS.AAD.8.2v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.8.2 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaGuestInvitation |
| Tags | CISA, CISA.MS.AAD.8.2, Entra ID Free, MS.AAD, MS.AAD.8.2 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaGuestInvitation.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaGuestInvitation.ps1