Uncover the Hidden Risks in Your Entra Environment


Understanding Guest Account Risks in Microsoft Entra ID

Inviting guest users into a Microsoft Entra ID tenant can expose the organization to a risk that few security teams account for. A gap in how Azure subscription governance intersects with guest access lets a guest user create a subscription directly in the resource tenant, or transfer one in, while keeping full Owner rights over it. The resulting access lives outside the Entra directory roles that most teams audit, so it is easy to miss.

The Mechanics of Guest User Access

To exploit this gap, a guest user needs two things: a billing role that allows them to create subscriptions against a billing account in their home tenant, and an invitation to the target tenant as a guest. Once invited, the guest can create new subscriptions that are placed in the resource tenant while being billed to their home billing account, or create them at home and transfer them across; in either case they keep complete control of the subscription. An account that was granted only limited guest permissions thereby obtains privileged access to resources inside the tenant.

Many organizations treat guest accounts as low risk because they are temporary and narrowly scoped. That assumption leaves blind spots: a guest-created subscription gives an attacker a foothold inside the resource tenant from which to gather information, move laterally, and persist.

How Guest Subscription Creation Works

Understanding Permission Setups

The exploit hinges on how Microsoft structures permissions. Security teams usually reason about two permission systems: Entra ID directory roles, which govern identity administration, and Azure role-based access control (RBAC) roles, which govern access to resources. A third system is easy to overlook: billing roles. These are assigned at the billing account level (for example, billing account owner or contributor) and are administered separately from both Entra directory roles and Azure RBAC.

A principal holding a suitable billing role can create subscriptions under that billing account, including into a tenant where they are only a guest, or transfer existing subscriptions into it. A security team that audits only Entra directory roles, or only the RBAC assignments on subscriptions it already knows about, will never see this path.

The Invitation Process

Once a guest accepts an invitation to a resource tenant, they sign in through their home tenant and are federated into the resource tenant. The resource tenant does not control that sign-in: unless its Conditional Access policies explicitly target guest users, or it trusts the home tenant's MFA claims through cross-tenant access settings, controls such as multi-factor authentication are not enforced on the guest. So an identity that is usually regarded as low-privilege can, if it holds a billing role at home, escalate to subscription Owner in the resource tenant.

The Steps to Elevated Access

An attacker can use a guest account to gain elevated access through the following steps:

  1. Compromise a user who holds a billing role, or simply sign up for an Azure free trial, which provisions a billing account the attacker controls.
  2. Get invited as a guest user into the targeted Entra tenant.
  3. Sign in to the Azure Portal, switch to the target tenant's directory, and create a subscription there, billed to the attacker's billing account. The subscription appears in the target tenant, not in the attacker's own.
  4. Receive the Azure RBAC Owner role on the new subscription automatically, as its creator.

Real Risks of Guest-created Subscriptions

Once the attacker owns a subscription inside another organization's tenant, their range of capabilities expands dramatically. Actions that would normally be blocked for a guest become viable:

  • Visibility into Privileged Accounts: A guest cannot normally enumerate privileged users in the directory, but as Owner of the subscription they can read every role assignment that applies to it, including those inherited from parent management groups. That exposes which principals hold elevated Azure roles, a ready-made list of high-value targets for later attacks.

  • Modifying Security Policies: Owner includes write access to policy assignments and to Microsoft Defender for Cloud settings scoped to the subscription, so the attacker can weaken or switch off security policies and alerting on the resources they control, making their activity harder to detect.

  • Creating User-Managed Identities: A guest Owner can create user-assigned managed identities and bind them to workloads in the subscription. These identities are legitimate service principals in the resource tenant, which broadens the attacker's footprint, and the workloads themselves provide infrastructure inside the organization's own cloud estate from which to phish legitimate administrators.

  • Exploiting Device Policies: Devices can be registered with the tenant from the attacker's subscription, for example by Entra-joining a virtual machine the attacker creates there. If dynamic groups key membership on device attributes such as compliance state, an attacker-controlled device can be swept into a group and inherit whatever access that group carries.

Heightened Security Concerns

Guest subscription creation is not merely a theoretical issue. BeyondTrust's researchers report observing attackers creating and controlling subscriptions in victim tenants this way, achieving privilege escalation that often goes unnoticed. Conventional Azure security practice does not account for this path, which leaves an unrecognized and readily accessible route to privilege escalation.

The issue is particularly pronounced in B2B scenarios, where guest users from many organizations interact with the tenant. Many organizations that rely on Entra ID B2B collaboration remain unaware of the paths to privilege that guest accounts can introduce.

Mitigating the Risks

To guard against guest-created subscriptions, Microsoft provides tenant-wide Subscription Policies (Azure portal: Subscriptions, then Manage Policies). Setting "Subscriptions entering Microsoft Entra ID directory" to "Permit no one" blocks guests, and everyone else not listed as an exempted user, from creating subscriptions into the tenant or transferring them in; the companion setting for subscriptions leaving the directory should be locked down the same way. Changing these policies requires a Global Administrator who has elevated their access to User Access Administrator at the root scope.
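The policy above can be checked and enforced without the portal. The following script is an added example, not code from the article or from BeyondTrust; it talks to the Azure Resource Manager endpoint behind the Manage Policies page (Microsoft.Subscription/policies/default, api-version 2021-10-01, with the properties blockSubscriptionsIntoTenant, blockSubscriptionsLeavingTenant and exemptedPrincipals). It assumes the Azure CLI is logged in as a Global Administrator with elevated access, and that the response uses the documented property names; the object IDs passed after --apply are placeholders for your approved subscription creators.

```python
"""Assess and harden the tenant-wide Azure subscription policy.

Added example (not code from the original article or from BeyondTrust).
It targets the Azure Resource Manager endpoint behind the portal's
"Manage Policies" page:

  /providers/Microsoft.Subscription/policies/default?api-version=2021-10-01

whose properties are blockSubscriptionsIntoTenant,
blockSubscriptionsLeavingTenant and exemptedPrincipals (object IDs).
Assumptions: the Azure CLI is logged in as a Global Administrator with
elevated access, and the request/response shape is the documented one.
"""
import json
import subprocess
import sys
import urllib.request

POLICY_URL = ("https://management.azure.com/providers/Microsoft.Subscription"
              "/policies/default?api-version=2021-10-01")


def assess_policy(policy: dict) -> list:
    """Return findings for a policy document as returned by GET POLICY_URL.

    An empty list means nobody except exempted principals can move
    subscriptions into or out of the tenant, which closes the guest path.
    """
    props = policy.get("properties") or {}
    findings = []
    if not props.get("blockSubscriptionsIntoTenant", False):
        findings.append("subscriptions may ENTER the tenant from any billing "
                        "account: guest subscription creation/transfer is open")
    if not props.get("blockSubscriptionsLeavingTenant", False):
        findings.append("subscriptions may LEAVE the tenant")
    for oid in props.get("exemptedPrincipals") or []:
        findings.append(f"exempted principal {oid}: confirm it is a Member, "
                        "not a Guest, and still needs the exemption")
    return findings


def hardened_body(existing: dict, exempted_principals: list) -> dict:
    """Build the PUT body that blocks both directions.

    Exemptions already in place are merged with the ones supplied so that a
    re-run never silently drops an approved subscription-creation account.
    """
    current = (existing.get("properties") or {}).get("exemptedPrincipals") or []
    merged = sorted(set(current) | set(exempted_principals))
    return {"properties": {
        "blockSubscriptionsIntoTenant": True,
        "blockSubscriptionsLeavingTenant": True,
        "exemptedPrincipals": merged,
    }}


def arm_token() -> str:
    """Borrow the Azure CLI's access token for Resource Manager."""
    out = subprocess.check_output(
        ["az", "account", "get-access-token",
         "--resource", "https://management.azure.com", "-o", "json"])
    return json.loads(out)["accessToken"]


def arm_call(token: str, method: str, body: dict = None) -> dict:
    """GET or PUT the policy document; returns the parsed JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(POLICY_URL, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    token = arm_token()
    current = arm_call(token, "GET")
    for finding in assess_policy(current):
        print("FINDING:", finding)
    if "--apply" in sys.argv:
        # Object IDs of the few Members allowed to create subscriptions are
        # passed after --apply (placeholders; supply your own).
        approved = sys.argv[sys.argv.index("--apply") + 1:]
        result = arm_call(token, "PUT", hardened_body(current, approved))
        print(json.dumps(result, indent=2))
```

Run it without arguments to get a read-only report; run it with --apply followed by the object IDs of the accounts that legitimately create subscriptions to lock both directions down. Review every exemption it reports: an exempted guest would reopen exactly the path this policy is meant to close.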

Additionally, organizations can take several proactive steps:

  1. Regular Audits: Enumerate guest accounts (in Entra ID, users whose userType is Guest) and remove those that are no longer necessary.
  2. Tighter Guest Controls: Restrict who may invite guests in External collaboration settings, and in particular stop guests from inviting other guests.
  3. Subscription Monitoring: Regularly review the subscriptions in the tenant, including the Owner assignments on each, and investigate any created or owned by a guest.
  4. Alert Monitoring: Watch the relevant alerts in Microsoft Defender for Cloud (formerly Azure Security Center), bearing in mind that an attacker who owns a subscription can reduce Defender coverage on it.
  5. Device Access Audits: Scrutinize dynamic group rules that grant access based on device attributes.
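Steps 1 and 3 are easy to script. The following is an added example, not code from the article or from BeyondTrust's product: it takes the JSON that the Azure CLI and Microsoft Graph already return (az account list, az role assignment list with --include-inherited, and a Graph user lookup that explicitly selects userType) and reports every subscription with a guest Owner, distinguishing a direct assignment at subscription scope (what a guest-created subscription looks like) from one inherited from a management group. The SAMPLE_* data is constructed for illustration; the subscription IDs, principal IDs and domains in it are not real.

```python
"""Find subscriptions whose Owner is a guest user.

Added example (not code from the original article or from BeyondTrust's
product). It consumes JSON that the Azure CLI and Microsoft Graph already
give you; the SAMPLE_* data below is constructed for illustration.

  az account list --all -o json
  az role assignment list --subscription <id> --role Owner \
      --include-inherited -o json
  az rest --method get --url \
      'https://graph.microsoft.com/v1.0/users/<principalId>?$select=id,userPrincipalName,userType'

The $select is required: userType is not in Graph's default property set.
A guest inventory for the audit step is simply
  az ad user list --filter "userType eq 'Guest'" -o table
"""
import json

GUEST_UPN_MARKER = "#EXT#"  # guest UPNs look like user_home.example#EXT#@tenant


def is_guest(assignment: dict, users_by_id: dict) -> bool:
    """Decide whether the assigned principal is a guest.

    userType from Graph is authoritative. The #EXT# UPN pattern is only a
    fallback for principals Graph could not resolve: a guest converted to
    Member keeps the #EXT# UPN, so the pattern alone would over-report.
    """
    if assignment.get("principalType") != "User":
        return False
    user = users_by_id.get(assignment.get("principalId"))
    if user is not None:
        return user.get("userType") == "Guest"
    return GUEST_UPN_MARKER in (assignment.get("principalName") or "")


def guest_owned_subscriptions(subscriptions, assignments_by_sub, users_by_id):
    """Return one finding per guest Owner, direct or inherited.

    A guest-created subscription produces a direct Owner assignment at
    subscription scope (the creator becomes Owner). Owner inherited from a
    management group is reported too; a guest there is a worse finding.
    """
    findings = []
    for sub in subscriptions:
        sub_scope = f"/subscriptions/{sub['id']}".lower()
        for a in assignments_by_sub.get(sub["id"], []):
            if a.get("roleDefinitionName") != "Owner" or not is_guest(a, users_by_id):
                continue
            findings.append({
                "subscription": sub["name"],
                "subscriptionId": sub["id"],
                "principal": a.get("principalName"),
                "scope": a.get("scope"),
                "direct": (a.get("scope") or "").lower() == sub_scope,
            })
    return findings


# Constructed sample data: a member owner, a guest owner, a service principal
# owner, and a guest Graph could not resolve (inherited from a management group)
SUB_PROD = "aaaa0000-0000-4000-8000-000000000001"
SUB_NEW = "aaaa0000-0000-4000-8000-000000000002"
SUB_SANDBOX = "aaaa0000-0000-4000-8000-000000000003"
SAMPLE_SUBSCRIPTIONS = [
    {"id": SUB_PROD, "name": "prod-core"},
    {"id": SUB_NEW, "name": "Azure subscription 1"},  # typical portal default name
    {"id": SUB_SANDBOX, "name": "sandbox"},
]
SAMPLE_ASSIGNMENTS = {
    SUB_PROD: [
        {"principalId": "u-admin", "principalType": "User",
         "principalName": "cloudadmin@contoso.example",
         "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_PROD}"},
    ],
    SUB_NEW: [
        {"principalId": "u-guest", "principalType": "User",
         "principalName": "mallory_fabrikam.example#EXT#@contoso.example",
         "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_NEW}"},
        {"principalId": "sp-deploy", "principalType": "ServicePrincipal",
         "principalName": "deploy-pipeline",
         "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_NEW}"},
    ],
    SUB_SANDBOX: [
        {"principalId": "u-unresolved", "principalType": "User",
         "principalName": "eve_partner.example#EXT#@contoso.example",
         "roleDefinitionName": "Owner",
         "scope": "/providers/Microsoft.Management/managementGroups/mg-sandbox"},
    ],
}
SAMPLE_USERS = {  # Graph lookups; u-unresolved is deliberately missing
    "u-admin": {"userType": "Member"},
    "u-guest": {"userType": "Guest"},
}

if __name__ == "__main__":
    print(json.dumps(guest_owned_subscriptions(
        SAMPLE_SUBSCRIPTIONS, SAMPLE_ASSIGNMENTS, SAMPLE_USERS), indent=2))
```

Feed it the live CLI output in place of the SAMPLE_* objects. The Graph lookup is what makes the result trustworthy: the #EXT# pattern in the UPN is a useful hint, but a guest that has been converted to a Member keeps that UPN, so only userType decides when a lookup is available.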

To facilitate these efforts, products like BeyondTrust Identity Security Insights offer built-in detections that flag subscriptions created by guest accounts, helping to provide visibility into unusual activities.

Addressing Identity Misconfigurations

The risks associated with guest-made subscriptions illustrate the broader issue of identity misconfigurations. It is essential for organizations to reassess their security policies concerning guest users, dynamic permissions, and subscription governance. The modern enterprise environment cannot afford to overlook these vulnerabilities, as each guest account presents a potential attack vector for privilege escalation.

For organizations seeking to get a clearer picture of potential identity-based risks—including those from guest access—BeyondTrust also offers a no-cost Identity Security Risk Assessment, helping them to identify and address these critical security weaknesses.

About the Author

This article is authored by Simon Maxwell-Stewart, a Senior Security Researcher at BeyondTrust. With a strong background in data science and security research, Simon leverages his expertise to drive innovation in identity security, particularly focusing on the nuanced risks surrounding guest access in enterprise environments.
