Dynamic Group Vulnerability Analysis and Fix [CHK-1177]
This article identifies dynamic groups whose membership rules are based on user-controllable attributes while guest invitations are enabled, a combination that can allow unauthorized group access.
Rationale
Dynamic groups that rely on user-controllable attributes can pose a security risk, as they may provide unauthorized access to sensitive resources, applications, or permissions.
Dynamic groups in Entra ID use rule-based membership to automatically add users based on their attributes. When a membership rule checks attributes such as displayName, userPrincipalName, MailNickName or Email, a potential security risk emerges if guest invitations are allowed in your tenant.
When inviting a guest account, certain profile attributes can be set by the person sending the invitation. An attacker who receives an invitation (or can send one themselves if guest invitations are broadly allowed) can strategically fill in these attributes to match the membership rules of dynamic groups. Once the guest becomes a member of such a group, they automatically inherit all permissions, access to resources, and applications linked to that group.
Fix
Manual steps:
- Navigate to Microsoft Entra admin center at https://entra.microsoft.com.
- Select Groups then Dynamic groups.
- Review the dynamic group(s) with membership rules that rely on user-controllable attributes.
- Click on "Edit".
- Determine what access these groups provide. Check if they have access to sensitive resources, applications, or permissions.
- Assess whether the potential for guest access aligns with your security policies.
- If the groups only provide access to non-sensitive resources, this may be acceptable for your organization.
- Consider modifying the membership rules to use attributes that guests cannot control (e.g., employee ID, manager relationships, or specific group memberships).
- If needed, you can restrict who can invite guests in your Azure AD settings.
- Click "Save".
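The review in the steps above can be scripted. The following PowerShell is an added example written for this article, not code from the original page or from Microsoft: it enumerates dynamic groups through the Microsoft Graph PowerShell SDK, extracts the user attributes each membership rule references, and flags rules that depend on the attributes named in the Rationale (using their Graph property names: displayName, userPrincipalName, mailNickname, mail). It assumes the Microsoft.Graph SDK (v2) is installed and that the signed-in account has Group.Read.All. The attribute list, the "userType -eq Member excludes guests" heuristic and the sample rules are assumptions and constructed data, not findings from any tenant.

```powershell
param([switch]$SampleOnly)

# Added example, not part of the original article or of any Microsoft tooling.
# Attributes a guest (or the person inviting them) can influence at invitation time.
# This list mirrors the article's Rationale; widen it for your tenant as needed (assumption).
$UserControllableAttributes = @('displayName', 'userPrincipalName', 'mailNickname', 'mail')

function Get-RuleAttributeReferences {
    param([Parameter(Mandatory)][string]$Rule)
    # Membership rules reference user properties as user.<attribute>; collect each distinct name.
    [regex]::Matches($Rule, '(?i)\buser\.([A-Za-z0-9_]+)') |
        ForEach-Object { $_.Groups[1].Value } |
        Select-Object -Unique
}

function Test-UserControllableRule {
    param([Parameter(Mandatory)][string]$Rule)
    $refs = @(Get-RuleAttributeReferences -Rule $Rule)
    # -contains compares case-insensitively, so user.DisplayName and user.displayName both match.
    $hits = @($refs | Where-Object { $UserControllableAttributes -contains $_ })
    # Heuristic (assumption): a rule that pins userType to Member, or excludes Guest, keeps invited
    # guests out regardless of the other attributes it checks, so it is reported as mitigated.
    $excludesGuests = ($Rule -match '(?i)user\.userType\s+-eq\s+"Member"') -or
                      ($Rule -match '(?i)user\.userType\s+-ne\s+"Guest"')
    [pscustomobject]@{
        Flagged          = ($hits.Count -gt 0) -and (-not $excludesGuests)
        UnsafeAttributes = $hits
        ExcludesGuests   = $excludesGuests
    }
}

# Constructed sample rules (not from any real tenant) so the classifier can be exercised offline.
$SampleRules = @(
    '(user.displayName -contains "Finance")',                                   # flagged: inviter sets displayName
    '(user.mail -contains "contoso")',                                          # flagged: mail comes from the invited address
    '(user.userType -eq "Member") and (user.displayName -contains "Finance")',  # mitigated: guests excluded by userType
    '(user.department -eq "Finance") and (user.employeeId -ne null)'            # ok: admin-maintained attributes only
)

if ($SampleOnly) {
    foreach ($r in $SampleRules) {
        $res = Test-UserControllableRule -Rule $r
        $state = if ($res.Flagged) { 'FLAGGED' } elseif ($res.ExcludesGuests) { 'MITIGATED' } else { 'ok' }
        '{0,-10} {1}' -f $state, $r
    }
    return
}

# Live review: pull every dynamic group with its rule and report the ones worth the manual steps above.
Connect-MgGraph -Scopes 'Group.Read.All' -NoWelcome
$dynamicGroups = Get-MgGroup -All -Property 'id,displayName,groupTypes,membershipRule,membershipRuleProcessingState' |
    Where-Object { $_.GroupTypes -contains 'DynamicMembership' -and $_.MembershipRule }

$findings = foreach ($g in $dynamicGroups) {
    $res = Test-UserControllableRule -Rule $g.MembershipRule
    if ($res.Flagged) {
        [pscustomobject]@{
            DisplayName      = $g.DisplayName
            Id               = $g.Id
            UnsafeAttributes = ($res.UnsafeAttributes -join ', ')
            Processing       = $g.MembershipRuleProcessingState
            Rule             = $g.MembershipRule
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No dynamic group rule references a guest-controllable attribute.' }
```

Run it once with `-SampleOnly` to see how the four constructed rules are classified, then without the switch against the tenant. A flagged group is a review candidate, not a confirmed exposure: as the manual steps say, what the group grants access to decides whether the rule must be rewritten to admin-maintained attributes (or restricted to members) or can be accepted.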
Impact
The fix will ensure that dynamic groups are configured in a way that aligns with your security policies, preventing unauthorized access to sensitive resources.
More Information
For more information on (over)sharing, group access and other M365 resources, consider checking out the M365Permissions tool https://www.m365permissions.com/#/