Guest Added to High Privilege Role [RULE-1123]
This rule detects when an external (guest) user is added to a role with high privileges in Microsoft Entra ID. High privilege roles include Global Administrator, Exchange Administrator, SharePoint Administrator, Security Administrator, and other roles that grant broad administrative access across the tenant.
Rationale
Guest accounts in Microsoft Entra ID are intended for limited collaboration with external partners, vendors, or contractors. When a guest account is assigned to a high privilege role, it gains administrative control over tenant resources -- a configuration that should be extremely rare and carefully governed.
Attackers who have compromised an administrator account frequently add external accounts to privileged roles as a persistence mechanism. By granting high privileges to a guest account they control, the attacker maintains access to the tenant even if the originally compromised account is discovered and remediated. This technique aligns with MITRE ATT&CK T1098 (Account Manipulation) and T1078 (Valid Accounts), where adversaries modify account permissions or use valid credentials to maintain access.
Because guest accounts are often subject to less scrutiny than internal accounts, this form of privilege escalation can go undetected for extended periods. Detecting this activity promptly is critical to preventing unauthorized administrative access and potential data exfiltration.
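The detection logic described above, as an added worked example (not RULE-1123's own implementation): it scans Entra ID directory audit records for "Add member to role" events, identifies the target as a guest (userType "Guest" or a "#EXT#" UPN), and alerts only when the role is in the high-privilege set. The record layout follows the Microsoft Graph directoryAudit shape (activityDisplayName, initiatedBy, targetResources, modifiedProperties with "Role.DisplayName"); the sample records, tenant name and user names are constructed, and the role set is the page's list, which a deployment would extend.

```python
import json
from typing import Optional

# Roles named on the page; extend with any other role your tenant treats as
# broadly administrative. (Assumed starting set, not an exhaustive list.)
HIGH_PRIVILEGE_ROLES = {
    "Global Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "Security Administrator",
}


def is_guest(upn: str, user_type: Optional[str] = None) -> bool:
    """B2B guests carry userType 'Guest'; their UPN also contains '#EXT#'."""
    return user_type == "Guest" or "#EXT#" in (upn or "").upper()


def _unquote(value: str) -> str:
    """Audit modifiedProperties carry JSON-encoded strings ('"Global Administrator"')."""
    try:
        parsed = json.loads(value)
        return parsed if isinstance(parsed, str) else value
    except (json.JSONDecodeError, TypeError):
        return value


def extract_role_assignment(record: dict) -> Optional[dict]:
    """Return actor/target/role for an 'Add member to role' event, else None."""
    if record.get("activityDisplayName") != "Add member to role":
        return None
    actor = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
    for target in record.get("targetResources", []):
        if target.get("type") != "User":
            continue
        role = None
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                role = _unquote(prop.get("newValue", ""))
        if role:
            return {
                "time": record.get("activityDateTime"),
                "actor": actor,
                "target": target.get("userPrincipalName", ""),
                "target_type": target.get("userType"),
                "role": role,
            }
    return None


def find_guest_privileged_assignments(records: list) -> list:
    """Alerts: guest user added to a role in HIGH_PRIVILEGE_ROLES."""
    alerts = []
    for record in records:
        event = extract_role_assignment(record)
        if event is None:
            continue
        if event["role"] in HIGH_PRIVILEGE_ROLES and is_guest(event["target"], event["target_type"]):
            alerts.append(event)
    return alerts


def _record(actor, target_upn, target_type, role, when):
    """Build a constructed audit record in the directoryAudit shape."""
    return {
        "activityDateTime": when,
        "activityDisplayName": "Add member to role",
        "category": "RoleManagement",
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{
            "type": "User",
            "userPrincipalName": target_upn,
            "userType": target_type,
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": json.dumps(role)},
            ],
        }],
    }


# Constructed sample log: one true positive, two benign role adds, one unrelated event.
SAMPLE_RECORDS = [
    _record("admin@contoso.example", "mallory_partner.example#EXT#@contoso.example",
            "Guest", "Global Administrator", "2024-05-01T09:12:00Z"),
    _record("admin@contoso.example", "alice@contoso.example",
            "Member", "Global Administrator", "2024-05-01T09:15:00Z"),
    _record("admin@contoso.example", "bob_vendor.example#EXT#@contoso.example",
            "Guest", "Directory Readers", "2024-05-01T09:20:00Z"),
    {"activityDisplayName": "Add user", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
]


if __name__ == "__main__":
    for alert in find_guest_privileged_assignments(SAMPLE_RECORDS):
        print(f"[RULE-1123] {alert['time']} {alert['actor']} added guest "
              f"{alert['target']} to {alert['role']}")
```

Only the first sample fires: the internal member gets the same role without alerting, and the guest added to Directory Readers is below the threshold. In production the same function would run over records pulled from the Graph auditLogs/directoryAudits endpoint or the AuditLogs table in Sentinel rather than the embedded list.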
Follow-up
Follow these steps to adequately address this detection:
- Verify with the administrator listed in the alert whether they intentionally added the guest user to the high privilege role. Cross-reference the timing of the role assignment with known change requests or projects.
- If no: The role assignment was not authorized and may indicate a compromised administrator account:
  - Immediately remove the guest user from the high privilege role via the Entra admin center under Roles and administrators.
  - Disable or block the guest account to prevent further access.
  - Investigate the administrator account that performed the assignment: review sign-in logs for suspicious activity, revoke active sessions, and reset credentials.
  - Review the Unified Audit Log at security.microsoft.com for any additional actions performed by the guest account or the compromised administrator. Contact Attic for incident response support if the scope of compromise is unclear.
- If yes: The role assignment was intentional:
  - Verify that assigning high privileges to a guest account aligns with your organization's security policy. Best practice is to avoid granting administrative roles to external users.
  - If the assignment is acceptable and documented: close the incident. Consider implementing time-limited role assignments via Privileged Identity Management (PIM) for future cases.