Guest Invite with High Privileges [RULE-1138]
This rule detects when an external user is invited to the tenant and simultaneously granted a role with high privileges. Unlike a standard guest addition followed by a separate role assignment, this detection specifically identifies invitations where administrative rights are included as part of the invite process itself.
Rationale
Inviting a guest user with high privileges in a single action is a particularly suspicious pattern. In normal organizational workflows, external collaborators are first invited with standard guest access and only later -- if ever -- assigned elevated permissions through a separate, approved process. Combining the invitation with a high privilege role assignment bypasses the typical review and approval steps.
This technique is commonly used by attackers who have compromised an administrator account. By sending a guest invitation that includes administrative privileges, the attacker creates an external backdoor account in a single operation. The external account is under the attacker's control and provides persistent access to the tenant even after the compromised administrator account is discovered and remediated. This aligns with MITRE ATT&CK T1136.003 (Create Account: Cloud Account) and T1098 (Account Manipulation), where adversaries create or manipulate accounts to establish persistence.
The risk is compounded because guest accounts are external to the organization's identity management processes. They may not be subject to the same password policies, MFA requirements, or monitoring as internal accounts. An external account with administrative privileges is therefore both harder to detect and harder to control than an internal administrative account.
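The following is an added example of the correlation this rule describes, not Attic's own rule code: it groups Entra ID audit records by correlationId and flags a correlation that contains both an "Invite external user" event and an "Add member to role" event for a high-privilege role. The record shape follows the Graph directoryAudit fields (activityDisplayName, correlationId, initiatedBy, targetResources, modifiedProperties); the sample records, the high-privilege role set and the use of correlationId as the "same operation" key are assumptions to tune for your tenant.

```python
# Added example (not Attic's rule code): correlate Entra ID audit records so that a
# guest invitation and a high-privilege role grant sharing one correlationId are flagged.
from collections import defaultdict

# Assumed set of roles treated as high privilege; tune to your tenant's policy.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator",
                        "Security Administrator", "Exchange Administrator"}

def role_name(record):
    """Role display name from an 'Add member to role' record, or None."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return prop.get("newValue", "").strip('"')  # Graph quotes the value
    return None

def detect_privileged_guest_invites(records):
    """One finding per correlationId holding both an 'Invite external user' record
    and a high-privilege 'Add member to role' record. A role granted later in a
    separate operation (different correlationId) is out of scope for this rule."""
    by_corr = defaultdict(list)
    for rec in records:
        by_corr[rec["correlationId"]].append(rec)
    findings = []
    for corr, group in by_corr.items():
        invites = [r for r in group if r["activityDisplayName"] == "Invite external user"]
        roles = {role_name(r) for r in group if r["activityDisplayName"] == "Add member to role"}
        high = sorted(roles & HIGH_PRIVILEGE_ROLES)
        if invites and high:
            inv = invites[0]
            findings.append({"correlationId": corr, "roles": high,
                             "actor": inv["initiatedBy"]["user"]["userPrincipalName"],
                             "guest": inv["targetResources"][0]["userPrincipalName"]})
    return findings

def _rec(activity, corr, actor, guest_upn, role=None):
    """Build a constructed audit record in a Graph directoryAudit-like shape."""
    props = [{"displayName": "Role.DisplayName", "newValue": f'"{role}"'}] if role else []
    return {"activityDisplayName": activity, "correlationId": corr,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": guest_upn, "modifiedProperties": props}]}

ADMIN, GUEST_A, GUEST_B = "admin@contoso.example", "a_ext.example#EXT#@contoso.example", "b_ext.example#EXT#@contoso.example"
SAMPLE = [  # constructed sample, not real tenant data
    _rec("Invite external user", "c1", ADMIN, GUEST_A),
    _rec("Add member to role", "c1", ADMIN, GUEST_A, "Global Administrator"),  # same op -> flag
    _rec("Invite external user", "c2", ADMIN, GUEST_B),                        # plain guest
    _rec("Add member to role", "c3", ADMIN, GUEST_B, "Global Administrator"),  # later, separate op
]
```

Running `detect_privileged_guest_invites(SAMPLE)` yields a single finding for correlation c1; the later, separate grant under c3 is left for a standalone role-assignment rule.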
Follow-up
Follow these steps to adequately address this detection:
- Verify with the administrator who sent the invitation whether it was intentional and whether there is a documented business justification for granting high privileges to an external user as part of the invite.
- If no: The invitation was not authorized and may indicate a compromised administrator account:
  - Immediately remove the guest user from the high privilege role and revoke the guest invitation via the Entra admin center.
  - Delete or block the guest account to prevent any further access to the tenant.
  - Investigate the administrator account that sent the invitation: review sign-in logs, check for unfamiliar IP addresses or locations, revoke active sessions, and reset credentials.
  - Review the Unified Audit Log at security.microsoft.com for any actions performed by the guest account between the time of invitation and removal. Contact Attic for incident response support if there is evidence of data access or additional unauthorized changes.
- If yes: The invitation with high privileges was intentional:
  - Verify that granting administrative privileges to an external user via an invite aligns with your organization's security policy. Best practice strongly discourages this pattern -- guest users should not receive administrative roles.
  - If absolutely necessary, recommend migrating the role assignment to Privileged Identity Management (PIM) with time-limited access and approval requirements. If the assignment is acceptable and documented: close the incident.