Restricting Guest User Access [CHK-1151]
This check verifies whether guest users in a Microsoft environment have their access sufficiently restricted.
Rationale
Guest users from outside the organization can be invited to hold meetings, share data, or collaborate. Because these users are typically less connected to the organization, it is crucial to limit their authorizations. Restricting the Guest User Access setting limits guest users to their own data, so they can only reach data they have been explicitly granted.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to the Entra ID portal at https://entra.microsoft.com
- Go to Users > User settings
- Under "Guest user access", select "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)"
- Click "Save"
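The setting changed in the manual steps is exposed through Microsoft Graph as guestUserRoleId on the tenant's authorization policy. The PowerShell below is an added example, not Attic's own check or fix code: it assumes the check reports Okay only for the most restrictive role, and Test-GuestUserAccess and the sample objects are hypothetical names constructed for illustration.

```powershell
# Role template IDs Microsoft documents for authorizationPolicy.guestUserRoleId.
$GuestRoles = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as members (most inclusive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access to directory objects (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted to own directory objects (most restrictive)'
}
$MostRestrictive = '2af84b1e-32c8-42b7-82bc-daa82404023b'

# Hypothetical helper: maps a policy object to the two outcomes of this check.
# Assumption: only the most restrictive role counts as "Okay".
function Test-GuestUserAccess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy
    )
    process {
        $roleId = "$($Policy.GuestUserRoleId)".ToLowerInvariant()
        # An unrecognised or empty role ID is treated as a warning, never as a pass.
        $level = if ($GuestRoles.ContainsKey($roleId)) { $GuestRoles[$roleId] } else { 'Unknown role ID' }
        [pscustomobject]@{
            GuestUserRoleId = $roleId
            Level           = $level
            Result          = if ($roleId -eq $MostRestrictive) { 'Okay' } else { 'Warning' }
        }
    }
}

# Constructed sample policies (not real tenant data) so the function runs offline.
$samples = @(
    [pscustomobject]@{ GuestUserRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3' }
    [pscustomobject]@{ GuestUserRoleId = '2AF84B1E-32C8-42B7-82BC-DAA82404023B' }
    [pscustomobject]@{ GuestUserRoleId = $null }
)
$samples | Test-GuestUserAccess | Format-Table -AutoSize

# Against a live tenant (requires the Microsoft.Graph PowerShell module):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Get-MgPolicyAuthorizationPolicy | Test-GuestUserAccess
#
# Scripted equivalent of the manual steps above:
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
#   Update-MgPolicyAuthorizationPolicy -BodyParameter @{ guestUserRoleId = $MostRestrictive }
```

Run the read-only check again after any change to confirm the result is Okay.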
Impact
The check has two possible outcomes:
- Okay: guest users are sufficiently restricted
- Warning: guest users are insufficiently restricted
If the check results in a warning, further restricting the authorizations of guest users is advised.
More Information
For more details, visit Microsoft's guide on restricting guest permissions.