General
This check identifies dynamic groups with membership rules based on user-controllable attributes when guest invitations are enabled in your tenant. This could potentially allow a user to invite a guest in the invite they can manipulate the guests profile data to automatically become members of specific groups.
Rationale
Dynamic groups in Entra ID use rule-based membership to automatically add users based on their attributes. When a membership rule checks attributes like displayName, userPrincipalName, MailNickName, Email a potential security risk emerges if guest invitations are allowed in your tenant.
When inviting a guest account, certain profile attributes can be set by the person sending the invitation. An attacker who receives an invitation (or can send one themselves if guest invitations are broadly allowed) can strategically fill in these attributes to match the membership rules of dynamic groups. Once the guest becomes a member of such a group, they automatically inherit all permissions, access to resources, and applications linked to that group.
This scenario is particularly risky when dynamic groups have access to sensitive SharePoint sites, applications with elevated privileges, or resources containing confidential business information. An attacker can achieve privilege escalation without requiring direct admin action, simply by leveraging the automatic group membership functionality.
Manual instruction
For each identified dynamic group, perform the following assessment:
- Check group permissions: Navigate to Entra admin center → Groups → select the relevant group. Review under "Assigned roles", "Group memberships", and "Applications" what access this group has to resources, applications, and admin roles.
- Assess the risk: Determine whether the group has access to sensitive information or elevated permissions. If the group only provides access to non-critical resources, the risk may be acceptable for your organization.
-
Choose a mitigation strategy (if necessary):
- Option 1 - Modify the membership rule: Adjust the dynamic membership rule to use attributes that cannot be influenced by guests, such as employeeId, onPremisesSamAccountName, or specific group memberships.
- Option 2 - Restrict guest invitations: Navigate to Entra admin center → External Identities → External collaboration settings, and change "Guest invite settings" to "Only users assigned to specific admin roles can invite guest users".
- Option 3 - Remove group permissions: If the group no longer serves a specific function, remove access to sensitive resources or applications.
- Option 4 - Accept the risk: Document the decision if the group doesn't have access to critical resources and the risk is acceptable.
- Review existing guest members: Check the current members of the dynamic group and verify whether there are guest accounts that may have unintentionally gained access through this route.
Comments
0 comments
Please sign in to leave a comment.