Skip to content
Nuclei Templates

Azure Entra ID Guest Users Unmonitored

ID: azure-entra-id-guest-users-unmonitored

Severity: medium

Author: princechaddha

Tags: cloud,devops,azure,microsoft,entra-id,azure-cloud-config

Description

Section titled “Description”

For a Microsoft Azure business-to-business (B2B) collaboration, each Microsoft Entra ID guest user needs to be associated with a business owner or business process. Ensure that there are no unassociated Microsoft Entra ID guest users within your Microsoft Azure account when there is no need for B2B collaboration.

YAML Source

Section titled “YAML Source”
id: azure-entra-id-guest-users-unmonitored
info:
  name: Azure Entra ID Guest Users Unmonitored
  author: princechaddha
  severity: medium
  description: |
    For a Microsoft Azure business-to-business (B2B) collaboration, each Microsoft Entra ID guest user needs to be associated with a business owner or business process. Ensure that there are no unassociated Microsoft Entra ID guest users within your Microsoft Azure account when there is no need for B2B collaboration.
  impact: |
    Presence of unmonitored Microsoft Entra ID guest users can lead to unauthorized access and potential security risks within the Azure environment.
  remediation: |
    Regularly review and monitor guest users in Microsoft Entra ID to ensure each is associated with a business owner or process. Remove any unnecessary guest user accounts.
  reference:
    - https://docs.microsoft.com/en-us/azure/active-directory/external-identities/
  tags: cloud,devops,azure,microsoft,entra-id,azure-cloud-config


self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az ad user list --query "[?userType=='Guest']" --output json


    matchers:
      - type: word
        words:
          - '"userType": "Guest"'


    extractors:
      - type: dsl
        dsl:
          - '"Azure Account han an Entra ID guest user Microsoft Entra ID"'
# digest: 490a0046304402201deaeaf272ddbd2c7c056f375dcdd2059e8af91f678849051caa58dc9f46dd9102204007bf0d7302173e6b864e8fe89cf834e2a53d6d640d1fab3af5c154cd7bee5a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/azure/activedirectory/azure-entra-id-guest-users-unmonitored.yaml"

View on Github