In a recent post by Daniel Chronlund, he explains one issue that needs addressing in any organization. During the security assessments I perform, I bring this up, and I am surprised how many organizations did not know this was a problem.
The short version is that internal and external users (guests) can enumerate the Azure Active Directory, including objects such as groups. It is by design and is a setting within Azure Active Directory. You can view your current setting here:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/AllowlistPolicyBlade
The Microsoft documentation explains the three options and the associated permissions.
- Same as member users: Guest users have the same access as members (most inclusive).
- Limited access (default): Guest users have limited access to properties and memberships of directory objects.
- Restricted access: Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).
When updating the configuration with scripting, the essential values are the unique identifiers representing each option.
- Same as member users: a0b1b346-4d3e-4e8b-98f8-753987be4970
- Limited access: 10dae51f-b6af-4016-8d66-8c2a99b929b3
- Restricted access: 2af84b1e-32c8-42b7-82bc-daa82404023b
The key point is that when guest access is restricted, guests can view only their own user profile. Viewing other users is not allowed even if the guest searches by a specific User Principal Name or objectId. Restricted access also prevents guest users from viewing the membership of the groups they belong to.
Modify using the Azure Portal
Navigate to https://portal.azure.com/#blade/Microsoft_AAD_IAM/AllowlistPolicyBlade
Within the “Guest user access” section, select the chosen option
The recommendation is to choose “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).”

Modify using the Microsoft Graph
You can use either Graph Explorer or PowerShell to perform the update when using direct Microsoft Graph calls. Either way, the URL for checking the current value is the same.
https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
To retrieve the value or perform updates, you need to ensure you have the “Policy.Read.All” and “Policy.ReadWrite.Authorization” permissions. Within the Graph Explorer tool, paste the URL and click “Run query.”

If prompted, perform the consent for the two missing permissions.
In the results, you will see a field called “guestUserRoleId” which contains the unique identifier that matches a value for one of the selected permissions.

The current value displayed above is the default option “Guest users have limited access to properties and memberships of directory objects.”
To change this, first update the method drop-down to “PATCH.”
Leave the URL the same.
Update the “Request body” values to the following:
{
"guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
}
Click “Run query.”
To check the updated value, execute the “GET” command with no “Request body.” The results should reflect the new unique identifier.

Modify using the Graph PowerShell SDK
The Graph PowerShell SDK provides two ways of adjusting this value. The first is to call the direct Graph URL using “Invoke-MgGraphRequest.” The second is to use the “Update-MgPolicyAuthorizationPolicy” command.
Using the “Invoke-MgGraphRequest” Cmdlet
First, you need to connect to the Tenant using the required permission scopes.
$scopes = @(
"Policy.Read.All",
"Policy.ReadWrite.Authorization"
)
Connect-MgGraph -Scopes $scopes
You can then check the current value of the property using this command.
$url = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"
$body = @{}
Invoke-MgGraphRequest `
-Uri $url `
-Method GET `
-Body $body

Next, you construct the required “URL,” “Method Type,” and “Request Body” with the selected unique identifier.
$url = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"
$body = @{
"guestUserRoleId" = "10dae51f-b6af-4016-8d66-8c2a99b929b3"
}
Lastly, you execute the entire command.
Invoke-MgGraphRequest `
-Uri $url `
-Method PATCH `
-Body $body
To check the updated value, execute the following commands. The results should reflect the new unique identifier.
$url = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"
$body = @{}
Invoke-MgGraphRequest `
-Uri $url `
-Method GET `
-Body $body
Using the “Update-MgPolicyAuthorizationPolicy” Cmdlet
The Graph PowerShell SDK wraps this policy in dedicated cmdlets, so you do not need to construct direct Microsoft Graph calls. To first check the current value of the required property, you execute this command.
Get-MgPolicyAuthorizationPolicy | Format-List
Next, you need to choose the required permission unique identifier to use. Once selected, you execute the “Update-MgPolicyAuthorizationPolicy” command with the necessary permission.
$roleid = "10dae51f-b6af-4016-8d66-8c2a99b929b3"
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $roleid
To check the updated value, execute the following commands. The results should reflect the new unique identifier.
Get-MgPolicyAuthorizationPolicy | Select-Object GuestUserRoleId
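As an added example that is not part of the original post, the following script ties the procedures above together as an audit check: it reads the current guestUserRoleId through the Graph PowerShell SDK, reports it by its portal name, and only changes it to the Restricted access value when run with an -Enforce switch, recording the previous value first. The Test-GuestAccessLevel function, the -Enforce switch and the CSV file name are this example's own; the role ids and cmdlets are the ones the post uses.

```powershell
# Added example (not from the original post): audit the tenant's guest-access level,
# report it by name, and optionally enforce the "Restricted access" value.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account
# can consent to Policy.Read.All / Policy.ReadWrite.Authorization.
param(
    [switch]$Enforce   # hypothetical switch: without it the script only reports
)
# The three role ids documented by Microsoft, keyed to their portal labels.
$GuestAccessLevels = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same as member users"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted access"
}
$RestrictedId = "2af84b1e-32c8-42b7-82bc-daa82404023b"

function Test-GuestAccessLevel {
    param([string]$GuestUserRoleId)
    $name = $GuestAccessLevels[$GuestUserRoleId]
    if (-not $name) { $name = "Unknown role id" }
    [pscustomobject]@{
        GuestUserRoleId = $GuestUserRoleId
        Level           = $name
        IsRestricted    = ($GuestUserRoleId -eq $RestrictedId)
    }
}
# Only request the write scope when we actually intend to change the policy.
$scopes = if ($Enforce) { "Policy.Read.All", "Policy.ReadWrite.Authorization" } else { "Policy.Read.All" }
Connect-MgGraph -Scopes $scopes

# Read the current value the same way the post does, through the SDK cmdlet.
$policy = Get-MgPolicyAuthorizationPolicy
$before = Test-GuestAccessLevel -GuestUserRoleId $policy.GuestUserRoleId
Write-Host "Current guest access: $($before.Level) ($($before.GuestUserRoleId))"
if ($before.IsRestricted) {
    Write-Host "Tenant already uses the most restrictive setting; nothing to do."
    return
}
if (-not $Enforce) {
    Write-Warning "Guests can enumerate directory objects. Re-run with -Enforce to apply Restricted access."
    return
}
# Keep a timestamped record of the previous value before changing tenant-wide policy.
$before | Export-Csv -Path ".\guest-access-before-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $RestrictedId

# Re-read and confirm the change actually took effect.
$after = Test-GuestAccessLevel -GuestUserRoleId (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
if (-not $after.IsRestricted) { throw "Update did not apply: tenant still reports $($after.Level)" }
Write-Host "Guest access is now: $($after.Level)"
```

Running it without -Enforce is safe to schedule as a recurring check, since it only requests the read scope and never writes.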
As you can see, there are always multiple ways of performing the same task within Microsoft 365 using native PowerShell, the Microsoft Graph, or the updated Graph PowerShell commands.