The guest user permissions dilemma


Azure AD has allowed multiple controls for managing guest users to reduce their potential security risk but it also leaves some broken functionality here and there. For instance consider the following use case:


Company A has published an app that guest users from Company B can access. In order to delegate management, a new group was created of which a guest user from Company B was made an owner. This user (let's say John) can decide, based on group membership, which of his colleagues from Company B can access this app.


Case 1:

  • Tenant setting: "Guest user access: Guest users have limited access to properties and memberships of directory objects"
  • John goes to myapps.microsoft.com, switches to the Company A organization and opens the "My Groups" panel
  • John opens the group of which he is owner and sees its members
  • When adding a new member using the "+" icon, the page breaks and throws an error as soon as text input is entered (which is not good, because John cannot do his job)
  • The "+Join group" button shows an error page, so John cannot enumerate groups on the tenant (which is good security-wise)

Case 2:

  • Tenant setting: "Guest user access: Guest users have the same access as members (most inclusive)"
  • John repeats the steps from Case 1
  • Everything works as expected
  • However, John (and all guests for that matter) can now access the "+Join group" button, allowing enumeration of all groups of Company A and their members
  • Additionally, John can also delete the group he is owner of; however, this is more due to the fact that a group owner also has delete permissions. (But I read somewhere that granular permissions are in the works that can remove delete permissions from an owner.)

It seems there is a problem between having too few or too many permissions for a guest user, which either prevents productivity or exposes security risks.


What would be the best way to solve for this scenario?
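The two tenant settings compared above are the value of guestUserRoleId on the tenant's authorizationPolicy in Microsoft Graph, so the first thing a defender wants is a way to check which of the two cases a tenant is actually in, and which groups a particular guest owns. The following PowerShell script is an added example and is not code from this thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds Policy.Read.All, User.Read.All and Group.Read.All; the three role template IDs are the values Microsoft documents for this setting, and $GuestObjectId is a placeholder to replace with the guest's object id.

```powershell
# Added example (not from the thread): report the tenant-wide "Guest user access"
# setting and list the groups a given guest owns.
# Assumptions: Microsoft.Graph SDK installed; caller has Policy.Read.All,
# User.Read.All, Group.Read.All; $GuestObjectId is a placeholder object id.
param(
    [string]$GuestObjectId = "00000000-0000-0000-0000-000000000000"  # placeholder, replace
)

Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "Group.Read.All" | Out-Null

# Role template IDs that authorizationPolicy.guestUserRoleId can hold (Microsoft-documented values).
$GuestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as members (most inclusive) - Case 2 in the post"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access to properties and memberships (default) - Case 1 in the post"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted to properties and memberships of own objects (most restrictive)"
}

# 1. Which case is this tenant in?
$policy = Get-MgPolicyAuthorizationPolicy
$roleId = $policy.GuestUserRoleId
$label  = if ($GuestRoleNames.ContainsKey($roleId)) { $GuestRoleNames[$roleId] } else { "Unknown role template id" }
Write-Host "Guest user access setting: $roleId -> $label"
if ($roleId -eq "a0b1b346-4d3e-4e8b-98f8-753987be4970") {
    Write-Warning "Guests can read all groups and memberships in this tenant (the Case 2 exposure)."
}

# 2. Which groups does this guest own? Delegation should be limited to exactly these.
$owned = Get-MgUserOwnedObject -UserId $GuestObjectId -All
$ownedGroups = $owned | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
if (-not $ownedGroups) {
    Write-Host "Guest $GuestObjectId owns no groups."
} else {
    Write-Host "Groups owned by guest $GuestObjectId (owners can add/remove members and delete the group):"
    foreach ($g in $ownedGroups) {
        "{0}  {1}" -f $g.Id, $g.AdditionalProperties.displayName
    }
}
```

Run the script periodically (or from a pipeline) so that a change of the tenant setting toward "same access as members" is noticed, and keep the list of guest-owned groups short and reviewed, since ownership carries delete rights as the post notes.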


3 Replies

@brlgen Are there any updates on this question? I am facing similar issues with guest accounts.

As far as I know nothing has changed so far.

@brlgen thank you for responding, this is what I am also observing.