SOLVED

Guest access process

%3CLINGO-SUB%20id%3D%22lingo-sub-2648257%22%20slang%3D%22en-US%22%3EGuest%20access%20process%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2648257%22%20slang%3D%22en-US%22%3EHey%20guys%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20today%20a%20special%20question.%20We%20have%20of%20course%20mfa%20enabled%20for%20guest%20user%20access.%20Now%20we%20had%20a%20special%20case%3A%20a%20user%20added%20a%20guest%20to%20a%20project%20in%20teams.%20The%20guest%20user%20got%20a%20invitation%20-%20so%20far%20so%20good.%20Now%20the%20guest%20user%20mail%20account%20was%20hacked%20and%20a%20hacker%20has%20taken%20the%20invitation%20and%20added%20the%20MFA%20by%20themselves.%20Do%20you%20had%20a%20case%20like%20this%3F%20Any%20ideas%20how%20we%20can%20prevent%20something%20like%20this%3F%20Actually%20I%20was%20thinking%20about%20a%20process%20-%20but%20I%20also%20think%20that%E2%80%99s%20very%20complicated%20for%20the%20end%20user.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20am%20thankful%20for%20all%20ideas!%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2648257%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EBest%20Practices%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETips%20%26amp%3B%20Tricks%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2648562%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20process%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2648562%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F781529%22%20target%3D%22_blank%22%3E%40The365Guy%3C%2FA%3E%26nbsp%3BAs%20the%20intrusion%20and%20takeover%20of%20the%20account%20belongs%20to%20another%20org.%20it%20should%20be%20that%20org.%20taking%20security%20actions%20in%20their%20environment%20to%20prevent%20this%20from%20happening.%20As%20for%20the%20scenario%20you%20describing%20I%20would%20terminate%20the%20guest%20account%20asap.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fenterprise-users%2Fusers-revoke-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERevoke%20user%20access%20in%20an%20emergency%20in%20Azure%20Active%20Directory%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2648597%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20process%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2648597%22%20slang%3D%22en-US%22%3EI%20agree%20with%20you%20and%20we%20did%20this%20when%20we%20found%20out%20that%20this%20happened.%20I%20know%20this%20question%20is%20very%20special.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2648620%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20process%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2648620%22%20slang%3D%22en-US%22%3EOh%20and%20btw%2C%20you%20mentioned%20what%20you%20can%20do%20about%20it%20too.%20I%20suggest%2C%20if%20you%20have%20the%20proper%20license%20to%20have%20a%20closer%20look%20at%20Identity%20Protection%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Foverview-identity-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Foverview-identity-protection%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHighlighting%20this%20for%20ex.%20%3CBR%20%2F%3E%3CBR%20%2F%3EIdentity%20Protection%20identifies%20risks%20of%20many%20types%2C%20including%3A%3CBR%20%2F%3E%3CBR%20%2F%3EAnonymous%20IP%20address%20use%3CBR%20%2F%3EAtypical%20travel%3CBR%20%2F%3EMalware%20linked%20IP%20address%3CBR%20%2F%3EUnfamiliar%20sign-in%20properties%3CBR%20%2F%3ELeaked%20credentials%3CBR%20%2F%3EPassword%20spray%3CBR%20%2F%3Eand%20more...%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Foverview-identity-protection%23risk-detection-and-remediation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Foverview-identity-protection%23risk-detection-and-remediation%3C%2FA%3E%3C%2FLINGO-BODY%3E
Contributor
Hey guys,

I have today a special question. We have of course mfa enabled for guest user access. Now we had a special case: a user added a guest to a project in teams. The guest user got a invitation - so far so good. Now the guest user mail account was hacked and a hacker has taken the invitation and added the MFA by themselves. Do you had a case like this? Any ideas how we can prevent something like this? Actually I was thinking about a process - but I also think that’s very complicated for the end user.

I am thankful for all ideas!
7 Replies

@The365Guy As the intrusion and takeover of the account belongs to another org. it should be that org. taking security actions in their environment to prevent this from happening. As for the scenario you describing I would terminate the guest account asap.

 

Revoke user access in an emergency in Azure Active Directory | Microsoft Docs

 

 

I agree with you and we did this when we found out that this happened. I know this question is very special.
best response confirmed by The365Guy (Contributor)
Solution
Oh and btw, you mentioned what you can do about it too. I suggest, if you have the proper license to have a closer look at Identity Protection https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protec...

Highlighting this for ex.

Identity Protection identifies risks of many types, including:

Anonymous IP address use
Atypical travel
Malware linked IP address
Unfamiliar sign-in properties
Leaked credentials
Password spray
and more...

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protec...
Oh that means identity protection can also protect guest accounts?! I didn’t know that! That was now really helpful! Thanks a lot :)
This is a great resource and very helpful. Thanks for the help :)
Glad to assist! Please consider any of the above posts for ”best response” as it will close the conversation and be of future reference (i.e. see there’s a solution). Cheers!