Guest accounts get flagged as a threat in Identity & Access


My question today is based around a threat I reviewed in a client's security center for Identity and Access (see screenshot below). FYI - I have asked this question in the msdn forum, but haven't got any feedback: https://social.msdn.microsoft.com/Forums/en-US/5a9dedc4-2ace-40b8-a624-da9bdcf4b215/guest-accounts-g...

[Screenshot: guest access threat.PNG]

This error is coming up for my account. As we are a service provider to our clients for Azure cloud solutions (build environments etc.), we get our clients to add our Microsoft accounts as guest accounts to the subscription.

Is this not the best way to gain access to a client's environment? All our accounts are MFA etc. Also, it states this prevents "unmonitored access"; what does that even mean? Everything I do is logged in the activity monitor, and as far as I see, my guest account is locked down to the same level as any other account in the client's AD?

We also commonly see "External accounts with write permissions should be removed from your subscription" come up as well.

Can someone please advise on the implications of ignoring/suppressing these recommendations? Furthermore, if anyone has any insight into what the best practice is for consultants to gain access to client environments (e.g. use our own accounts, get the client to create us an account, etc.), that would be greatly appreciated.

We have always taken the approach of having our accounts added into their AAD as guests to avoid handling multiple identities across all our clients etc. It just seems like the route of having a new identity created for each client is less secure and more cumbersome than utilizing 1 identity.
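The "External accounts with write permissions should be removed from your subscription" recommendation quoted above boils down to one check: which guest principals hold a write-capable RBAC role, and at what scope. The script below is an added example, not code from the original post or from Microsoft; it runs over constructed records shaped like a subset of `az ad user list` and `az role assignment list --all` JSON output, and the set of roles it treats as write-capable, the `SUB-ID` placeholder and the tenant names are assumptions.

```python
"""Audit Azure RBAC assignments for guest (external) users holding write-capable roles.

Added example (not from the original post). The two JSON samples are constructed
to mirror a few fields of `az ad user list` and `az role assignment list --all`
output; on a real subscription you would feed the exported JSON in instead.
"""
import json

# Assumption: a simplified set of built-in roles treated as write-capable.
WRITE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample of directory users. Guest UPNs carry the #EXT# marker.
USERS_JSON = """[
 {"userPrincipalName": "alice@contoso.com", "userType": "Member"},
 {"userPrincipalName": "bob_partner.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest"},
 {"userPrincipalName": "carol_partner.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest"}
]"""

# Constructed sample of role assignments; SUB-ID is a placeholder subscription id.
ASSIGNMENTS_JSON = """[
 {"principalName": "alice@contoso.com", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-ID"},
 {"principalName": "bob_partner.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-ID/resourceGroups/build-rg"},
 {"principalName": "carol_partner.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Reader", "scope": "/subscriptions/SUB-ID"}
]"""


def is_guest(upn, user_types):
    """Guest if the directory says so; fall back on the #EXT# UPN marker."""
    return user_types.get(upn) == "Guest" or "#EXT#" in upn


def guest_write_assignments(users_json, assignments_json):
    """Return (upn, role, scope) for every guest user holding a write-capable role."""
    user_types = {u["userPrincipalName"]: u["userType"] for u in json.loads(users_json)}
    findings = []
    for a in json.loads(assignments_json):
        if a["principalType"] != "User":  # groups/service principals need their own check
            continue
        if is_guest(a["principalName"], user_types) and a["roleDefinitionName"] in WRITE_ROLES:
            findings.append((a["principalName"], a["roleDefinitionName"], a["scope"]))
    return findings


if __name__ == "__main__":
    for upn, role, scope in guest_write_assignments(USERS_JSON, ASSIGNMENTS_JSON):
        print(f"{upn} holds {role} at {scope}")
```

Carol's Reader assignment is not reported: the recommendation is about write permissions, and a read-only guest is the case it does not flag.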

1 Reply
As you cannot fully control/secure the identities of external users, it's recommended to create accounts in your tenant.