Dec 29 2021 - last edited on Jan 14 2022
Use Case: We allow particular guest users (having the Guest Inviter role) to invite other B2B guest users using the groups Access Panel. However, we would like to limit what they can see as much as possible, as we deal with multiple B2B tenants. For instance, currently the tenant guest setting is set to "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)". However, with this setting these guest users cannot add new guests to the groups they own on the Access Panel; as soon as they do, it breaks and throws an error. To work around this, these users were also given the "Directory Readers" role. However, now they can enumerate ALL users in AAD using the Join Group function:
This is too permissive as it allows these users to enumerate all users in the tenant including the other B2B guest users which they should not be able to see.
Problem: The group Access Panel, which can be found here: Access Panel Groups (windowsazure.com), can potentially be exploited to perform an enumeration attack. By design, this allows you to enumerate all groups and their members and email addresses in Azure AD by using the "+Join Group" feature, or by adding a new member to a group you own and typing an initial letter, which shows an autocomplete menu with all members having that letter.
I hope these changes can be considered, as they have been highlighted a few times already by security experts; see:
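As an added example (not part of the original post), the following Microsoft Graph PowerShell audit checks, from an administrator's side, the two things the post discusses: which guest access restriction level the tenant's authorization policy currently applies, and which guest users hold the "Directory Readers" or "Guest Inviter" role, i.e. the workaround that widens what a guest can read. The cmdlet names come from the Microsoft.Graph SDK; the GUID-to-label mapping and the role display names are assumptions that should be verified against current Microsoft documentation.

```powershell
# Added audit script (not from the original post): reports the tenant's guest
# access restriction level and lists guest users who hold directory roles that
# widen what they can see, e.g. the "Directory Readers" workaround described above.
# Requires the Microsoft.Graph PowerShell SDK and a reader with Policy.Read.All,
# RoleManagement.Read.Directory and User.Read.All.

Connect-MgGraph -Scopes "Policy.Read.All","RoleManagement.Read.Directory","User.Read.All" | Out-Null

# GuestUserRoleId values as documented by Microsoft for the authorization policy
# (assumed here; verify against the current documentation before relying on them).
$guestRoleLabels = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same as member users (least restrictive)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted to own directory objects (most restrictive)"
}

$policy = Get-MgPolicyAuthorizationPolicy
$label  = $guestRoleLabels[[string]$policy.GuestUserRoleId]
if (-not $label) { $label = "Unknown value" }
Write-Host "Guest user access level: $($policy.GuestUserRoleId) -> $label"

# Roles whose guest members deserve review (display names assumed).
# Only roles that have been activated in the tenant are returned by Get-MgDirectoryRole.
$rolesToCheck = @("Directory Readers", "Guest Inviter")
$activeRoles  = Get-MgDirectoryRole -All

$findings = foreach ($roleName in $rolesToCheck) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Role members can be users, groups or service principals; only users have a UserType.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property Id,DisplayName,UserPrincipalName,UserType
        if ($user.UserType -eq 'Guest') {
            [pscustomobject]@{
                Role              = $roleName
                DisplayName       = $user.DisplayName
                UserPrincipalName = $user.UserPrincipalName
            }
        }
    }
}

if ($findings) {
    # Even with the most-restrictive guest setting, a guest in "Directory Readers"
    # can still read every user object, which is the over-exposure the post describes.
    $findings | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "No guest users hold the checked directory roles."
}
```

Run it with a read-only account; it changes nothing. A non-empty "Directory Readers" row for a guest is the condition worth reviewing, since that role grants directory-wide read access regardless of the guest restriction level reported at the top.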
Feb 14 2022 11:50 PM