
Inviting guest users into your Entra ID tenant can expose you to surprising risk.
An access control gap in how Microsoft Entra handles subscriptions lets guest users create subscriptions in their home tenant and transfer them into the tenants that invited them, while retaining full ownership of those subscriptions.
All a guest user needs is permission to create subscriptions in their home tenant and an invitation to the external tenant as a guest. Once inside, the guest creates a subscription in their home tenant, transfers it to the external tenant, and keeps full ownership of it. This stealthy privilege escalation tactic gives guest users a privileged foothold in environments where they were meant to have only limited access.
Many organizations treat guest accounts as low risk because their access is temporary and limited, but this works-as-designed behavior opens the door to known attack paths and lateral movement inside the resource tenant. Threat actors can use it for reconnaissance and persistence in the defender’s Entra ID, and as a stepping stone to privilege escalation in certain scenarios.
This risk sits outside the organization’s usual controls: typical threat models and best practices do not account for guests creating their own subscriptions inside the tenant, so it can also fall off the security team’s radar.
How to compromise your Entra ID tenant with a guest user account
Guest-created subscriptions take advantage of the fact that Microsoft’s billing authority (Enterprise Agreements or Microsoft Customer Agreements) is scoped to a billing account rather than to an Entra directory. Most security teams think of Azure permissions either as Entra directory roles (such as Global Administrator) or as Azure RBAC roles (such as Owner). There is, however, a third set of authority that is easily overlooked: the billing role.
Entra directory roles and Azure RBAC roles govern identity and access to resources, but billing roles operate at the billing account level, which sits outside the well-understood Azure tenant authentication and authorization boundary. A user with the appropriate billing role can create or transfer subscriptions from their home tenant to gain control inside a target tenant. Security teams that audit only Entra directory roles will not see these subscriptions in a standard Entra permission review.
When a B2B guest user is invited to a resource tenant, they access it through federation with their home tenant. This saves cost, and the trade-off is that the resource tenant cannot enforce authentication controls such as MFA on the guest. Defenders therefore usually restrict guests’ privileges and access, since the guest accounts themselves cannot be secured by the resource tenant. But if a guest holds a valid billing role in their home tenant, they can use it to become an Azure subscription owner in the resource tenant.
This applies to guest users from pay-as-you-go Azure tenants, which an attacker can spin up in just a few minutes. Additionally, by default all users, including guests, can invite external users into the directory, so an attacker can use a compromised account to invite a user who holds the right billing authority in the attacker’s own environment.
How an attacker can use an unprivileged Entra guest account to gain access:
1. The attacker obtains control of a user that holds a billing role able to create subscriptions, and therefore to become owner of the subscriptions it creates. This can be done by signing up for an Azure Free Trial (the user who signs up becomes the owner of the billing account) or by compromising an existing user who already holds such a billing role.
2. By default, users or guests can invite guests into the tenant.
3. The attacker logs in to the Azure portal and switches to their home directory, which they fully control.
4. The attacker goes to Subscriptions > Add (+).
5. On the Advanced tab, the attacker sets the defender’s directory as the target directory.
6. The attacker creates the subscription.
7. The subscription does not appear in the attacker’s tenant. Instead, it appears in the defender’s tenant under the root management group.
8. The attacker is automatically assigned the Owner RBAC role on this subscription.
Real-world risk: what a new subscription gives an unwelcome guest
If an attacker holds a subscription with Owner privileges inside another organization’s tenant, they can use that access to perform actions that a limited role would normally block. These include:
Listing root management group administrators. In many tenant configurations, guest users have no permission to list other users in the tenant. After a guest subscription attack, that visibility becomes possible: a guest owner can view the access control (IAM) role assignments on the subscription they created. Administrators assigned at the tenant’s root management group are inherited and shown in the subscription’s role assignment view, exposing a list of high-value privileged accounts that are ideal targets for follow-on attacks and social engineering.
Weakening the default Azure Policy applied to the subscription. By default, all subscriptions (and their resources) are subject to Azure Policy assignments designed to enforce security standards and raise alerts when a violation occurs. Once a guest becomes a subscription owner, they have full write permission over the policies applied to that subscription and can modify or disable them, effectively muting the security alerts that would otherwise notify the defender of suspicious or non-compliant activity. This further reduces visibility for security monitoring tools, letting the attacker act and target other systems under the radar.
Creating a user-assigned managed identity in the Entra ID directory. A guest with subscription owner permissions can create a user-assigned managed identity. It lives in the Entra directory but is bound to a workload within the subscription. This identity is separate from the original guest account, can be granted roles or permissions beyond the subscription, blends in with legitimate workload identities so that detection is harder, and can be used to trick legitimate administrators into granting it higher privileges.
Registering Entra-joined devices and abusing Conditional Access policies. Azure allows trusted devices to be registered and joined to Entra ID. An attacker can register a device under the hijacked subscription and present it as a compliant corporate device. Many organizations use dynamic device groups to assign roles or access automatically based on device state (for example, “all users on compliant laptops can access X”). By registering or spoofing a device, an attacker can satisfy Conditional Access policies and gain unauthorized access to trusted assets. This is a device-based variant of a known dynamic group exploit[1] previously seen targeting user objects. BeyondTrust’s Identity Security Insights product has helped reveal to customers many similarly misunderstood dynamic groups that unintentionally expose Hidden Paths to Privilege™.
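The first consequence above (inherited root management group grants becoming visible to whoever owns a subscription) is also what a defender can audit for. The following is an added example, not BeyondTrust’s code: it takes the role assignments visible from one subscription, in the shape of `az role assignment list --all --include-inherited` output as the author understands it, and separates privileged grants held by guest principals inside the subscription from privileged grants inherited from above it. All ids, names and domains are constructed.

```python
import re

# Constructed sample: role assignments visible from one subscription, including the
# ones inherited from the root management group. Field names follow the Azure CLI
# output as the author understands it (scope, roleDefinitionName, principalName,
# principalType); userType is optional and comes from a directory export if present.
SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"
ROOT_MG_SCOPE = ("/providers/Microsoft.Management/managementGroups/"
                 "22222222-2222-2222-2222-222222222222")

SAMPLE_ASSIGNMENTS = [
    {"scope": f"/subscriptions/{SUBSCRIPTION_ID}",
     "roleDefinitionName": "Owner",
     "principalName": "mallory_attacker.example#EXT#@defender.onmicrosoft.com",
     "principalType": "User"},
    {"scope": ROOT_MG_SCOPE,
     "roleDefinitionName": "Owner",
     "principalName": "global-admin@defender.example",
     "principalType": "User"},
    {"scope": ROOT_MG_SCOPE,
     "roleDefinitionName": "User Access Administrator",
     "principalName": "iam-breakglass@defender.example",
     "principalType": "User"},
    {"scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-app",
     "roleDefinitionName": "Reader",
     "principalName": "auditor@defender.example",
     "principalType": "User"},
    {"scope": f"/subscriptions/{SUBSCRIPTION_ID}",
     "roleDefinitionName": "Contributor",
     "principalName": "build-pipeline",
     "principalType": "ServicePrincipal"},
]

# Roles that confer control of the subscription or of its access grants.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Contributor"}

# A B2B guest's UPN in the resource tenant carries the '#EXT#@' marker. Prefer the
# userType field when a directory export supplies it; the regex is the fallback.
GUEST_UPN = re.compile(r"#EXT#@", re.IGNORECASE)


def is_guest(assignment: dict) -> bool:
    """True for a B2B guest principal, by userType or by the #EXT# UPN marker."""
    if assignment.get("userType") == "Guest":
        return True
    return assignment.get("principalType") == "User" and bool(
        GUEST_UPN.search(assignment.get("principalName", "")))


def is_inherited(assignment: dict, subscription_id: str) -> bool:
    """True when the scope lies above the subscription (management group or root),
    i.e. the grant was not made inside the subscription itself."""
    prefix = f"/subscriptions/{subscription_id}".lower()
    return not assignment["scope"].lower().startswith(prefix)


def audit_subscription(assignments: list, subscription_id: str) -> dict:
    """Bucket privileged assignments into guest-held grants inside the subscription
    (alert) and tenant-level admin grants inherited into it (the list a subscription
    owner can read, so worth knowing about)."""
    findings = {"guest_privileged": [], "inherited_admins": []}
    for a in assignments:
        if a["roleDefinitionName"] not in PRIVILEGED_ROLES:
            continue
        entry = (a["principalName"], a["roleDefinitionName"])
        if is_inherited(a, subscription_id):
            findings["inherited_admins"].append(entry)
        elif is_guest(a):
            findings["guest_privileged"].append(entry)
    return findings


if __name__ == "__main__":
    result = audit_subscription(SAMPLE_ASSIGNMENTS, SUBSCRIPTION_ID)
    for name, role in result["guest_privileged"]:
        print(f"ALERT guest {name} holds {role} on subscription {SUBSCRIPTION_ID}")
    for name, role in result["inherited_admins"]:
        print(f"INFO  {role} for {name} is inherited from above the subscription")
```

Run against a real export, the `guest_privileged` bucket is the one to page on; the `inherited_admins` bucket is the set of accounts a guest owner would see, which is useful when deciding which tenant-level grants really need to live at the root management group.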
Why guest-created subscriptions are a growing Entra security concern
More work is needed to understand the full implications of this updated threat model, but what we already know is concerning. The risk is not hypothetical: BeyondTrust researchers have observed attackers actively abusing guest-created subscriptions in the wild. The threat is present and active, and the real danger is that it operates largely under the radar.
These actions are outside what most Azure administrators expect guest users to be able to do. Most security teams do not consider that guest users can create and control subscriptions, so this attack vector usually falls outside the typical Entra threat model, leaving an unrecognized, unexpected and easily reachable path to privilege.
This attack vector is especially relevant in B2B scenarios, where the home and resource tenants are often controlled by different organizations. Many organizations that use the guest functionality of Entra ID B2B appear to be unaware of the path to privilege this feature inadvertently enables.
Mitigation: how to prevent guest-created subscriptions from gaining a foothold
To mitigate this behavior, Microsoft lets organizations configure subscription policies that block subscriptions from being transferred into the tenant. This setting restricts subscription creation and transfer to explicitly permitted users, and Microsoft publishes support documentation[2] for this control.
In addition to enabling this policy, we recommend the following actions:
Audit all guest accounts in your environment and remove unnecessary guest capabilities wherever possible, for example by disabling guest invitations. Periodically review all subscriptions in the tenant to detect unexpected guest-created subscriptions and resources, and monitor all security center alerts in the Azure portal. Audit device access, where visibility is often inconsistent, especially if dynamic group rules are in use.
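Two of the recommendations above can be turned into code: the tenant-wide subscription policy, and the periodic check for guest-created subscriptions. The block below is an added example, not BeyondTrust’s code or tooling. It scans constructed Azure Activity Log records for control-plane operations performed by guest callers (subscription creation, role assignment writes, policy changes, managed identity creation), and builds the request body for the subscription policy endpoint. The field names follow the Activity Log schema as the author understands it, the operation names are the author’s assumptions and should be confirmed against your own tenant’s log, and the policy property names are as the author knows them from the `Microsoft.Subscription/policies/default` REST reference.

```python
# Constructed sample Activity Log records. Caller UPNs carry the '#EXT#@' marker for
# B2B guests. Operation names are the author's assumptions for these actions.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T09:12:00Z",
     "operationName": "Microsoft.Subscription/aliases/write",
     "caller": "mallory_attacker.example#EXT#@defender.onmicrosoft.com",
     "resourceId": "/providers/Microsoft.Subscription/aliases/guest-sub-01",
     "status": "Succeeded"},
    {"eventTimestamp": "2024-05-01T09:13:10Z",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "mallory_attacker.example#EXT#@defender.onmicrosoft.com",
     "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                   "/providers/Microsoft.Authorization/roleAssignments/aaaa",
     "status": "Succeeded"},
    {"eventTimestamp": "2024-05-01T09:20:45Z",
     "operationName": "Microsoft.Authorization/policyAssignments/delete",
     "caller": "mallory_attacker.example#EXT#@defender.onmicrosoft.com",
     "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                   "/providers/Microsoft.Authorization/policyAssignments/secure-baseline",
     "status": "Succeeded"},
    {"eventTimestamp": "2024-05-01T10:02:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "devops@defender.example",
     "resourceId": "/subscriptions/33333333-3333-3333-3333-333333333333"
                   "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01",
     "status": "Succeeded"},
    {"eventTimestamp": "2024-05-01T10:05:00Z",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "devops@defender.example",
     "resourceId": "/subscriptions/33333333-3333-3333-3333-333333333333"
                   "/providers/Microsoft.Authorization/roleAssignments/bbbb",
     "status": "Failed"},
]

# Control-plane operations a guest should essentially never perform in a resource
# tenant: subscription creation or transfer, access grants, policy changes,
# user-assigned managed identities.
WATCHED_PREFIXES = (
    "Microsoft.Subscription/",
    "Microsoft.Authorization/roleAssignments/",
    "Microsoft.Authorization/policyAssignments/",
    "Microsoft.Authorization/policyExemptions/",
    "Microsoft.ManagedIdentity/userAssignedIdentities/",
)


def is_guest_caller(caller: str, known_guests=frozenset()) -> bool:
    """Guest by explicit directory export (known_guests) or by the #EXT# UPN marker."""
    return caller in known_guests or "#EXT#@" in caller.upper()


def flag_guest_control_plane_events(events, known_guests=frozenset(),
                                    succeeded_only=True):
    """Return (timestamp, caller, operation, resourceId) for every watched
    operation performed by a guest. Failed attempts are skipped by default but
    can be included to catch probing."""
    findings = []
    for e in events:
        if succeeded_only and e.get("status") != "Succeeded":
            continue
        op = e.get("operationName", "")
        if not op.startswith(WATCHED_PREFIXES):
            continue
        if not is_guest_caller(e.get("caller", ""), known_guests):
            continue
        findings.append((e["eventTimestamp"], e["caller"], op, e.get("resourceId", "")))
    return findings


def subscription_policy_body(block_into=True, block_leaving=True, exempted=()):
    """Request body for the tenant-wide subscription policy described in the
    Microsoft documentation[2]; the endpoint, as the author knows it, is
    PUT https://management.azure.com/providers/Microsoft.Subscription/policies/default
    (api-version 2021-10-01). Verify property names against the current reference."""
    return {"properties": {
        "blockSubscriptionsIntoTenant": block_into,
        "blockSubscriptionsLeavingTenant": block_leaving,
        "exemptedPrincipals": list(exempted),
    }}


if __name__ == "__main__":
    for ts, who, op, res in flag_guest_control_plane_events(SAMPLE_EVENTS):
        print(f"{ts} ALERT guest {who} performed {op} on {res}")
```

Feed the detector with `az monitor activity-log list` output (or a Log Analytics export) and a guest list from `az ad user list --filter "userType eq 'Guest'"`; the `known_guests` set covers callers whose UPN does not carry the `#EXT#` marker. Enabling the subscription policy with both flags set is the primary control, and the detection is the backstop for tenants where it was not yet on.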
To help defenders, BeyondTrust Identity Security Insights provides built-in detection that flags subscriptions created by guest accounts, giving automated visibility into this anomalous behavior.
Identity Security Insights customers get a holistic view of all the identities across their identity fabric, including an integrated understanding of Entra guest accounts and their True Privilege™.
Big picture: identity misconfigurations are the new exploits
A guest-created subscription compromise is not unusual. It is one stark example of the many often-overlooked identity security weaknesses that, left unaddressed, can lead to a breach of today’s enterprise environments. Misconfigurations and weak default settings are the main entry points for threat actors looking for hidden paths into an environment.
Administrator accounts are not the only ones your security policy needs to cover. The B2B trust model, inherited claims and dynamic roles mean that every account is a potential launch point for privilege escalation. Revisit your guest access policies, visibility tools and subscription governance model now, before an unwelcome guest takes advantage of them.
To capture a snapshot of the potential identity-based risks in your environment, including those introduced through guest access, BeyondTrust offers a cost-free identity security risk assessment.
Note: This article was written and contributed by Simon Maxwell-Stewart, senior security researcher at BeyondTrust. Simon Maxwell-Stewart is a physics graduate of Oxford University with over 10 years of experience in big data environments. Before joining BeyondTrust he worked as a lead data scientist in healthcare, successfully taking multiple machine learning projects into production. Now the “resident graph nerd” on BeyondTrust’s security research team, Simon applies his graph analysis expertise to drive innovation in identity security.
[1] mnemonic. “Abusing dynamic groups in Azure AD for privilege escalation.” Available: https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/
[2] Microsoft. “Manage Azure subscription policies.” Available: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage-azure-subscription-policy