Microsoft Azure Security Advisory – Elevation of Privilege: Guest User Permissions after Deletion

Hi everyone,

I got an email from Microsoft last week that I just hadn't had time to write up yet, so here we go.

On the 3rd of April Microsoft mitigated an issue that could leave a guest user of an Azure AD tenant holding the subscription-level "Classic Co-Administrator" role after their guest account had been deleted from that tenant.

The workflow for this issue was as follows:

  • A guest user is invited into another Azure AD tenant.
  • An administrator of a subscription in that tenant grants the guest the "Classic Co-Administrator" role.
  • The guest account is deleted from the Azure AD tenant.
  • The guest continues to have access to the subscription despite the deletion.

Microsoft have mitigated the issue by rejecting requests made by Classic Co-Administrators whose account no longer exists in the tenant. Such requests now fail with an error stating that the caller is not authorized to perform the action and/or that the scope is invalid.

Microsoft have provided the following guidance:

  • If you legitimately require this access, re-invite these users to your tenant and grant them the least-privileged access their role requires using Azure RBAC rather than Classic Co-Administrator, since the classic administrator roles are soon to be deprecated.
  • Review your activity logs, cost management data and resource changes to confirm that configurations are as expected and that no unexpected changes have been made to your subscriptions.
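The two pieces of guidance above amount to a single audit: find every Classic Co-Administrator on your subscriptions, check whether that identity still exists in the tenant, and, where it does not, look at what the caller has done recently. The script below is an added example written for this post; it is not code from Microsoft's advisory or from the original author. It assumes the Az PowerShell modules (Az.Accounts, Az.Resources, Az.Monitor), an existing Connect-AzAccount session with read access to the subscriptions, and that Get-AzRoleAssignment reports classic co-admins with a RoleDefinitionName of "CoAdministrator" when -IncludeClassicAdministrators is set. The 90-day lookback reflects the retention limit of Get-AzActivityLog.

```powershell
# Added example (not from the Microsoft advisory or the original post): audit every
# subscription visible to the signed-in account for Classic Co-Administrators whose
# identity no longer exists in the tenant, and list their recent Activity Log entries.
# Assumes Az.Accounts, Az.Resources and Az.Monitor and an active Connect-AzAccount session.

param(
    [int]$LookbackDays = 90   # Get-AzActivityLog only retains 90 days of history
)

$findings = @()

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Classic administrators are only returned when -IncludeClassicAdministrators is set.
    # Co-admins are reported with RoleDefinitionName 'CoAdministrator'; the service/account
    # administrator is reported as 'ServiceAdministrator;AccountAdministrator' and is skipped.
    $classicAdmins = Get-AzRoleAssignment -IncludeClassicAdministrators |
        Where-Object { $_.RoleDefinitionName -eq 'CoAdministrator' }

    foreach ($admin in $classicAdmins) {
        $email = $admin.SignInName
        if ([string]::IsNullOrWhiteSpace($email)) { continue }

        # Guest accounts carry a UPN of the form user_domain.com#EXT#@tenant.onmicrosoft.com,
        # so match on the mail attribute first and fall back to UPN for member accounts.
        # Escape single quotes so the address cannot break the OData filter.
        $safeEmail = $email -replace "'", "''"
        $user = Get-AzADUser -Filter "mail eq '$safeEmail'"
        if (-not $user) {
            $user = Get-AzADUser -UserPrincipalName $email -ErrorAction SilentlyContinue
        }

        if ($user) { continue }   # identity still exists in the tenant: nothing to report

        # Orphaned Co-Administrator: the classic role persists but the identity is gone.
        # Pull whatever the caller did in the retained Activity Log window.
        $activity = @(Get-AzActivityLog -Caller $email `
                          -StartTime (Get-Date).AddDays(-$LookbackDays) `
                          -WarningAction SilentlyContinue)

        $findings += [pscustomobject]@{
            Subscription    = $sub.Name
            SubscriptionId  = $sub.Id
            CoAdministrator = $email
            RecentActions   = $activity.Count
            LastAction      = ($activity | Sort-Object EventTimestamp -Descending |
                                 Select-Object -First 1).EventTimestamp
            Operations      = ($activity | ForEach-Object { $_.OperationName.Value } |
                                 Sort-Object -Unique) -join '; '
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Classic Co-Administrators without a matching tenant account were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any row in the output is an identity that Microsoft's fix now blocks but that you still need to act on: confirm the listed operations are expected, and if the person still needs access, re-invite them and assign a scoped Azure RBAC role (for example with New-AzRoleAssignment on the narrowest resource group or resource) instead of restoring Classic Co-Administrator.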

Microsoft should have emailed you if any of your subscriptions could have been affected by this issue, but it is certainly good practice to carry out your own health checks around the time of events like these!

Microsoft provide numerous resources covering their security best practices and how to apply them, and they are all free. So, if this has prompted you to think more about how best to protect your tenant(s), check out some of their excellent content below:

Azure Security Fundamentals – Security Best Practices and Patterns

Azure Cloud Adoption Framework – Security Top 10

And finally, you can only know how best to protect a solution when you’re confident in how it works, so don’t be afraid to jump into any of Microsoft’s free learning pathways at Microsoft Learn.
