Mitigating Undetected Threats Within Your Entra Environment
Inviting guest users into your Entra ID tenant may expose you to significant risks.
A weakness in how Azure subscription management interacts with Entra B2B lets a guest user create subscriptions in their home tenant and place them in, or transfer them into, the tenant they have been invited to, while keeping the Owner role on each one. The only prerequisites are the ability to create subscriptions in the home tenant (a billing role) and a guest invitation to the target tenant. Once invited, the guest can create a subscription against their home billing account, direct it into the target tenant, and end up with a level of control that their guest role was never meant to grant. This is a quiet privilege escalation: a guest whose access should be limited gains Owner rights on an Azure subscription inside another organization's tenant.
Many organizations treat guest accounts as low-risk because their access is temporary and restricted. That perception creates gaps. A guest is an authenticated principal inside the resource tenant, which gives an attacker who controls one a foothold for reconnaissance, lateral movement, persistence in the organization's Entra ID and, in some situations, privilege escalation.
Standard threat models and best practices rarely consider what happens when an unprivileged guest brings their own subscription into a tenant. The risk therefore tends to sit outside existing organizational controls and goes unrecognized by security teams.
Mechanisms of Compromising Your Entra ID Tenant via Guest User Accounts
The ability of guest users to establish subscription footholds rests on the way Azure assigns billing permissions: at the billing account level, not in the Entra directory. Security teams typically focus on Entra directory roles (such as Global Administrator) and Azure RBAC roles (such as Owner); billing roles are a third, often-overlooked set of permissions.
Entra directory roles and Azure RBAC roles govern identities and resources inside a tenant; billing roles operate at the billing account level, outside that boundary. A user with a suitable billing role can create a subscription, or transfer one they own, into a tenant where they are only a guest, and they hold Owner on it there. Auditing directory roles alone gives no visibility into these subscription movements.
When a B2B guest is invited into a resource tenant, they authenticate in their home tenant and are federated into the resource tenant. This is convenient and cheap, but the resource tenant only controls how strongly the guest authenticated if it enforces its own Conditional Access policies on guests or explicitly trusts the home tenant's MFA claims through cross-tenant access settings. Organizations tend to compensate by granting guests as little as possible, yet a guest who holds billing rights in their home tenant can sidestep that effort and become a subscription Owner in Azure anyway.
The attacker does not need to compromise anyone else's billing rights to start: a pay-as-you-go or free Azure tenant, created in minutes, gives its signup user ownership of the billing account, and a guest from that tenant carries the capability described here. Furthermore, by default any user, including guests, can invite external accounts into the directory, so an attacker holding any compromised account can invite a billing-capable account of their own into your environment.
Steps an Attacker Might Take to Obtain Elevated Access Utilizing an Unprivileged Entra Guest Account:
- The attacker obtains an account that holds a billing role able to create subscriptions, or that is Owner of an existing subscription, either by:
  - creating their own Entra tenant through an Azure free trial (the signup user receives ownership of the billing account), or
  - compromising an existing user who holds a privileged billing role or subscription ownership in some tenant.
- The attacker gets that account invited as a guest into the target Entra tenant. By default, any member user or guest can invite another guest.
- The attacker logs into the Azure Portal and accesses their own home directory, which they control fully.
- The attacker selects “Subscriptions” and initiates the process to “Add +”.
- The attacker accesses the “Advanced” tab, setting the defender’s directory as the target.
- The attacker creates the subscription. It does not appear in the attacker's tenant; it is created in the defender's tenant, under the tenant root management group (or the configured default management group).
- The attacker is automatically granted the Owner RBAC role on the new subscription.
Real-World Risks: Capabilities of a Guest with a New Subscription
Upon acquiring a subscription with Owner permissions within another organization, an attacker can conduct activities typically restricted due to their limited role. These actions include:
- Identifying root management group administrators. Guests usually cannot enumerate other users in a tenant, but as Owner of a subscription the guest can read the subscription's role assignments under Access control (IAM), including assignments inherited from the root management group. That reveals the tenant's highest-privileged administrators, prime targets for follow-on attacks or social engineering.
- Altering Azure Policy on the subscription. Policy assignments are meant to enforce security standards and surface non-compliance. A subscription Owner can modify or remove assignments made at the subscription scope and can create exemptions, at or below the subscription scope, for assignments inherited from a management group, cutting off the compliance signals defenders rely on and letting malicious activity proceed unnoticed.
- Creating user-assigned managed identities in the Entra directory. A guest with subscription Owner rights can create a user-assigned managed identity in their subscription, which is backed by a service principal in the resource tenant's Entra ID. That identity persists independently of the guest account, can be granted roles beyond the subscription by anyone with the rights to do so, blends in with legitimate workload identities, and can serve as a lure in targeted permission-grant phishing against real administrators.
- Joining devices to Entra ID and abusing Conditional Access. Owner rights let the attacker deploy virtual machines in the subscription and join them to Entra ID; the resulting device objects live in the directory alongside corporate devices. Where dynamic device groups or Conditional Access rules key off device attributes the attacker controls, these devices may be treated as corporate devices and used to satisfy controls that are supposed to gate access to sensitive assets.
The Rising Concern of Guest Subscription Creation in Entra Security
Working through this threat model makes the risk plain: any guest account federated into your tenant is a potential privilege escalation vector. The risk is not theoretical; evidence indicates attackers are actively exploiting guest-driven subscription creation worldwide. The threat is persistent and largely overlooked by security teams.
This behavior is well outside what administrators expect of guest accounts. Most Azure administrators do not anticipate that a guest can create and manage subscriptions in their tenant, which keeps the vector out of typical Entra threat models and leaves it underappreciated and easy to use.
The exposure is most common in B2B contexts, where home and resource tenants routinely span organizational boundaries. Many organizations using Entra ID's B2B features are probably unaware of the escalation paths those features open.
Mitigation Strategies: Preventing Guest Subscription Accounts from Establishing a Foothold
Microsoft provides a tenant-level subscription policy that controls whether subscriptions can enter or leave your Entra tenant. Setting "Subscriptions entering Microsoft Entra tenant" to Deny blocks both creation into and transfer into the tenant, and an exemption list limits the operation to pre-approved principals; the matching "leaving" setting stops your subscriptions being moved out. Configuring the policy requires a Global Administrator, and it does not retroactively remove subscriptions a guest has already brought in. Microsoft documents the setting in detail.
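The same policy can be applied from a script rather than the portal. The block below is an added example written for this article, not code from the original post or from Microsoft; it uses the Az PowerShell module and the Microsoft.Subscription REST endpoint and api-version as I know them, so verify the path against the current documentation if the call is rejected. The exempted principal object ID is a placeholder.

```powershell
# Added example, not code from the original article or from Microsoft's docs.
# Purpose: read the tenant-level subscription policy, then set it so that
# subscriptions can neither enter nor leave this tenant unless the acting
# principal is on an explicit exemption list (the equivalent of setting
# "Subscriptions entering Microsoft Entra tenant" to Deny in the portal).
# Assumes: Az.Accounts module, Connect-AzAccount as a Global Administrator with
# elevated access to the root scope, and that the REST path and api-version
# below (the ones I know of) are still current.

$PolicyPath = '/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01'

# Object IDs of principals still allowed to create or move subscriptions here.
# Placeholder value; replace with your platform team's group or break-glass accounts.
$ExemptedPrincipals = @(
    'aaaaaaaa-0000-0000-0000-000000000001'
)

function Get-TenantSubscriptionPolicy {
    $resp = Invoke-AzRestMethod -Method GET -Path $PolicyPath
    if ($resp.StatusCode -ne 200) {
        throw "Reading subscription policy failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    return ($resp.Content | ConvertFrom-Json).properties
}

function Set-TenantSubscriptionPolicy {
    param([string[]]$Exempted)
    $payload = @{
        properties = @{
            blockSubscriptionsIntoTenant    = $true   # no creation into / transfer into this tenant
            blockSubscriptionsLeavingTenant = $true   # no transfer of our subscriptions elsewhere
            exemptedPrincipals              = @($Exempted)
        }
    } | ConvertTo-Json -Depth 4

    $resp = Invoke-AzRestMethod -Method PUT -Path $PolicyPath -Payload $payload
    if ($resp.StatusCode -notin @(200, 201)) {
        throw "Updating subscription policy failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    return ($resp.Content | ConvertFrom-Json).properties
}

Write-Host 'Current policy:'
Get-TenantSubscriptionPolicy | Format-List

Set-TenantSubscriptionPolicy -Exempted $ExemptedPrincipals | Out-Null

# Verify by reading back rather than trusting the PUT response alone.
$readBack = Get-TenantSubscriptionPolicy
if (-not $readBack.blockSubscriptionsIntoTenant) {
    throw 'Policy readback shows subscriptions can still enter the tenant'
}
Write-Host 'Policy now in force:'
$readBack | Format-List
```

Keep the exemption list short and made of principals you already monitor closely; every principal on it can bring a subscription into the tenant exactly as the guest in the scenario above does, so the list is itself an escalation path worth reviewing.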
In conjunction with policy implementation, organizations are advised to pursue the following actions:
- Audit every guest account in your environment and remove the ones that are no longer needed.
- Tighten guest access controls; in particular, restrict guest invitations (External Identities > External collaboration settings in the Entra admin center) so that guests, and ideally ordinary members, cannot invite further guests.
- Monitor all subscriptions in the tenant regularly, compare them against your approved inventory, and investigate any subscription created or owned by a guest, along with the resources inside it.
- Review Microsoft Defender for Cloud (formerly Security Center) alerts across the tenant. A guest who owns a subscription can weaken coverage inside that subscription, so do not rely on its alerts alone; some will still surface even when visibility is inconsistent.
- Audit device access, particularly where dynamic group rules grant access based on device attributes.
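The guest audit and the subscription sweep from the list above can be run as one scheduled job. This is an added example written for this article, not code from the original post or from BeyondTrust; it relies on the Az.Accounts and Az.Resources modules, an existing Connect-AzAccount session, and an approved-subscription list that is a placeholder here. It flags two things: subscriptions missing from your inventory, and Owner role assignments held by B2B guests (recognizable by the #EXT#@ marker in their UPN in the resource tenant).

```powershell
# Added example, not code from the original article or from BeyondTrust.
# Purpose: inventory guest accounts, then walk every subscription visible to
# the signed-in context and flag (a) subscriptions missing from an approved
# inventory and (b) Owner role assignments held by B2B guest users.
# Assumes: Az.Accounts and Az.Resources modules, an existing Connect-AzAccount
# session with rights to read role assignments, and that $ApprovedSubscriptionIds
# is filled in from your own CMDB. Elevate access first if you want to cover
# subscriptions you are not otherwise assigned to.

# Placeholder inventory of subscriptions you know about; replace with real IDs.
$ApprovedSubscriptionIds = @(
    '11111111-1111-1111-1111-111111111111',
    '22222222-2222-2222-2222-222222222222'
)

function Test-GuestSignInName {
    # B2B guests appear in the resource tenant with a UPN of the form
    # alice_contoso.com#EXT#@fabrikam.onmicrosoft.com; '#EXT#@' is the marker.
    param([string]$SignInName)
    return ($SignInName -like '*#EXT#@*')
}

function Get-GuestUserInventory {
    # Server-side filter on userType so we do not page through every member.
    Get-AzADUser -Filter "userType eq 'Guest'" |
        Select-Object DisplayName, UserPrincipalName, Id
}

function Get-SubscriptionFindings {
    param([string[]]$Approved)
    $findings = @()
    foreach ($sub in Get-AzSubscription) {
        if ($sub.Id -notin $Approved) {
            $findings += [pscustomobject]@{
                Finding        = 'SubscriptionNotInInventory'
                Subscription   = $sub.Name
                SubscriptionId = $sub.Id
                Principal      = $null
                Scope          = $null
            }
        }

        # Role assignment queries run against the subscription's own ARM scope.
        Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop | Out-Null
        $owners = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" `
                                       -RoleDefinitionName 'Owner' -ErrorAction SilentlyContinue
        foreach ($ra in $owners) {
            if ($ra.ObjectType -eq 'User' -and (Test-GuestSignInName $ra.SignInName)) {
                $findings += [pscustomobject]@{
                    Finding        = 'GuestIsOwner'
                    Subscription   = $sub.Name
                    SubscriptionId = $sub.Id
                    Principal      = $ra.SignInName
                    # Scope equals the subscription itself when assigned directly,
                    # which is what a guest-created subscription looks like.
                    Scope          = $ra.Scope
                }
            }
        }
    }
    return $findings
}

Write-Host 'Guest accounts in the directory:'
Get-GuestUserInventory | Format-Table -AutoSize

$results = Get-SubscriptionFindings -Approved $ApprovedSubscriptionIds
if (@($results).Count -eq 0) {
    Write-Host 'No unexpected subscriptions and no guest Owners found.'
} else {
    $results | Format-Table -AutoSize
    # Non-zero exit so a scheduled job can raise an alert on it.
    exit 1
}
```

A GuestIsOwner finding whose Scope is the subscription itself, on a subscription that is also not in your inventory, matches the attack described in this article and should be treated as an incident rather than a hygiene item: snapshot the subscription's Activity Log and role assignments before removing the guest, because the same principal may already have created managed identities or devices inside it.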
BeyondTrust Identity Security Insights equips defenders with built-in detection mechanisms to flag subscriptions initiated by guest accounts, delivering automated visibility into these non-standard behaviors.
Broader Context: Identity Misconfigurations as a New Exploit Vector
Guest-generated subscription compromises are not isolated incidents; they are one example of the identity security weaknesses that threaten the integrity of modern enterprise environments when left unaddressed. Misconfigurations and permissive defaults give threat actors quiet routes into corporate environments.
Security policies must extend beyond administrative accounts. In an environment characterized by B2B trust models and inherited billing rights, every account represents a potential escalation point for privilege. Organizations must reassess their policies concerning guest access, visibility mechanisms, and subscription governance to avoid exploitation by compromised guest accounts.
To evaluate potential identity-based risks, including those arising from guest access, BeyondTrust offers a no-cost Identity Security Risk Assessment.