Azure audit iam guest users in use remediation

Using Console

Using CLI

The “Guest Users in Use” misconfiguration in Azure refers to the presence of external users who have access to your Azure Active Directory tenant. To remediate this misconfiguration, you can follow the below steps using Azure CLI:

Run the following command to list all the external/guest users in your Azure Active Directory tenant:
```
az ad user list --query "[?userType=='Guest']"
```
Identify the guest users that should not have access to your Azure resources.
Run the following command to remove a guest user:
```
az ad user delete --id <guest-user-object-id>
```
Replace <guest-user-object-id> with the object ID of the guest user you want to remove.
Repeat step 3 for all the guest users that should not have access to your Azure resources.
After removing the guest users, you can also disable external sharing for your Azure Active Directory tenant by running the following command:
```
az ad domaingroup update --id <object-id-of-the-external-users-group> --set "securityEnabled=true"
```
Replace <object-id-of-the-external-users-group> with the object ID of the group that contains all the external users in your Azure Active Directory tenant.

By following these steps, you can remediate the “Guest Users in Use” misconfiguration in Azure using Azure CLI.

Using Python

The misconfiguration “Guest Users In Use” occurs when guest users are granted access to Azure resources. To remediate this issue, we can use the Azure Python SDK to write a script that will identify the guest users and remove their access.Here are the steps to remediate “Guest Users In Use” for Azure using Python:

Install the Azure Python SDK by running the command pip install azure-mgmt-resource.
Authenticate with Azure using your Azure account credentials. You can do this by using the ServicePrincipalCredentials class from the Azure Python SDK. Here’s an example:

from azure.common.credentials import ServicePrincipalCredentials

TENANT_ID = '<your tenant id>'
CLIENT_ID = '<your client id>'
CLIENT_SECRET = '<your client secret>'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT_ID,
    secret=CLIENT_SECRET,
    tenant=TENANT_ID
)

Use the Azure Python SDK to list all the guest users in your Azure AD tenant. You can do this by using the GraphRbacManagementClient class from the Azure Python SDK. Here’s an example:

from azure.graphrbac import GraphRbacManagementClient
from azure.graphrbac.models import UserFilter

graph_client = GraphRbacManagementClient(credentials, TENANT_ID)

guest_users = graph_client.users.list(filter="userType eq 'Guest'")
for guest_user in guest_users:
    print(guest_user.userPrincipalName)

Use the Azure Python SDK to remove the guest users’ access to Azure resources. You can do this by using the RoleAssignmentsOperations class from the Azure Python SDK. Here’s an example:

from azure.mgmt.authorization import AuthorizationManagementClient

authorization_client = AuthorizationManagementClient(credentials, subscription_id)

for guest_user in guest_users:
    role_assignments = authorization_client.role_assignments.list_for_principal(
        guest_user.object_id,
        filter="atScope()",
        expand="roleDefinition"
    )
    for role_assignment in role_assignments:
        authorization_client.role_assignments.delete(
            role_assignment.scope,
            role_assignment.name
        )

This script will remove the guest users’ access to all Azure resources in your subscription. You can schedule this script to run periodically to ensure that guest users do not have access to your Azure resources.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Azure audit iam guest users in use remediation

Triage and Remediation

Remediation