Article Details
Scrape Timestamp (UTC): 2025-06-25 10:33:40.109
Source: https://thehackernews.com/2025/06/beware-hidden-risk-in-your-entra.html
Original Article Text
Beware the Hidden Risk in Your Entra Environment

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk. A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.

All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access.

Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource tenant. It can allow a threat actor to achieve unauthorized reconnaissance and persistence in the defender's Entra ID, and advance privilege escalation in certain scenarios. Typical threat models and best practices don't account for an unprivileged guest creating their own subscription within your tenant, so this risk may not only exist outside your organization's controls; it may be off your security team's radar as well.

How to Compromise Your Entra ID Tenant with a Guest User Account

Guest-made subscription footholds exploit the fact that Microsoft's billing permissions (Enterprise Agreement or Microsoft Customer Agreement) are scoped at the billing account, not the Entra directory. Most security teams think about Azure permissions as either Entra Directory Roles (such as Global Administrator) or Azure RBAC Roles (such as Owner). But there is another set of permissions that gets overlooked: Billing Roles.
While Entra Directory and Azure RBAC roles focus on managing permissions around identities and access to resources, billing roles operate at the billing account level, which exists outside the well-understood Azure tenant authentication and authorization boundaries. A user with the right billing role can spin up or transfer subscriptions from their home tenant to gain control inside a target tenant, and a security team that is strictly auditing Entra Directory roles won't gain visibility of these subscriptions in a standard Entra permission review.

When a B2B guest user is invited to a resource tenant, they access the tenant via federation from their home tenant. This is a cost-saving measure, the trade-off being that your tenant cannot enforce authentication controls like MFA. As such, defenders usually try to limit the privileges and access of guests, as they are inherently less securable. However, if the guest has a valid billing role in their home tenant, they can use it to become a subscription owner inside Azure. This is also true for guest users who exist in pay-as-you-go Azure tenants that an attacker could spin up in just a few minutes. And, by default, any user, including guests, can invite external users into the directory. This means an attacker could leverage a compromised account to invite a user with the correct billing permissions into your environment.

How an Attacker can Gain Elevated Access Using an Unprivileged Entra Guest Account:

Real-World Risk: What a Restless Guest Can Do with a New Subscription

Once an attacker has a subscription with Owner permissions within another organization's tenant, they can use that access to perform actions that would normally be blocked by their limited role.
These include:

Why Guest Subscription Creation Is a Growing Concern for Entra Security

While more work is required to understand the true implications of this updated threat model, what we already know is concerning: any guest account federated into your tenant may represent a path to privilege. The risk is not hypothetical. Researchers at BeyondTrust have observed attackers actively abusing guest-based subscription creation in the wild. The threat is present, active, and the real danger here lies in the fact that it's largely under the radar.

These actions fall outside what most Azure administrators expect a guest user to be capable of. Most security teams don't account for guest users being able to create and control subscriptions. As a result, this attack vector often falls outside of typical Entra threat models, making this path to privilege under-recognized, unexpected, and dangerously accessible. This attack vector is extremely common in B2B scenarios, where home and resource tenants are often controlled by different organizations. We suspect many organizations leveraging Entra ID B2B Guest features are unaware of the possible paths to privilege that this feature inadvertently enables.

Mitigations: How to Prevent Guest Subscription Accounts from Gaining a Foothold

To mitigate this behavior, Microsoft allows organizations to configure Subscription Policies to block guests from transferring subscriptions into their tenant. This setting restricts subscription creation to explicitly permitted users only, and Microsoft has published supporting documentation[2] for this control.

In addition to enabling this policy, we recommend the following actions:

To assist defenders, BeyondTrust Identity Security Insights provides built-in detections to flag subscriptions created by guest accounts, offering automated visibility into these unusual behaviors.
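The two defensive checks the mitigation section describes, reviewing the tenant's subscription policy and flagging subscriptions owned by guest accounts, are shown below as an added example. It is not code from the article or from BeyondTrust. It assumes input records shaped like Microsoft Graph user objects (userType of "Guest", a userPrincipalName containing "#EXT#") and like the output of `az role assignment list --all`; the policy document is assumed to follow the Microsoft.Subscription/policies/default REST resource with the properties blockSubscriptionsIntoTenant, blockSubscriptionsLeavingTenant and exemptedPrincipals, which should be verified against the Microsoft documentation the article cites. All users, assignments and policies below are constructed sample data.

```python
"""Added example (not from the article or BeyondTrust): review a tenant's
subscription policy and flag subscriptions on which an Entra guest holds Owner.

Assumed input shapes: Graph user objects, `az role assignment list --all` records,
and the Microsoft.Subscription/policies/default document. All data is constructed.
"""
import re
from dataclasses import dataclass

# A subscription-root scope looks like "/subscriptions/<guid>" with nothing after it.
SUBSCRIPTION_ROOT = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})$")

# Constructed Graph user records for the resource tenant.
USERS = [
    {"id": "u-1", "userPrincipalName": "alice@contoso.example", "userType": "Member"},
    {"id": "u-2", "userPrincipalName": "bob_partner.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "u-3", "userPrincipalName": "carol@contoso.example", "userType": "Member"},
]

# Constructed role assignments in the shape of `az role assignment list --all`.
ROLE_ASSIGNMENTS = [
    {"principalId": "u-1", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalId": "u-2", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
    {"principalId": "u-2", "principalType": "User", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-shared"},
    {"principalId": "u-3", "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
]

# Constructed policy documents (assumed property names, see lead-in).
WEAK_POLICY = {"properties": {"blockSubscriptionsIntoTenant": False,
                              "blockSubscriptionsLeavingTenant": False,
                              "exemptedPrincipals": []}}
HARDENED_POLICY = {"properties": {"blockSubscriptionsIntoTenant": True,
                                  "blockSubscriptionsLeavingTenant": True,
                                  "exemptedPrincipals": ["u-1"]}}


@dataclass(frozen=True)
class Finding:
    subscription_id: str
    guest_upn: str
    role: str


def guest_principals(users):
    """Map object id -> UPN for every guest (by userType or the #EXT# UPN marker)."""
    return {u["id"]: u["userPrincipalName"] for u in users
            if u.get("userType") == "Guest" or "#EXT#" in u.get("userPrincipalName", "")}


def guest_owned_subscriptions(assignments, users, flagged_roles=("Owner",)):
    """Return one Finding per subscription where a guest holds a flagged role at the root."""
    guests = guest_principals(users)
    findings = []
    for a in assignments:
        match = SUBSCRIPTION_ROOT.match(a.get("scope", ""))
        if not match or a.get("principalType") != "User":
            continue  # resource-group or resource scopes are out of scope here
        if a.get("roleDefinitionName") not in flagged_roles:
            continue
        upn = guests.get(a.get("principalId"))
        if upn is None:
            continue  # member account, not a guest
        findings.append(Finding(match.group(1), upn, a["roleDefinitionName"]))
    return findings


def policy_gaps(policy, users):
    """List weaknesses in the subscription policy: transfers allowed, or a guest exempted."""
    props = policy.get("properties", {})
    guests = guest_principals(users)
    gaps = []
    if not props.get("blockSubscriptionsIntoTenant"):
        gaps.append("blockSubscriptionsIntoTenant is off: any user, guests included, can transfer a subscription in")
    if not props.get("blockSubscriptionsLeavingTenant"):
        gaps.append("blockSubscriptionsLeavingTenant is off: subscriptions can be moved out of the tenant")
    for principal_id in props.get("exemptedPrincipals", []):
        if principal_id in guests:
            gaps.append(f"exempted principal {guests[principal_id]} is a guest")
    return gaps


if __name__ == "__main__":
    for f in guest_owned_subscriptions(ROLE_ASSIGNMENTS, USERS):
        print(f"guest {f.guest_upn} holds {f.role} on subscription {f.subscription_id}")
    for gap in policy_gaps(WEAK_POLICY, USERS):
        print("policy gap:", gap)
```

On the constructed data the script reports the guest-owned subscription 22222222-2222-2222-2222-222222222222 and two policy gaps for the weak policy; the hardened policy produces none. In a real review, feed it the live output of `az role assignment list --all` and a Graph user export, and treat any exempted principal that is a guest as a finding in its own right, since the exemption list is where a blocking policy is most easily undermined.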
BeyondTrust Identity Security Insights customers can gain a holistic view of all Identities across their entire identity fabric. This includes gaining a consolidated understanding of Entra Guest accounts and their True Privilege™.

The Bigger Picture: Identity Misconfigurations Are the New Exploits

Guest-made subscription compromise isn't an anomaly; it's a stark example of the many overlooked identity security weaknesses that can undermine the modern enterprise environment, if not adequately addressed. Misconfigurations and weak default settings are prime access points for threat actors who are looking for the hidden paths into your environment. It isn't just your admin accounts that need to be included in your security policies anymore. B2B trust models, inherited billing rights, and dynamic roles mean that every account is a potential launch point for privilege escalation. Re-examine your guest access policies, visibility tools, and subscription governance models now, before these Restless Guests take advantage.

To gain a snapshot of potential identity-based risks in your environment, including those introduced through guest access, BeyondTrust offers a no-cost Identity Security Risk Assessment.

Note: This article is expertly written and contributed by Simon Maxwell-Stewart, Senior Security Researcher at BeyondTrust. Simon Maxwell-Stewart is a University of Oxford physics graduate with over a decade of experience in the big data environment. Before joining BeyondTrust, he worked as a Lead Data Scientist in healthcare, and successfully brought multiple machine learning projects into production. Now working as a "resident graph nerd" on BeyondTrust's security research team, Simon applies his expertise in graph analysis to help drive identity security innovation.
Daily Brief Summary
Guest users can exploit Microsoft Entra's subscription handling to create and transfer subscriptions, retaining ownership, and escalating privileges.
The risk lies in the fact that guest users can leverage billing permissions scoped at their home tenant's billing account to initiate control in a target tenant.
Normal security models that focus on Entra Directory or Azure RBAC roles do not typically cover billing roles, leaving a blind spot in security protocols.
Attackers can exploit this oversight by using compromised or federated guest accounts to gain unauthorized access and maintain persistence within a tenant.
Most organizations are unaware of the elevated access threat posed by seemingly low-risk federated guest accounts.
Microsoft provides Subscription Policies as a mitigation tactic, allowing organizations to block transfers by unauthorized users, enhancing control over guest permissions.
BeyondTrust suggests regular reviews of guest access policies and subscription governance to prevent such exploits and offers tools for detecting unusual subscription activities by guest accounts.
Simon Maxwell-Stewart highlights the importance of re-evaluating the security implications of identity misconfigurations and weak default settings in modern enterprise environments.