Full Report
Researchers reveal how guest accounts with billing roles can create Azure subscriptions inside external tenants, gaining unexpected Owner access and opening hidden privilege risks.
Analysis Summary
# Vulnerability: Guest User Privilege Escalation in Microsoft Entra Design
## CVE Details
- CVE ID: Not explicitly stated in the provided text.
- CVSS Score: Not explicitly stated in the provided text.
- CWE: Not explicitly stated in the provided text.
## Affected Systems
- Products: Microsoft Entra (Azure Identity Management infrastructure)
- Versions: Not specified; relates to design configuration affecting guest user roles.
- Configurations: Guest users assigned roles that include billing permissions within an external tenant.
## Vulnerability Description
By design, Microsoft Entra/Azure allows a guest user account that has been assigned a billing-related role in an external tenant to create new Azure subscriptions inside that tenant. Because the creator of a subscription becomes its Owner, the guest is granted full control over the new subscription, a level of privilege that exceeds the scope of the original invitation.
## Exploitation
- Status: Not explicitly stated (Implied theoretical risk raised by researchers).
- Complexity: Likely Low to Medium, as it depends on specific permission assignment (billing roles).
- Attack Vector: Indirect (Leveraging legitimate identity workflows).
## Impact
- Confidentiality: Potential exposure if subscription creation leads to access to sensitive data within new resources.
- Integrity: High, as the user gains 'Owner' rights, allowing full modification or deletion of resources within the new subscription.
- Availability: High, due to the ability to disrupt or disable newly created Azure services.
## Remediation
### Patches
- No specific patch information was provided in the source text. Remediation is likely a configuration change or an update to Entra design policies.
### Workarounds
- Restrict the roles assigned to guest users to the minimum necessary, paying particular attention to roles that carry billing or subscription-creation permissions, and verify that no guest-held role implicitly allows subscription creation in the external tenant.
## Detection
- Indicators of Compromise: Unfamiliar Azure subscriptions being created under a tenant, particularly those created or owned by accounts designated as external guests.
- Detection methods and tools: Monitoring Azure Activity Logs for subscription creation events initiated by Guest principal types.
## References
- Vendor advisories: Not present in the text.
- Relevant links - defanged: hxxps://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/