Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say

Security researchers warn that a by-design feature of Microsoft Entra lets guest (B2B) users create Azure subscriptions and transfer them into a tenant, ending up as Owner of the transferred subscription and potentially gaining broad control over Azure resources. Because this is default behavior, organizations should understand it and put controls in place to mitigate the associated risk. #MicrosoftEntra #AzureSubscriptions

Keypoints

  • Guest users can create Azure subscriptions and transfer them into a tenant without holding any Azure RBAC or Entra administrative role in that tenant.
  • This is possible because subscription creation is governed by billing roles, which are separate from the resource (RBAC) permissions that govern what a user can do inside a tenant.
  • The guest becomes Owner of the transferred subscription and, from that position, can disable security controls and establish persistence (backdoors) in the environment.
  • Microsoft confirms the behavior is intentional, but the tenant-level policies that block subscriptions entering or leaving a tenant are not enabled by default.
  • Recommended mitigations include auditing guest accounts and their role assignments, enabling the subscription transfer policies, and monitoring for unusual subscription creation or transfer activity.
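
The following PowerShell script is an added example, not code from the article or from Microsoft. It performs the two checks the keypoints above recommend: it reads the tenant-wide subscription transfer policy (Microsoft.Subscription/policies/default) and lists guest principals that hold Owner on any subscription. It assumes the Az PowerShell module, an existing Connect-AzAccount session in the tenant under review, and rights at the tenant root scope to read (and, with -Enforce, write) the policy; the api-version string is an assumption taken from the Subscription REST API reference.

```powershell
# Added example (not from the article or from Microsoft). Requires the Az module and an
# active Connect-AzAccount session. Reading/writing the tenant policy needs tenant-root
# rights (e.g. a Global Administrator with elevated access). Writing is opt-in via -Enforce.
param(
    [switch]$Enforce   # set to write the blocking policy; otherwise the script is read-only
)

# Tenant-wide subscription policy. The api-version is an assumption from the Subscription
# REST API reference; adjust it if your tenant rejects the request.
$policyPath = "/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01"

$resp   = Invoke-AzRestMethod -Path $policyPath -Method GET
$policy = ($resp.Content | ConvertFrom-Json).properties

Write-Host "Subscriptions entering tenant blocked : $($policy.blockSubscriptionsIntoTenant)"
Write-Host "Subscriptions leaving tenant blocked  : $($policy.blockSubscriptionsLeavingTenant)"
Write-Host "Exempted principals                   : $($policy.exemptedPrincipals -join ', ')"

if (-not $policy.blockSubscriptionsIntoTenant) {
    Write-Warning "Transfers INTO this tenant are allowed: a guest holding a billing role elsewhere can land an Owner-controlled subscription here."
}

if ($Enforce) {
    # Block both directions. exemptedPrincipals lets a named break-glass identity keep
    # the ability to move subscriptions; leave it empty to exempt nobody.
    $body = @{
        properties = @{
            blockSubscriptionsIntoTenant    = $true
            blockSubscriptionsLeavingTenant = $true
            exemptedPrincipals              = @()   # object IDs of principals allowed to transfer
        }
    } | ConvertTo-Json -Depth 5
    $null = Invoke-AzRestMethod -Path $policyPath -Method PUT -Payload $body
    Write-Host "Tenant subscription transfer policy updated."
}

# Guest accounts holding Owner on any subscription. Guests are matched by Entra userType;
# the '#EXT#' UPN pattern is a second signal for assignments whose SignInName is populated.
$guestIds = @{}
Get-AzADUser -Filter "userType eq 'Guest'" | ForEach-Object { $guestIds[$_.Id] = $_.UserPrincipalName }

$findings = foreach ($sub in Get-AzSubscription) {
    $null = Set-AzContext -SubscriptionId $sub.Id
    Get-AzRoleAssignment -RoleDefinitionName Owner |
        Where-Object { $guestIds.ContainsKey($_.ObjectId) -or $_.SignInName -like '*#EXT#*' } |
        ForEach-Object {
            [pscustomobject]@{
                Subscription = $sub.Name
                Principal    = if ($_.SignInName) { $_.SignInName } else { $_.ObjectId }
                Scope        = $_.Scope   # inherited assignments show a management-group or root scope
            }
        }
}

if ($findings) {
    Write-Warning "Guest principals with Owner on subscriptions:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No guest principals hold Owner on any subscription visible to this session."
}
```

Run it read-only first (`.\Check-GuestSubscriptionRisk.ps1`, a hypothetical file name) and review the output; only pass -Enforce once you have decided which break-glass principals, if any, belong in exemptedPrincipals, because blocking transfers in both directions also affects legitimate subscription moves.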

Read More: https://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/