Policy: Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict invitations to users with specific administrative roles only.

Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.

By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.

Targets

This policy targets the following resource types:

Azure > Active Directory > Directory

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v2.0 > 01 - Identity and Access Management

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation

Controls

Setting this policy configures this control:

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v2.0 > 01 - Identity and Access Management`
Valid Values [YAML]	`Per Azure > CIS v2.0 > 01 - Identity and Access Management` `Skip` `Check: Benchmark using attestation`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071602

Policy Type URI

tmod:@turbot/azure-cisv2-0#/policy/types/r0116

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv2-0#/policy/types/r0116") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/r0116'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/r0116'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv2-0#/policy/types/r0116"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv2-0#/policy/types/r0116"

Policy: Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

Targets

This policy targets the following resource types:

Azure > Active Directory > Directory

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v2.0 > 01 - Identity and Access Management

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation

Controls

Setting this policy configures this control:

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v2.0 > 01 - Identity and Access Management`
Valid Values [YAML]	`Per Azure > CIS v2.0 > 01 - Identity and Access Management` `Skip` `Check: Benchmark using attestation`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071602

Policy Type URI

tmod:@turbot/azure-cisv2-0#/policy/types/r0116

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv2-0#/policy/types/r0116") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/r0116'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/r0116'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv2-0#/policy/types/r0116"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv2-0#/policy/types/r0116"

Policy: Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

Targets

Primary Policy

Related Policies

Controls

Policy Specification

Category

In Your Workspace

Developers

Policy: Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

Targets

Primary Policy

Related Policies

Controls

Policy Specification

Category

In Your Workspace

Developers