
Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say – Source:hackread.com


Source: hackread.com – Author: Waqas.

Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit.

The issue is that guest users invited into an organization’s Azure tenant can create and transfer subscriptions inside that tenant without having any direct admin privileges there. Once they do, they gain “Owner” rights over that subscription, opening up a surprising set of attack opportunities that many Azure administrators might never have considered.

What’s Happening Behind the Scenes

Organizations frequently invite external partners or collaborators into their Azure environments as “guest users.” Typically, these guests are assigned limited access to prevent damage if their accounts are compromised. But BeyondTrust’s findings, shared with Hackread.com, reveal that under certain conditions these guests can spin up entire Azure subscriptions inside the host tenant, even without explicit permissions in that environment.

How? It all comes down to Microsoft’s billing permissions. If the guest holds specific billing roles in their home tenant (for example, they created a free trial account), they can use that authority to create subscriptions and then move them into any other tenant they are invited to. By doing so, they effectively become “Owners” of those subscriptions, gaining broad control over resources inside the targeted tenant.

Microsoft has confirmed that this is intended behaviour, pointing out that these subscriptions stay on the guest’s bill and that there are existing (but non-default) controls to prevent such transfers. Still, the security implications are substantial.

The Privilege You Didn’t See Coming

Once a guest becomes a subscription Owner inside your Azure tenant, they unlock several advanced capabilities, including identifying who is really in charge of the tenant, disabling security monitoring, creating persistent backdoors, and abusing device trust.

These attack paths exist because billing roles and resource permissions operate on separate tracks, creating an overlap that isn’t covered by typical role-based access control (RBAC) models.

Real-World Attack Steps

BeyondTrust researchers demonstrated how an attacker could exploit this issue in practice. An attacker could start by setting up their own Azure tenant using a free trial, which automatically gives them billing authority.

Once they are invited as a guest into a target tenant, they can log into the Azure portal and create a new subscription using advanced settings, selecting the target tenant as the destination. Without ever needing admin approval in that tenant, the attacker gains full Owner access over the new subscription, opening the door to privilege abuse techniques.

    “The feature Microsoft has created here makes sense: some organizations have many tenants, and there are use cases where users with one home directory need to create subscriptions in others they are simply a guest in. The problem lies in the default behavior: if this capability were opt-in, meaning guests were blocked from creating subscriptions by default, the risk would be significantly reduced, and this wouldn’t pose a security concern.”

    Simon Maxwell-Stewart, Sr Data Engineer – BeyondTrust

Microsoft’s Position

Microsoft has stated that this is intended behaviour, meant to support complex multi-tenant setups where guests sometimes need to create resources. They provide subscription policies that can block these transfers, but these controls are off by default.

For cybersecurity teams, this means the risk remains active until they take clear action. BeyondTrust recommends several key steps to reduce exposure, including enabling subscription policies that block guest-led transfers, regularly auditing guest accounts, and removing any that are unused or unnecessary.

To prevent attackers from using virtual machines or devices for further attacks, closely monitor subscriptions for unusual or unexpected guest-created resources, and carefully review dynamic group rules and device trust policies.

Original Post url: https://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/
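The following Az PowerShell script is an added illustration of the two mitigations above (blocking subscription transfers into the tenant and auditing guest accounts); it is not code from the article, BeyondTrust or Microsoft. It assumes Connect-AzAccount has already been run as a Global Administrator with elevated access to the tenant root, and the REST path and api-version for the tenant-level subscription policy are an assumption of this example.

```powershell
# Added example: harden the tenant subscription policy and audit guest accounts.
# Assumes an existing Az session with elevated tenant-root access.
# The policy REST path/api-version below is assumed from Microsoft's Subscription Policies API.
$policyPath = "/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01"

# 1. Read the current tenant policy. Both block flags are false by default,
#    which is the state that lets a guest move a subscription into the tenant.
$current = Invoke-AzRestMethod -Path $policyPath -Method GET
Write-Host "Current policy:" $current.Content

# 2. Block subscriptions from being moved into (and out of) this tenant.
#    exemptedPrincipals holds object IDs of users still allowed to transfer;
#    keep it empty unless a documented multi-tenant use case requires it.
$body = @{
    properties = @{
        blockSubscriptionsIntoTenant    = $true
        blockSubscriptionsLeavingTenant = $true
        exemptedPrincipals              = @()
    }
} | ConvertTo-Json -Depth 5
$result = Invoke-AzRestMethod -Path $policyPath -Method PUT -Payload $body
Write-Host "Policy update HTTP status:" $result.StatusCode

# 3. Audit: list guest accounts and flag any that hold Owner in the
#    currently selected subscription (repeat per subscription as needed).
$guests = Get-AzADUser -Filter "userType eq 'Guest'"
Write-Host ("Guest accounts found: {0}" -f $guests.Count)
foreach ($g in $guests) {
    $owner = Get-AzRoleAssignment -ObjectId $g.Id -RoleDefinitionName Owner -ErrorAction SilentlyContinue
    if ($owner) {
        Write-Warning ("Guest {0} holds Owner at scope(s): {1}" -f $g.UserPrincipalName, ($owner.Scope -join ', '))
    }
}
```

Re-run step 1 after the update to confirm both flags read true, and review any flagged guest before deciding whether its Owner assignment is legitimate.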
