Guest Access to Entra Threat Alert
Threat Notice Originally Appeared on TheHackerNews.com
The Silent Backdoor: How Microsoft Guest Accounts Can Give Hackers Full Control
Microsoft’s guest access feature was built to make collaboration seamless across organizations. But under the surface, a major security gap is allowing attackers to use these guest accounts as stealth backdoors—giving them unexpected levels of control inside target environments.
This isn’t just a theoretical risk. Security researchers have confirmed that with default settings, a guest user can create entire cloud subscriptions inside your Microsoft environment—and then take full ownership of them. Most IT security teams don’t even realize this is possible.
The Hidden Risk in Microsoft Entra Guest Access
Here’s how the attack works:
An attacker with access to a billing account in their own Entra environment gets invited to your Microsoft tenant as a guest.
Once in, they create a new subscription from their home environment and transfer it into yours.
Because of how Microsoft billing permissions work, they retain full owner control of that subscription—even inside your tenant.
This newly created subscription shows up under your management group—but it’s not governed by your standard policies and may not trigger your security tools.
From that foothold, attackers can:
Disable or weaken default security policies.
Create managed identities that appear legitimate.
Expose high-level admin accounts through misused role assignments.
Launch phishing campaigns using trusted devices.
Why This Is So Dangerous
Most IT teams audit Entra directory roles or Azure RBAC permissions. But this exploit sidesteps those reviews entirely using billing roles—an overlooked layer of access that exists outside typical security boundaries.
To make matters worse:
Guest invitation settings are often wide open by default—meaning anyone, even a guest, can invite another guest.
Federated logins reduce control—your tenant may not be able to enforce MFA or device compliance for the guest’s login.
This tactic is being used in the wild—it has already been observed by researchers at BeyondTrust, who have flagged it as a real-world privilege escalation method.
What Business Owners and IT Teams Should Do Now
If you rely on Microsoft 365, Azure, or Entra for collaboration and identity management, this risk needs your immediate attention. Here’s how to get ahead of it:
✅ Review and lock down guest invitation settings – Limit who can invite guests and monitor existing guest users.
✅ Enable Microsoft’s subscription transfer controls – This policy blocks unauthorized users from transferring subscriptions to your tenant.
✅ Audit all subscriptions – Especially those not created by your internal team. Look for signs of ownership anomalies.
✅ Run a risk assessment – Our team can help you uncover guest-created resources, misconfigured roles, and invisible paths to privilege.
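The three technical checks above (guest invitation settings, the subscription transfer policy, and an audit of subscriptions and their owners) can be scripted. The following PowerShell is an added, read-only example written for this page; it is not code from The Hacker News, BeyondTrust, or Microsoft. It assumes the Az and Microsoft.Graph PowerShell modules are installed, that the caller has read access to the tenant and its subscriptions, and that `$knownSubscriptions` is filled in from your own inventory (it is a placeholder here). The tenant-level subscription policy has no dedicated Az cmdlet, so it is read through Invoke-AzRestMethod against the Microsoft.Subscription/policies/default endpoint.

```powershell
# Added example (not from the original alert). Reports only; changes nothing.
# Assumes: Az.Accounts, Az.Resources, Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Users modules; Reader/Global Reader rights in the tenant.

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All" | Out-Null

# --- 1. Guest invitation settings ---------------------------------------------
# allowInvitesFrom = 'everyone' is the open setting the alert warns about: any
# existing guest may invite further guests. 'adminsAndGuestInviters' or 'none'
# restricts invitations to admins (and explicitly assigned Guest Inviters).
$authPolicy = Get-MgPolicyAuthorizationPolicy
Write-Host "Guest invitations allowed from: $($authPolicy.AllowInvitesFrom)"
if ($authPolicy.AllowInvitesFrom -in @('everyone', 'adminsGuestInvitersAndAllMembers')) {
    Write-Warning "Guest invitation setting is permissive; consider restricting it to admins."
}

# List guest accounts with their creation time so recent invitations stand out.
Get-MgUser -Filter "userType eq 'Guest'" -All -Property DisplayName,UserPrincipalName,CreatedDateTime |
    Sort-Object CreatedDateTime -Descending |
    Select-Object DisplayName, UserPrincipalName, CreatedDateTime |
    Format-Table -AutoSize

# --- 2. Subscription transfer controls ---------------------------------------
# Tenant-wide policy: blockSubscriptionsIntoTenant stops subscriptions created in
# another directory from being moved into this one.
$resp = Invoke-AzRestMethod -Method GET `
    -Path "/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01"
$subPolicy = ($resp.Content | ConvertFrom-Json).properties
if (-not $subPolicy.blockSubscriptionsIntoTenant) {
    Write-Warning "blockSubscriptionsIntoTenant is NOT enabled: subscriptions can be transferred into this tenant."
}
if (-not $subPolicy.blockSubscriptionsLeavingTenant) {
    Write-Warning "blockSubscriptionsLeavingTenant is NOT enabled."
}

# --- 3. Subscription and owner audit ------------------------------------------
# Placeholder: replace with the subscription IDs your team actually created.
$knownSubscriptions = @()

$findings = foreach ($sub in Get-AzSubscription) {
    if ($knownSubscriptions -notcontains $sub.Id) {
        [pscustomobject]@{
            Subscription = $sub.Name; Id = $sub.Id
            Issue = 'Subscription not in internal inventory'; Principal = $null
        }
    }
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    # Owner assignments held by guest accounts: external UPNs carry '#EXT#'.
    $owners = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" -RoleDefinitionName Owner
    foreach ($o in $owners) {
        if ($o.SignInName -like '*#EXT#*') {
            [pscustomobject]@{
                Subscription = $sub.Name; Id = $sub.Id
                Issue = 'Guest account holds Owner'; Principal = $o.SignInName
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "No unknown subscriptions or guest-held Owner assignments found." }
```

Run it from a workstation that already holds Reader rights on every subscription; a subscription that the account cannot see will simply be missing from the audit, so compare the count from Get-AzSubscription against what billing shows. Any subscription flagged as not in inventory, or with an Owner whose sign-in name carries `#EXT#`, is the pattern described in this alert and warrants a look at who created it and when.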
The Bottom Line
Identity misconfigurations are the new exploits. This guest subscription flaw is just one example of how small gaps in configuration can create massive opportunities for attackers. If your security tools are only focused on traditional roles and permissions, you may be blind to what’s really happening.
Let’s close the door before attackers walk in. Schedule a 26-minute Cyber Risk & Resilience Call with our team, and we’ll show you exactly where the risks lie—and how to eliminate them.
References
https://thehackernews.com/2025/06/beware-hidden-risk-in-your-entra.html?m=1
https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/
Questions or concerns? Schedule a quick 26-minute call with Greg Mauer to discuss your concerns or answer your questions.