Full Report
If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk. A gap in access control in Microsoft Entra's subscription handling allows guest users to create and transfer subscriptions into the tenant they are invited into, while retaining full ownership of them. All the guest user needs is the permission to create subscriptions in
Analysis Summary
# Vulnerability: Guest User Subscription Creation Leading to Privilege Escalation in Microsoft Entra ID
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text.
- CWE: Likely related to CWE-276 (Incorrect Default Permissions) or CWE-284 (Improper Access Control).
## Affected Systems
- Products: Microsoft Entra ID (Azure AD)
- Versions: All environments utilizing the B2B guest user invitation model where billing permissions are not strictly audited or controlled.
- Configurations: Environments where guest users are invited, and the guest user (or an account they control/impersonate) possesses Billing Roles (e.g., Subscription Creator, Owner) in their *home* tenant, or can leverage free trial creation to gain these roles.
## Vulnerability Description
The vulnerability lies in the disjoint authorization boundaries of Entra ID roles, Azure RBAC roles, and **Billing Roles**: none of the three checks the others. A B2B guest user invited into a target Entra tenant can use Billing Roles held in their *home tenant* (or a tenant they control, such as one created via a free trial) to create a new Azure subscription and direct it into the target resource tenant. Crucially, the guest user is automatically assigned the Azure RBAC role of "Owner" on this newly created subscription within the target environment, gaining privileged access that never passes through the target tenant's Entra or Azure RBAC permission reviews. This bypasses the controls typically applied to guests.
## Exploitation
- Status: Theoretical/Proof of Concept is implied via the step-by-step guide; not explicitly stated as "Exploited in the wild."
- Complexity: Low to Medium. Requires the attacker to secure the necessary upstream billing role (either by compromise or by creating a trial account). The process within the target tenant is straightforward via the Azure Portal GUI.
- Attack Vector: Network (Requires initial successful B2B invitation).
## Impact
- Confidentiality: High (Owner role on a subscription allows access to data and resources).
- Integrity: High (Owner role allows modification or deletion of resources).
- Availability: High (Owner role allows denial of service via resource deletion/misconfiguration).
## Remediation
### Patches
- No specific patch or version update is mentioned as the issue appears to be a design oversight related to billing scope inheritance. Remediation relies on configuration changes.
### Workarounds
1. **Audit and Restrict Billing Roles:** Review and strictly limit which users (especially those external to the organization) hold privileged Billing Roles (e.g., Subscription Creator, Billing Account Owner) within the respective organization's home tenant(s).
2. **Review Guest Invitation Policies:** Examine who has the default right to invite guests, as an attacker may leverage a compromised, low-privilege user to invite an attacker-controlled account that has the required billing permissions.
3. **Subscription Governance Review:** Regularly review subscription ownership and management group assignments in the target tenant, specifically looking for recently created subscriptions whose owners’ primary identity resides in an external tenant.
4. **Enforce Stronger Controls on Federation:** Since guests access via federation, ensure that the tenant configuration does not allow guests to bypass MFA or other critical controls if they gain elevated roles.
## Detection
- **Indicators of Compromise (IoCs):** New Azure subscriptions appearing in the target tenant whose creator/owner identity is a B2B guest account from an external directory.
- **Detection Methods and Tools:** Security monitoring tools must analyze **Billing and Subscription creation events**, not just standard Entra sign-ins or Azure RBAC role assignments. Look for API calls or portal actions related to subscription creation directed towards the tenant boundary by accounts flagged as guests.
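One concrete form of the ownership review described above, as an added example that is not part of the original report: it joins role assignments, subscription records and directory users and flags every subscription where a B2B guest holds Owner directly at subscription scope, marking the recently created ones. The records are constructed inline to mirror the shape of ARM role assignments and Entra user objects; the only real identifier used is the built-in Owner role GUID, and the `contoso.example`/`fabrikam.example` names, the `p-*` principal IDs and the reference time are assumptions.

```python
"""Flag subscriptions whose Owner is a B2B guest (added example, not from the report).
Input records are constructed to mirror ARM role assignments, subscription records and
Entra user objects as returned by `az role assignment list --all`, `az account list`
and `az ad user list`."""
from datetime import datetime, timedelta, timezone
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Azure RBAC Owner GUID
ROLE_DEF_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
NOW = datetime(2025, 6, 25, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample data: one member user and one guest from an external directory.
USERS = {
    "p-alice": {"userPrincipalName": "alice@contoso.example", "userType": "Member"},
    "p-mallory": {"userPrincipalName": "mallory_fabrikam.example#EXT#@contoso.example",
                  "userType": "Guest"},
}
SUBSCRIPTIONS = [
    {"subscriptionId": "sub-a", "displayName": "prod-core", "createdTime": "2024-01-10T08:00:00Z"},
    {"subscriptionId": "sub-b", "displayName": "Azure subscription 1",
     "createdTime": "2025-06-20T13:00:00Z"},
]
ROLE_ASSIGNMENTS = [
    {"scope": "/subscriptions/sub-a", "principalId": "p-alice", "principalType": "User",
     "roleDefinitionId": ROLE_DEF_PREFIX + OWNER_ROLE_ID},
    {"scope": "/subscriptions/sub-b", "principalId": "p-mallory", "principalType": "User",
     "roleDefinitionId": ROLE_DEF_PREFIX + OWNER_ROLE_ID},
]

def is_guest(user: dict) -> bool:
    """Guest if Entra flags it so, or the UPN carries the B2B '#EXT#' marker."""
    return user.get("userType") == "Guest" or "#EXT#" in user.get("userPrincipalName", "")

def guest_owned_subscriptions(subscriptions, role_assignments, users, now=NOW, recent_days=30):
    """One finding per direct subscription-scope Owner assignment held by a guest user."""
    # Owner rights inherited from management-group or root scope are not covered here.
    by_id = {s["subscriptionId"]: s for s in subscriptions}
    findings = []
    for ra in role_assignments:
        parts = ra["scope"].strip("/").split("/")
        if len(parts) != 2 or parts[0] != "subscriptions":
            continue  # not assigned directly at subscription scope
        if not ra["roleDefinitionId"].lower().endswith(OWNER_ROLE_ID):
            continue  # some role other than Owner
        user = users.get(ra["principalId"])
        if user is None or not is_guest(user):
            continue
        sub = by_id.get(parts[1], {})
        created = sub.get("createdTime")
        recent = bool(created) and now - datetime.fromisoformat(
            created.replace("Z", "+00:00")) <= timedelta(days=recent_days)
        findings.append({"subscriptionId": parts[1], "displayName": sub.get("displayName"),
                         "owner": user["userPrincipalName"], "recent": recent})
    return findings
```

Run it against real exports by replacing the three constructed collections; a finding with `recent` set is the pattern the report describes and warrants checking which billing account the subscription was created under.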
## References
- Vendor Advisories: Not specified.
- Relevant links:
- hXXps://thehackernews.com/2025/06/beware-hidden-risk-in-your-entra.html
- hXXps://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy