Imagine your organization’s Microsoft 365 tenant as your home. You wouldn’t welcome a stranger with unknown intentions and a shady introduction into your home, would you?
Similarly, proactively identifying and mitigating the risks that guest users bring with them from their home tenant is vital for safeguarding your organization’s data and resources within your own tenant.
It’s common practice for organizations to implement Entra ID Protection (formerly Azure Active Directory Identity Protection) to secure access to their tenant. Combined with the dynamic capabilities of Conditional Access, this lets you help users verify their identity and remediate risks, but it’s also quite common to block access outright when a user has a high user risk detected.
Why is it important to be able to detect blocked guest users?
If a guest user is flagged with a risk by Entra ID Protection in their home tenant, your Conditional Access policy will block the sign-in but will not provide any immediate notification about the blocked access. That’s why it’s crucial to have a detection in place that proactively identifies these situations. With one in place, you can promptly inform the guest user about the issue and resolve any disruption to the collaboration between the guest user and your organization.
How?
Detecting sign-ins that were blocked because a guest user is flagged as risky in their home tenant requires deliberate monitoring and alerting. The combination below, a KQL query over the sign-in logs and an Alert Rule that fires on its results, does exactly that.
// Detect when guest users get blocked due to risk on home tenant.
SigninLogs
| where TimeGenerated > ago(1h)                      // look back over the last hour (align with the alert rule's frequency)
| where ResultType == "530032"                       // sign-in blocked because the user is flagged as risky in their home tenant
| where ConditionalAccessStatus == "failure"         // the block came from Conditional Access
| where UserType == "Guest"                          // only external (guest) accounts
| project TimeGenerated, UserPrincipalName, UserType, ResultType, HomeTenantId, AppDisplayName
| sort by TimeGenerated desc
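To make the detection logic concrete outside of a Sentinel workspace, here is the same filter implemented in Python and run over a handful of constructed sign-in records. This is an added example, not code from the original post: the records, user principal names and tenant IDs are made up, and the second function (grouping hits per guest and home tenant) is an assumption about what you would want to hand to whoever contacts the guest, rather than something the post specifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference point for the lookback window so the example is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed records shaped like SigninLogs rows (UPNs and tenant IDs are made up).
SAMPLE_SIGNIN_LOGS = [
    # Guest blocked twice within the last hour because of risk in the home tenant.
    {"TimeGenerated": "2024-05-01T11:50:00Z",
     "UserPrincipalName": "alice_partner.example#EXT#@contoso.example",
     "UserType": "Guest", "ResultType": "530032", "ConditionalAccessStatus": "failure",
     "HomeTenantId": "11111111-1111-1111-1111-111111111111",
     "AppDisplayName": "Microsoft Teams"},
    {"TimeGenerated": "2024-05-01T11:30:00Z",
     "UserPrincipalName": "alice_partner.example#EXT#@contoso.example",
     "UserType": "Guest", "ResultType": "530032", "ConditionalAccessStatus": "failure",
     "HomeTenantId": "11111111-1111-1111-1111-111111111111",
     "AppDisplayName": "SharePoint Online"},
    # Same kind of block, but two hours old: outside the ago(1h) window.
    {"TimeGenerated": "2024-05-01T10:00:00Z",
     "UserPrincipalName": "bob_partner.example#EXT#@contoso.example",
     "UserType": "Guest", "ResultType": "530032", "ConditionalAccessStatus": "failure",
     "HomeTenantId": "22222222-2222-2222-2222-222222222222",
     "AppDisplayName": "Microsoft Teams"},
    # A member of our own tenant: not a guest, so not in scope.
    {"TimeGenerated": "2024-05-01T11:45:00Z",
     "UserPrincipalName": "carol@contoso.example",
     "UserType": "Member", "ResultType": "530032", "ConditionalAccessStatus": "failure",
     "HomeTenantId": "33333333-3333-3333-3333-333333333333",
     "AppDisplayName": "Office 365 Exchange Online"},
    # Guest blocked by Conditional Access for a different reason (other result code).
    {"TimeGenerated": "2024-05-01T11:55:00Z",
     "UserPrincipalName": "dave_partner.example#EXT#@contoso.example",
     "UserType": "Guest", "ResultType": "53003", "ConditionalAccessStatus": "failure",
     "HomeTenantId": "44444444-4444-4444-4444-444444444444",
     "AppDisplayName": "Microsoft Teams"},
    # Successful guest sign-in: nothing to report.
    {"TimeGenerated": "2024-05-01T11:58:00Z",
     "UserPrincipalName": "erin_partner.example#EXT#@contoso.example",
     "UserType": "Guest", "ResultType": "0", "ConditionalAccessStatus": "success",
     "HomeTenantId": "55555555-5555-5555-5555-555555555555",
     "AppDisplayName": "SharePoint Online"},
]


def _parse_time(value):
    # SigninLogs timestamps are ISO 8601 with a trailing 'Z' for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_blocked_guests(records, now=None, lookback=timedelta(hours=1)):
    """Python equivalent of the KQL query: guests denied by Conditional Access
    because their home tenant flagged them as risky (ResultType 530032),
    restricted to the lookback window and sorted newest first."""
    now = now or datetime.now(timezone.utc)
    since = now - lookback
    hits = [
        r for r in records
        if _parse_time(r["TimeGenerated"]) > since
        and r["ResultType"] == "530032"
        and r["ConditionalAccessStatus"] == "failure"
        and r["UserType"] == "Guest"
    ]
    fields = ("TimeGenerated", "UserPrincipalName", "UserType", "ResultType",
              "HomeTenantId", "AppDisplayName")
    projected = [{k: r[k] for k in fields} for r in hits]
    return sorted(projected, key=lambda r: _parse_time(r["TimeGenerated"]), reverse=True)


def summarize_for_notification(hits):
    """Collapse per-app events into one item per guest and home tenant (assumed
    shape of the message you would send to the guest or their home admin)."""
    grouped = defaultdict(lambda: {"apps": set(), "count": 0, "latest": None})
    for r in hits:
        entry = grouped[(r["UserPrincipalName"], r["HomeTenantId"])]
        entry["apps"].add(r["AppDisplayName"])
        entry["count"] += 1
        ts = _parse_time(r["TimeGenerated"])
        if entry["latest"] is None or ts > entry["latest"]:
            entry["latest"] = ts
    return [
        {"UserPrincipalName": upn, "HomeTenantId": tid, "Apps": sorted(v["apps"]),
         "BlockedSignIns": v["count"], "LastSeen": v["latest"].isoformat()}
        for (upn, tid), v in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for item in summarize_for_notification(detect_blocked_guests(SAMPLE_SIGNIN_LOGS, now=NOW)):
        print(item)
```

Running it reports a single guest (two blocked sign-ins across Teams and SharePoint) and ignores the stale event, the member account, the block with a different result code and the successful sign-in, which mirrors what the KQL query would return in the workspace.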
Alert Rule:
