EIDSCA.AP04 - Default Authorization Settings - Guest invite restrictions.

Overview

Manages controls who can invite guests to your directory to collaborate on resources secured by your Entra ID (Azure AD), such as SharePoint sites or Azure resources.

CISA SCuBA 2.18: Only users with the Guest Inviter role SHOULD be able to invite guest users

Test script

https://graph.microsoft.com/beta/policies/authorizationPolicy
.allowInvitesFrom -in @('adminsAndGuestInviters','none')

Related links

• Open in Graph Explorer
• authorizationPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
• View in Microsoft Entra admin center

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0003 - Persistence - Persistence

Test Metadata

Field	Value
Test ID	EIDSCA.AP04
Severity	Medium
Suite	Entra ID SCA
Category	General
PowerShell test	Test-MtEidscaAP04
Tags	EIDSCA, EIDSCA.AP04

Source

• Pester test: tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
• PowerShell source: powershell/internal/eidsca/Test-MtEidscaAP04.ps1