
Guest Users: The Overlooked Lateral Movement Path in Entra ID

22 January 2026 by Jaspreet Singh



Executive Summary

Guest users are often considered low-risk, low-privilege identities. However, they represent one of the most under-monitored lateral movement paths in Microsoft Entra ID (Azure AD). (Eliminate identity lateral movement – Zero Trust, 2025)

Attackers do not require Global Admin access to move laterally. They need visibility, persistence, and misconfiguration, all of which guest users can provide.

This article explains how attackers exploit guest users, outlines the technical methods involved, and highlights common oversights by defenders.

Why Guest Users Are a High-Value Target

Guest users:

  • Are often scoped out of Conditional Access policies that target internal groups or carve out exceptions for external accounts
  • Have their user risk evaluated and remediated in their home tenant, so your Identity Protection policies cannot act on it
  • Are often not MFA-enforced
  • Have persistent access via Teams, SharePoint, and Entra ID groups
  • Are trusted implicitly because they are “external”

In many environments, guest users encounter fewer security controls than internal employees. (Authentication and Conditional Access for B2B users - Microsoft Entra External ID, 2024)

The Identity Trust Boundary Problem

When a guest user authenticates:

  • Authentication happens in the home tenant
  • Authorization happens in your tenant

This creates a split trust model:

  • You do not control their password policy
  • You do not control their MFA methods
  • You do not control their device posture

Yet, once authorized, they can move laterally within your tenant. (Authentication and Conditional Access for B2B users - Microsoft Entra External ID, 2026)

Lateral Movement Technique #1: Guest → Teams → SharePoint

Attack Flow

  1. Attacker compromises an external tenant account
  2. That account is already invited as a guest
  3. Guest has access to:

    • Teams channels
    • SharePoint document libraries
  4. Attacker harvests:

    • Credentials in documents
    • VPN configs
    • Internal URLs
    • Usernames and org structure

Why This Works

  • Access to SharePoint does not equate to an Entra ID role, so role-centric monitoring never sees it.
  • File access by guests is recorded in the Microsoft 365 unified audit log but is rarely reviewed
  • Guest activity blends in as “collaboration.”

This is reconnaissance-based lateral movement, not privilege escalation, which is why it is often overlooked. (Eliminate identity lateral movement – Zero Trust, 2024)

Lateral Movement Technique #2: Guest Users in Entra ID Groups

The Hidden Risk

Many organizations:

  • Add guest users to security groups
  • Reuse those groups for:

    • App assignments
    • SharePoint permissions
    • SaaS access (Use a group to manage access to SaaS applications, 2025)

If a group is later:

  • Assigned to an application
  • Granted API permissions
  • Used in Conditional Access exclusions

The guest user gains new access without notification.

Guest access can expand over time without requiring re-invitation. (Restrict guest user access permissions in Microsoft Entra ID, 2024)

Lateral Movement Technique #3: Guest → Application Tokens

Technical Detail

If a guest user:

  • Is assigned to an enterprise application
  • Uses OAuth-based access
  • Receives refresh tokens

An attacker can:

  • Steal tokens
  • Reuse them without reauthentication
  • Satisfy MFA requirements without ever performing MFA, because the replayed token already carries the MFA claim

This results in token-based lateral movement rather than login-based movement. (Token Protection by using Microsoft Entra ID, 2026)

Key point:

Token replay often does not trigger sign-in risk alerts: no new credential or MFA prompt is involved, and the activity looks like a routine non-interactive token refresh. (Protecting Tokens in Microsoft Entra ID, 2023)

Lateral Movement Technique #4: Cross-Tenant Trust Abuse

With:

  • Cross-tenant access settings that accept MFA and compliant-device claims from every external tenant (the Microsoft default is not to trust them; the risk appears when an organization switches this on for all tenants)
  • No Conditional Access policy in your tenant that requires MFA from guests
  • No block on inbound collaboration from tenants you have never vetted

An attacker can:

  • Authenticate in a weaker tenant (weak MFA, or none at all)
  • Access a stronger tenant as a guest
  • Satisfy that tenant's MFA or compliant-device requirements with claims the weaker tenant asserted

This is an example of trust transitivity, which is rarely audited. (Eliminate identity lateral movement – Zero Trust, 2024)

Why Detection Fails

Most SOCs focus on:

  • UserType = Member
  • Privileged roles
  • Risky sign-ins

But guest attacks involve:

  • Normal sign-ins
  • Low-risk IPs
  • Legitimate collaboration workloads (Security guidance - Monitor and detect cyberthreats - Microsoft Entra, 2024)

Common blind spots:

  • No KQL queries for UserType = Guest
  • No anomaly baselines for guests
  • No alerts for permission expansion (Eliminate identity lateral movement – Zero Trust, 2025)
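The queries below are an added example and not part of the original article. They implement the missing guest baseline as a scheduled hunt: one KQL query flags guest sign-ins (interactive and token-based) to applications the guest has not touched in the previous 30 days, and a second flags bulk SharePoint and OneDrive file access by guest accounts. It assumes the Az.Accounts and Az.OperationalInsights modules, a Log Analytics workspace that receives SigninLogs, AADNonInteractiveUserSignInLogs and OfficeActivity, and a reader role on that workspace; the workspace ID and the file-count threshold are placeholders you tune.

```powershell
# Added example (not from the original article): scheduled hunt for guest activity that
# a "Member + privileged role" focus never sees. Assumes Az.Accounts, Az.OperationalInsights,
# Log Analytics Reader on the workspace, and diagnostic settings that ship SigninLogs,
# AADNonInteractiveUserSignInLogs and OfficeActivity to it.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # assumption: your Log Analytics workspace ID
    [int] $BulkFileThreshold = 50                   # assumption: tune to your guests' normal volume
)

Connect-AzAccount | Out-Null

# Query 1: guest sign-ins to apps the guest has not used in the prior 30 days.
# The SingleFactor column shows where MFA is not actually being enforced for guests.
$newAppKql = @'
let window = 1d;
let guest = union SigninLogs, AADNonInteractiveUserSignInLogs
    | where UserType == "Guest" and ResultType == "0"
    | project TimeGenerated, UserPrincipalName, HomeTenantId, AppDisplayName,
              IPAddress, AuthenticationRequirement, CrossTenantAccessType;
let baseline = guest
    | where TimeGenerated between (ago(30d) .. ago(window))
    | summarize KnownApps = make_set(AppDisplayName) by UserPrincipalName;
guest
| where TimeGenerated > ago(window)
| join kind=leftouter baseline on UserPrincipalName
| where isnull(KnownApps) or not(set_has_element(KnownApps, AppDisplayName))
| summarize FirstSeen = min(TimeGenerated), SignIns = count(),
            SingleFactor = countif(AuthenticationRequirement == "singleFactorAuthentication"),
            IPs = make_set(IPAddress)
          by UserPrincipalName, HomeTenantId, AppDisplayName, CrossTenantAccessType
| order by FirstSeen desc
'@

# Query 2: bulk file access by guests. Guest UPNs carry the "#EXT#" marker in OfficeActivity.
$bulkAccessKql = @"
OfficeActivity
| where TimeGenerated > ago(1d)
| where UserId has "#EXT#"
| where Operation in ("FileAccessed", "FileDownloaded", "FileSyncDownloadedFull")
| summarize Files = dcount(OfficeObjectId), Sites = dcount(Site_Url),
            Operations = make_set(Operation), FirstSeen = min(TimeGenerated)
          by UserId, ClientIP
| where Files > $BulkFileThreshold
| order by Files desc
"@

$hunts = @(
    @{ Name = 'Guest sign-ins to apps not seen in 30 days'; Query = $newAppKql },
    @{ Name = 'Bulk SharePoint/OneDrive access by guests';   Query = $bulkAccessKql }
)

foreach ($h in $hunts) {
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $h.Query `
                                           -Timespan (New-TimeSpan -Days 31)
    "`n== $($h.Name): $(@($r.Results).Count) row(s) =="
    $r.Results | Format-Table -AutoSize
}
```

Run it daily from automation and route non-empty result sets to a ticket or a Sentinel incident. The first query deliberately unions interactive and non-interactive sign-ins: a replayed refresh token shows up only in the non-interactive table, which is exactly the activity the page says defenders skip.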

How to Defend (Technical Controls)

1. Separate Conditional Access for Guests

Create guest-only policies:

  • Require MFA
  • Block legacy auth
  • Restrict session duration
  • Disable persistent browser sessions

Do not rely on an “All users” policy alone, and do not assume policies scoped to internal groups cover guests: target guests explicitly with the guest and external user selector so the stricter controls apply to them.
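As an added example, not code from the original article, the following creates the two guest-only policies described above through the Microsoft Graph PowerShell SDK: one that requires MFA on every application with an 8-hour sign-in frequency and no persistent browser session, and one that blocks legacy authentication clients for guests. It assumes the Microsoft.Graph.Identity.SignIns module and an account granted Policy.ReadWrite.ConditionalAccess; the emergency-access account object ID and the policy names are placeholders.

```powershell
# Added example (not from the original article): two guest-only Conditional Access policies.
# Assumes Microsoft.Graph.Identity.SignIns and Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlass = "<object-id-of-emergency-access-account>"   # assumption: placeholder; always exclude it

# Target guests and external users explicitly, from every external tenant,
# instead of relying on "All users" plus group-based exclusions.
$guestScope = @{
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser"
        externalTenants = @{
            "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
            membershipKind = "all"
        }
    }
    excludeUsers = @($breakGlass)
}

# Policy 1: MFA on every app, 8-hour sign-in frequency, no persistent browser session.
$mfaPolicy = @{
    displayName = "CA-Guests-RequireMFA-ShortSession"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after reviewing sign-ins
    conditions  = @{
        users          = $guestScope
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency   = @{ value = 8; type = "hours"; frequencyInterval = "timeBased"; isEnabled = $true }
        persistentBrowser = @{ mode = "never"; isEnabled = $true }
    }
}

# Policy 2: block legacy authentication protocols, which cannot satisfy an MFA requirement.
$legacyBlock = @{
    displayName = "CA-Guests-BlockLegacyAuth"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = $guestScope
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in $mfaPolicy, $legacyBlock) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  {1}  state={2}" -f $created.Id, $created.DisplayName, $created.State
}
```

Both policies are created in report-only mode so you can confirm in the sign-in logs which guests would have been prompted or blocked before enforcing them. Whether the MFA requirement is satisfied by a home-tenant claim or by a prompt in your tenant depends on the cross-tenant access inbound trust settings, which is the next control.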

2. Decide Which Home-Tenant Claims You Trust

In cross-tenant access settings:

  • Keep the default inbound trust settings at “do not trust” for MFA and device claims, so guests from unvetted tenants must satisfy MFA in your tenant
  • Trust MFA or compliant-device claims only from specific partner tenants whose authentication you have reviewed
  • Block inbound collaboration from tenants that do not meet your authentication bar

This prevents movement from weaker tenants to stronger tenants.
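The following is an added example, not the article's own code, showing the three settings above applied with the Microsoft Graph PowerShell SDK: default inbound trust set to not accept external MFA or device claims, a single vetted partner tenant trusted for its MFA claim only, and an unvetted tenant blocked for inbound B2B collaboration, followed by a review listing. It assumes the Microsoft.Graph.Identity.SignIns module and an account granted Policy.ReadWrite.CrossTenantAccess; both tenant IDs are placeholders.

```powershell
# Added example (not from the original article): lock down cross-tenant inbound trust.
# Assumes Microsoft.Graph.Identity.SignIns and Policy.ReadWrite.CrossTenantAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# 1. Defaults apply to every tenant without a partner-specific entry. Do not honour
#    MFA or device claims from an arbitrary home tenant: guests must then satisfy
#    your Conditional Access MFA requirement in your tenant.
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter @{
    inboundTrust = @{
        isMfaAccepted                       = $false
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# 2. A vetted partner whose MFA you have reviewed: trust the MFA claim only, never device claims.
$partnerTenantId = "11111111-1111-1111-1111-111111111111"   # assumption: placeholder tenant ID
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
    tenantId     = $partnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# 3. A tenant that fails your authentication bar: block inbound B2B collaboration entirely.
$blockedTenantId = "22222222-2222-2222-2222-222222222222"   # assumption: placeholder tenant ID
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
    tenantId = $blockedTenantId
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "blocked"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "blocked"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
}

# 4. Review: which tenants are trusted for what. Anything with MfaTrusted or DeviceTrusted
#    set to True is a tenant whose security posture you are inheriting.
"Default inbound trust:"
(Get-MgPolicyCrossTenantAccessPolicyDefault).InboundTrust | Format-List
"Partner-specific settings:"
Get-MgPolicyCrossTenantAccessPolicyPartner -All |
    Select-Object TenantId,
        @{ n = 'MfaTrusted';    e = { $_.InboundTrust.IsMfaAccepted } },
        @{ n = 'DeviceTrusted'; e = { $_.InboundTrust.IsCompliantDeviceAccepted } } |
    Format-Table -AutoSize
```

If a partner entry already exists for a tenant, use Update-MgPolicyCrossTenantAccessPolicyPartner with the same body instead of New-MgPolicyCrossTenantAccessPolicyPartner. Step 4 is the audit the article says rarely happens: run it periodically and treat any newly trusted tenant as a change that needs justification.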

3. Monitor Token Usage, Not Just Sign-Ins

Focus on:

  • Token lifetime
  • Refresh token abuse
  • Unusual resource access

Sign-ins tell you who logged in.

Tokens tell you who stayed in.

4. Audit Guest Group Membership Drift

Run periodic reviews for:

  • Guest users in security groups
  • Groups tied to applications
  • Groups used in CA exclusions

Guest access should decay, not grow.
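The script below is an added example, not the article's own code, serving both the group-reuse risk described under Technique #2 and the drift review above. It lists every guest whose group membership currently grants an enterprise application (through an app role assignment to the group) or an exemption from a Conditional Access policy (through the policy's excluded groups), then diffs the result against the previous run so new exposures stand out. It assumes the Microsoft.Graph.Users, Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules, an account granted Directory.Read.All, Application.Read.All and Policy.Read.All, and a local path for the snapshot file.

```powershell
# Added example (not from the original article): audit guest group-membership drift.
# Assumes Microsoft.Graph.Users, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
# and the read permissions Directory.Read.All, Application.Read.All, Policy.Read.All.
Connect-MgGraph -Scopes "Directory.Read.All", "Application.Read.All", "Policy.Read.All"

$snapshotPath = "guest-group-exposure.json"   # assumption: local path holding the previous run

# Groups that carry an app assignment: service principal -> appRoleAssignedTo (PrincipalType Group).
$appGroups = @{}
Get-MgServicePrincipal -All -Property Id, DisplayName | ForEach-Object {
    $sp = $_
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Where-Object PrincipalType -eq 'Group' |
        ForEach-Object { $appGroups[$_.PrincipalId] += @($sp.DisplayName) }
}

# Groups used as Conditional Access exclusions: being in one silently switches a policy off.
$caGroups = @{}
Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    $policy = $_
    foreach ($gid in $policy.Conditions.Users.ExcludeGroups) { $caGroups[$gid] += @($policy.DisplayName) }
}

# Walk every guest's group memberships and keep those that confer access or an exemption.
$findings = foreach ($guest in Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, UserPrincipalName) {
    foreach ($obj in Get-MgUserMemberOf -UserId $guest.Id -All) {
        if ($obj.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
        $apps = $appGroups[$obj.Id]
        $exclusions = $caGroups[$obj.Id]
        if (-not $apps -and -not $exclusions) { continue }
        [pscustomobject]@{
            Guest        = $guest.UserPrincipalName
            Group        = $obj.AdditionalProperties['displayName']
            AppsViaGroup = ($apps -join ', ')
            CaExclusions = ($exclusions -join ', ')
        }
    }
}

# Diff against the previous snapshot: a guest+group pair not seen last time is drift.
if (Test-Path $snapshotPath) {
    $previousKeys = (Get-Content $snapshotPath -Raw | ConvertFrom-Json) |
        ForEach-Object { "$($_.Guest)|$($_.Group)" }
    $drift = $findings | Where-Object { "$($_.Guest)|$($_.Group)" -notin $previousKeys }
    "New guest exposures since last run: $(@($drift).Count)"
    $drift | Format-Table -AutoSize
}

"All current guest exposures: $(@($findings).Count)"
$findings | Sort-Object Guest, Group | Format-Table -AutoSize
$findings | ConvertTo-Json -Depth 3 | Set-Content $snapshotPath
```

The first run produces the full inventory and writes the snapshot; every later run reports only what grew. Each row is a guest who gained application access or a policy exemption without a new invitation, which is the expansion the article describes. Pair it with an access review on the groups it names so the answer to each row is either a documented business need or a removal.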

Final Thought

Guest users should not be viewed solely as a collaboration feature.

They are external identities inside your trust boundary.

If you do not address guest users as a lateral movement risk, attackers will exploit this oversight.


Written by Jaspreet Singh — Microsoft identity & security practitioner. Author at ITBlogs.ca. Lab notes and testing at f11.ca.


References

(2025). Eliminate identity lateral movement – Zero Trust. Microsoft Learn. https://learn.microsoft.com/en-us/security/zero-trust/sfi/eliminate-identity-lateral-movement

(2024). Authentication and Conditional Access for B2B users - Microsoft Entra External ID. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/external-identities/authentication-conditional-access

(2026). Authentication and Conditional Access for B2B users - Microsoft Entra External ID. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/external-identities/authentication-conditional-access

(2024). Eliminate identity lateral movement – Zero Trust. Microsoft Learn. https://learn.microsoft.com/en-us/security/zero-trust/sfi/eliminate-identity-lateral-movement

(2025). Use a group to manage access to SaaS applications. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/users/groups-saasapps

(2024). Restrict guest user access permissions in Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions

(2026). Token Protection by using Microsoft Entra ID. Microsoft Community Hub. https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/token-protection-by-using-microsoft-entra-id-/4302207

(2023). Protecting Tokens in Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/devices/protecting-tokens-microsoft-entra-id

(2024). Eliminate identity lateral movement – Zero Trust. Microsoft Learn. https://learn.microsoft.com/en-us/security/zero-trust/sfi/eliminate-identity-lateral-movement

(2024). Security guidance - Monitor and detect cyberthreats - Microsoft Entra. Microsoft Learn. https://learn.microsoft.com/en-us/entra/fundamentals/zero-trust-monitor-detect

(2025). Eliminate identity lateral movement – Zero Trust. Microsoft Learn. https://learn.microsoft.com/en-us/security/zero-trust/sfi/eliminate-identity-lateral-movement

