Entra ID Guest Account Promoted to Member

Identifies Entra ID user accounts converted from Guest to Member type via an Update user operation. A Guest-to-Member conversion grants the account full directory read access, removes external-identity Conditional Access restrictions, and makes the account indistinguishable from an internal employee. An attacker who compromises a guest account and promotes it to Member type gains persistent tenant access without triggering role assignment alerts.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2026/05/20"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/20"

[rule]
author = ["Elastic", "descambiado"]
description = """
Identifies Entra ID user accounts converted from Guest to Member type via an Update user operation.
A Guest-to-Member conversion grants the account full directory read access, removes external-identity
Conditional Access restrictions, and makes the account indistinguishable from an internal employee.
An attacker who compromises a guest account and promotes it to Member type gains persistent tenant
access without triggering role assignment alerts.
"""
false_positives = [
    """
    B2B collaboration migrations where external users are intentionally promoted to full membership.
    Organizational restructuring that converts former contractors to permanent employees in place.
    """,
]
from = "now-9m"
index = ["logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Guest Account Promoted to Member"
note = """## Triage and analysis

### Investigating Entra ID Guest Account Promoted to Member

A Guest-to-Member UserType conversion is a rarely needed, high-impact operation that removes all
guest account restrictions. In most tenants it occurs fewer than once per month.

#### Possible investigation steps

- Identify the administrator who performed the conversion (`azure.auditlogs.properties.initiated_by`)
  and verify whether the action was authorized.
- Check when the guest account was originally invited: look for "Invite external user" in AuditLogs
  with the same target object ID.
- Review post-conversion sign-in activity in `azure.signinlogs.*` for the target account -- look for
  directory enumeration patterns (access to Graph API `/users`, `/groups`, `/applications`).
- Check whether the converting actor's role was recently granted and whether other high-privilege
  operations were performed around the same time.

### False positive analysis

- Planned B2B-to-member migrations coordinated by HR or IT should be documented in change records.
  Confirm via ticket correlation before closing.

### Response and remediation

- Revert the UserType to Guest if unauthorized: Entra ID > Users > Edit properties.
- Revoke all sessions for the affected account.
- Review all directory objects the account accessed after the conversion.
"""
references = [
    "https://learn.microsoft.com/en-us/entra/external-id/user-properties",
    "https://learn.microsoft.com/en-us/entra/identity/users/convert-external-users-internal",
]
risk_score = 47
rule_id = "30090d40-cdfd-4750-a281-0125fdf22045"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "azure.auditlogs" and
azure.auditlogs.operation_name: "Update user" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: "UserType" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value: *Guest* and
azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: *Member* and
event.outcome: (Success or success)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```

Triage and analysis

Investigating Entra ID Guest Account Promoted to Member

A Guest-to-Member UserType conversion is a rarely needed, high-impact operation that removes all guest account restrictions. In most tenants it occurs fewer than once per month.

Possible investigation steps

  • Identify the administrator who performed the conversion (azure.auditlogs.properties.initiated_by) and verify whether the action was authorized.
  • Check when the guest account was originally invited: look for "Invite external user" in AuditLogs with the same target object ID.
  • Review post-conversion sign-in activity in azure.signinlogs.* for the target account -- look for directory enumeration patterns (access to Graph API /users, /groups, /applications).
  • Check whether the converting actor's role was recently granted and whether other high-privilege operations were performed around the same time.

False positive analysis

  • Planned B2B-to-member migrations coordinated by HR or IT should be documented in change records. Confirm via ticket correlation before closing.

Response and remediation

  • Revert the UserType to Guest if unauthorized: Entra ID > Users > Edit properties.
  • Revoke all sessions for the affected account.
  • Review all directory objects the account accessed after the conversion.
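As an added worked example (not part of the Elastic rule or its repository), the rule's query logic and the first two triage steps replayed in Python over constructed audit events shaped like the ECS fields the KQL queries. The object IDs, principals and timestamps are constructed, and the sample models Entra ID's habit of JSON-encoding modified values (`"Guest"` with quotes), which is why the rule matches with `*Guest*` wildcards rather than exact values.

```python
import fnmatch

# Constructed sample events (no real tenant data), shaped like the ECS fields the rule queries.
# Entra ID audit logs JSON-encode modified values ('"Guest"'), which is why the rule uses *Guest*.
def _event(ts, op, target_id, actor, props=None, outcome="success"):
    return {"@timestamp": ts, "data_stream": {"dataset": "azure.auditlogs"},
            "event": {"outcome": outcome},
            "azure": {"auditlogs": {"operation_name": op, "properties": {
                "initiated_by": {"user": {"userPrincipalName": actor}},
                "target_resources": {"0": {"id": target_id, "modified_properties": props or {}}}}}}}

GUEST_ID = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed object id
USERTYPE_CHANGE = {"0": {"display_name": "UserType", "old_value": '"Guest"', "new_value": '"Member"'}}
SAMPLE_EVENTS = [
    _event("2026-04-02T10:15:00Z", "Invite external user", GUEST_ID, "hr@contoso.example"),
    _event("2026-05-20T09:00:00Z", "Update user", GUEST_ID, "admin@contoso.example", USERTYPE_CHANGE),
    # Benign edit of the same account: DisplayName changed, UserType untouched -> no alert.
    _event("2026-05-20T09:05:00Z", "Update user", GUEST_ID, "admin@contoso.example",
           {"0": {"display_name": "DisplayName", "old_value": '"Guest User"', "new_value": '"G. User"'}}),
    # Failed conversion attempt -> filtered out by the event.outcome clause.
    _event("2026-05-20T09:10:00Z", "Update user", "22222222-aaaa-4bbb-8ccc-000000000002",
           "svc@contoso.example", USERTYPE_CHANGE, outcome="failure"),
]

def _targets(event):
    return event["azure"]["auditlogs"]["properties"]["target_resources"].values()

def matches_rule(event):
    """Mirror of the KQL: dataset, 'Update user', UserType Guest->Member, successful outcome."""
    al = event["azure"]["auditlogs"]
    if event["data_stream"]["dataset"] != "azure.auditlogs" or al["operation_name"] != "Update user":
        return False
    if event["event"]["outcome"] not in ("Success", "success"):
        return False
    return any(p.get("display_name") == "UserType"
               and fnmatch.fnmatchcase(p.get("old_value", ""), "*Guest*")
               and fnmatch.fnmatchcase(p.get("new_value", ""), "*Member*")
               for tr in _targets(event) for p in tr["modified_properties"].values())

def triage(events):
    """Per alert: the converting actor and the original invite time (triage steps 1 and 2)."""
    invited = {tr["id"]: e["@timestamp"] for e in events for tr in _targets(e)
               if e["azure"]["auditlogs"]["operation_name"] == "Invite external user"}
    return [{"target_id": tr["id"], "converted_at": e["@timestamp"],
             "actor": e["azure"]["auditlogs"]["properties"]["initiated_by"]["user"]["userPrincipalName"],
             "invited_at": invited.get(tr["id"])}
            for e in events if matches_rule(e) for tr in _targets(e)]
```

Only the successful UserType change fires; the later DisplayName edit and the failed attempt are dropped exactly as the KQL drops them, and the alert carries the invite timestamp the analyst would otherwise have to look up by hand.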
