Guest Users Invited To Tenant By Non Approved Inviters

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.defense-evasion attack.initial-access attack.t1078 ·

Share on:

Detects guest users being invited to tenant by non-approved inviters

Sigma rule (View on GitHub)

 1title: Guest Users Invited To Tenant By Non Approved Inviters
 2id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
 3status: test
 4description: Detects guest users being invited to tenant by non-approved inviters
 5references:
 6    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 7author: MikeDuddington, '@dudders1'
 8date: 2022-07-28
 9tags:
10    - attack.privilege-escalation
11    - attack.persistence
12    - attack.defense-evasion
13    - attack.initial-access
14    - attack.t1078
15logsource:
16    product: azure
17    service: auditlogs
18detection:
19    selection:
20        Category: 'UserManagement'
21        OperationName: 'Invite external user'
22    filter:
23        InitiatedBy|contains: '<approved guest inviter use OR for multiple>'
24    condition: selection and not filter
25falsepositives:
26    - If this was approved by System Administrator.
27level: medium

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Guest Users Invited To Tenant By Non Approved Inviters

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules