If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.
A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.
All the guest user needs is permission to create subscriptions in their home tenant and an invitation as a guest into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic gives a guest user a privileged foothold in an environment where they should only have limited access.
Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource tenant. It can allow a threat actor to achieve unauthorized reconnaissance and persistence in the defender's Entra ID, and advance privilege escalation in certain scenarios.
Typical threat models and best practices don't account for an unprivileged guest creating their own subscription within your tenant, so this risk may not only exist outside your organization's controls; it may be off your security team's radar as well.
How to Compromise Your Entra ID Tenant with a Guest User Account
Guest-made subscription footholds exploit the fact that Microsoft's billing permissions (Enterprise Agreement or Microsoft Customer Agreement) are scoped at the billing account, not the Entra directory. Most security teams think about Azure permissions as either Entra Directory Roles (such as Global Administrator) or Azure RBAC Roles (such as Owner). But there is another set of permissions that get overlooked: Billing Roles.
While Entra Directory and Azure RBAC Roles focus on managing permissions around identities and access to resources, Billing roles operate at the billing account level, which exists outside the well-understood Azure tenant authentication and authorization boundaries. A user with the right billing role can spin up or transfer subscriptions from their home tenant to gain control inside a target tenant, and a security team that is strictly auditing Entra Directory roles won't gain visibility of these subscriptions in a standard Entra permission review.
When a B2B guest user is invited to a resource tenant, they access the tenant via federation from their home tenant. This is a cost-saving measure, the trade-off being that your tenant cannot enforce auth controls like MFA. As such, defenders usually try to limit the privileges and access of guests as they are inherently less securable. However, if the guest has a valid billing role in their home tenant, they can use it to become a subscription owner inside Azure.
This is also true for guest users who exist in pay-as-you-go Azure tenants, which an attacker could spin up in just a few minutes. And, by default, any user, including guests, can invite external users into the directory. This means an attacker could use a compromised account to invite a user with the correct billing permissions into your environment.
How an Attacker can Gain Elevated Access Using an Unprivileged Entra Guest Account:
- Attacker gains control of a user with a billing role that can create subscriptions, or who owns a subscription in a tenant, either by:
  - Creating their own Entra tenant using an Azure free trial (the user they signed up with will be a Billing Account owner)
  - Compromising an existing user in a tenant who already has a privileged billing role or subscription ownership
- Attacker gets an invite to become a guest user in their target Entra tenant. By default, any user or guest can invite a guest into the tenant.
- Attacker logs into the Azure Portal and switches to their own home directory, which they completely control.
- Attacker navigates to Subscriptions > Add +.
- Attacker switches to the "Advanced" tab and sets the defender's directory as the target directory.
- Attacker creates the subscription. No subscription appears in the attacker's tenant; instead, it appears in the defender's tenant, under the root management group.
- Attacker is automatically assigned the RBAC role of "Owner" for this subscription.
Real-World Risk: What a Restless Guest Can Do with a New Subscription
Once an attacker has a subscription with Owner permissions within another organization's tenant, they can use that access to perform actions that would normally be blocked by their limited role. These include:
- Listing Root Management Group Administrators - In many tenant configurations, guest users have zero permissions to list other users within a tenant; however, following a guest subscription attack, that visibility becomes possible. The guest Owner can view the "Access Control" role assignments on the subscription they've created. Any administrators assigned at the root management group level of the tenant will be inherited and will appear in the role assignments view of the subscription, exposing a list of high-value privileged accounts that are ideal targets for follow-on attacks and social engineering.
- Weakening the Default Azure Policy Tied to the Subscription - By default, all subscriptions (and their resources) are governed by Azure policies designed to enforce security standards and trigger alerts when violations occur. However, when a guest becomes a subscription Owner, they have full write permissions to all policies that apply to their subscription and can modify or disable them, effectively muting security alerts that would otherwise notify defenders of suspicious or non-compliant activity. This further reduces visibility from security monitoring tools, allowing the attacker to perform malicious activities or target external systems under the radar.
- Creating a User-Managed Identity in the Entra ID Directory - A guest user with subscription Owner permissions can create a User-Managed Identity within their subscription: a special Azure identity that lives in the Entra directory but is linked to cloud workloads. This identity can:
  - Persist independently of the original guest account
  - Be granted roles or permissions beyond the subscription
  - Blend in with legitimate service identities, making detection harder
  - Be used in a targeted API permission phishing attack to trick legitimate admins into granting this managed identity elevated privileges
- Registering Microsoft Entra-Joined Devices and abusing Conditional Access Policies - Azure allows trusted devices to be registered and joined to Entra ID. An attacker can register devices under their hijacked subscription and have them appear as compliant corporate devices. Many organizations use dynamic device groups to auto-assign roles or access based on device status (e.g., "all users on compliant laptops get access to X"). By spoofing or registering a device, an attacker could abuse Conditional Access Policies and gain unauthorized access to trusted assets. This represents a device-based variant of a known dynamic group exploit[1] previously seen in user object targeting. BeyondTrust's Identity Security Insights product has helped customers uncover many similar misconfigured dynamic groups that unintentionally expose hidden Paths to Privilege™.
Why Guest Subscription Creation Is a Growing Concern for Entra Security
While more work is required to understand the true implications of this updated threat model, what we already know is concerning: any guest account federated into your tenant may represent a path to privilege. The risk is not hypothetical. Researchers at BeyondTrust have observed attackers actively abusing guest-based subscription creation in the wild. The threat is present, active, and the real danger here lies in the fact that it's largely under the radar.
These actions fall outside what most Azure administrators expect a guest user to be capable of. Most security teams don't account for guest users being able to create and control subscriptions. As a result, this attack vector often falls outside of typical Entra threat models, making this path to privilege under-recognized, unexpected, and dangerously accessible.
This attack vector is extremely common in B2B scenarios, where home and resource tenants are often controlled by different organizations. We suspect many organizations leveraging Entra ID B2B Guest features are unaware of the possible paths to privilege that this feature inadvertently enables.
Mitigations: How to Prevent Guest Subscription Accounts from Gaining a Foothold
To mitigate this behavior, Microsoft allows organizations to configure Subscription Policies to block guests from transferring subscriptions into their tenant. This setting restricts subscription creation to explicitly permitted users only, and Microsoft has published supporting documentation[2] for this control.
In addition to enabling this policy, we recommend the following actions:
- Audit all guest accounts in your environment and remove those that are no longer required
- Harden guest controls as much as possible: for instance, disable guest-to-guest invitations
- Monitor all subscriptions in your tenant regularly to detect unexpected guest-created subscriptions and resources
- Monitor all Security Center alerts in the Azure Portal; some alerts may still fire even though visibility into guest-created subscriptions is inconsistent
- Audit device access, especially where dynamic group rules are used
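Two of the checks above can be scripted from data you already have: the tenant subscription policy (does it block subscriptions entering the tenant, with nobody exempted?) and the RBAC role assignments (is any guest a direct Owner at subscription scope?). The following is an added example, not BeyondTrust's or Microsoft's code; it assumes the field names of the Microsoft.Subscription/policies/default REST document and the record shape of `az role assignment list --all -o json`, and runs over constructed sample data.

```python
import re

# Guest (B2B) UPNs in the resource tenant carry the "#EXT#@" marker,
# e.g. alias_home.example#EXT#@contoso.onmicrosoft.com (constructed sample).
GUEST_UPN = re.compile(r"#EXT#@", re.IGNORECASE)
SUB_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)


def policy_blocks_guest_transfers(policy: dict) -> bool:
    """True only if transfers into and out of the tenant are both blocked and
    nobody is exempted. Field names are assumed from the
    Microsoft.Subscription/policies/default REST document (api-version 2021-10-01)."""
    props = policy.get("properties", {})
    return (props.get("blockSubscriptionsIntoTenant") is True
            and props.get("blockSubscriptionsLeavingTenant") is True
            and not props.get("exemptedPrincipals"))


def guest_subscription_owners(assignments: list) -> list:
    """Return Owner assignments held directly at subscription scope by guest users.
    A subscription transferred in by a guest lands under the root management
    group with the guest as Owner, so a direct Owner assignment on a
    /subscriptions/<id> scope for a #EXT# principal is the thing to review.
    Record shape is assumed from `az role assignment list --all -o json`."""
    hits = []
    for a in assignments:
        if a.get("principalType") != "User" or a.get("roleDefinitionName") != "Owner":
            continue
        m = SUB_SCOPE.match(a.get("scope", ""))
        if m and GUEST_UPN.search(a.get("principalName", "")):
            hits.append({"subscription": m.group(1), "guest": a["principalName"]})
    return hits


# Constructed sample data (not from any real tenant); the management group id is a placeholder.
SAMPLE_POLICY = {"properties": {"blockSubscriptionsIntoTenant": False,
                                "blockSubscriptionsLeavingTenant": True,
                                "exemptedPrincipals": []}}
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"},
    {"principalName": "mallory_attacker.example#EXT#@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
    {"principalName": "bob_partner.example#EXT#@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
]

if __name__ == "__main__":
    print("guest subscription transfers blocked:", policy_blocks_guest_transfers(SAMPLE_POLICY))
    for hit in guest_subscription_owners(SAMPLE_ASSIGNMENTS):
        print(f"REVIEW: guest {hit['guest']} owns subscription {hit['subscription']}")
```

On the sample data the policy check reports False (subscriptions entering the tenant are not blocked) and the assignment scan flags only the guest Owner, not the guest Reader or the member Owner at management group scope.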
To assist defenders, BeyondTrust Identity Security Insights provides built-in detections to flag subscriptions created by guest accounts, offering automated visibility into these unusual behaviors.
BeyondTrust Identity Security Insights customers can gain a holistic view of all Identities across their entire identity fabric. This includes gaining a consolidated understanding of Entra Guest accounts and their True Privilege™.
The Bigger Picture: Identity Misconfigurations Are the New Exploits
Guest-made subscription compromise isn't an anomaly; it's a stark example of the many overlooked identity security weaknesses that can undermine the modern enterprise environment, if not adequately addressed. Misconfigurations and weak default settings are prime access points for threat actors who are looking for the hidden paths into your environment.
It isn't just your admin accounts that need to be included in your security policies anymore. B2B trust models, inherited billing rights, and dynamic roles mean that every account is a potential launch point for privilege escalation. Re-examine your guest access policies, visibility tools, and subscription governance models now, before these Restless Guests take advantage.
To gain a snapshot of potential identity-based risks in your environment, including those introduced through guest access, BeyondTrust offers a no-cost Identity Security Risk Assessment.
Note: This article is expertly written and contributed by Simon Maxwell-Stewart, Senior Security Researcher at BeyondTrust. Simon Maxwell-Stewart is a University of Oxford physics graduate with over a decade of experience in the big data environment. Before joining BeyondTrust, he worked as a Lead Data Scientist in healthcare, and successfully brought multiple machine learning projects into production. Now working as a "resident graph nerd" on BeyondTrust's security research team, Simon applies his expertise in graph analysis to help drive identity security innovation.
- [1] Mnemonic. "Abusing dynamic groups in Azure AD for privilege escalation." Available: https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/
- [2] Microsoft. "Manage Azure subscription policies." Available: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy