Guest Users in Admin Groups
Identifies guest users assigned to administrative groups
Why this matters
What this means
One or more guest (external) users have been assigned to administrative roles or role-assignable groups in your tenant. Guest users are identities managed by another organisation.
Why is it a security risk?
- You do not control the security posture of the guest's home tenant — their MFA, password policies, and conditional access are outside your jurisdiction.
- If the guest's home account is compromised, the attacker inherits administrative privileges in your tenant.
- This is flagged as Critical because admin-level access combined with external identity is the highest-risk combination.
Recommended next steps
- Go to Microsoft Entra admin center → Roles and administrators and check each admin role for guest members.
- For each guest admin, determine if there is a business justification. In most cases, the guest should be removed from the admin role.
- If external admin access is genuinely needed, create a dedicated cloud-only account in your tenant instead of using a guest invitation.
- Apply Conditional Access policies targeting guest users to enforce MFA and restrict sign-in locations.
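The check behind this rule, as an added example that is not EntraAnalyzer's own code: it runs offline over constructed Microsoft Graph responses (shaped like `GET /directoryRoles?$expand=members` and `GET /groups?$filter=isAssignableToRole eq true&$expand=members`) and flags guest users in admin roles and role-assignable groups, while ignoring ordinary groups and service principals. All ids, names and UPNs below are constructed sample values.

```python
# Added example, not EntraAnalyzer's own code: detection logic for this rule,
# run offline over constructed Microsoft Graph responses shaped like
# GET /directoryRoles?$expand=members and
# GET /groups?$filter=isAssignableToRole eq true&$expand=members.
# All names and UPNs below are constructed sample values.
from typing import Dict, List

USER = "#microsoft.graph.user"
SAMPLE_ROLES = {"value": [
    {"displayName": "Global Administrator", "members": [
        {"@odata.type": USER, "userPrincipalName": "alice@contoso.example", "userType": "Member"},
        {"@odata.type": USER, "userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example",
         "userType": "Guest"},
    ]},
]}
SAMPLE_GROUPS = {"value": [
    {"displayName": "Tier0-Admins", "isAssignableToRole": True, "members": [
        {"@odata.type": USER, "userPrincipalName": "carol_partner.example#EXT#@contoso.example",
         "userType": "Guest"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "automation-sp"},
    ]},
    {"displayName": "Project-Team", "isAssignableToRole": False, "members": [
        {"@odata.type": USER, "userPrincipalName": "dave_vendor.example#EXT#@contoso.example",
         "userType": "Guest"},
    ]},
]}

def is_guest(member: Dict) -> bool:
    """Guest if Graph reports userType=Guest or the UPN carries the B2B #EXT# marker."""
    if member.get("@odata.type") != USER:
        return False  # service principals and nested groups are out of scope here
    return member.get("userType") == "Guest" or "#EXT#" in member.get("userPrincipalName", "")

def find_guest_admins(roles: Dict, groups: Dict) -> List[Dict]:
    """One Critical finding per guest user in an admin role or role-assignable group."""
    findings = []
    containers = [("directoryRole", r) for r in roles.get("value", [])]
    containers += [("roleAssignableGroup", g) for g in groups.get("value", [])
                   if g.get("isAssignableToRole")]  # ordinary groups do not count
    for kind, c in containers:
        for m in c.get("members", []):
            if is_guest(m):
                findings.append({"severity": "Critical", "kind": kind,
                                 "container": c["displayName"], "user": m["userPrincipalName"]})
    return findings

if __name__ == "__main__":
    for f in find_guest_admins(SAMPLE_ROLES, SAMPLE_GROUPS):
        print(f"[{f['severity']}] {f['user']} is a guest in {f['kind']} '{f['container']}'")
```

Against the sample data this reports two findings (Bob in Global Administrator, Carol in Tier0-Admins) and ignores the guest in the non-role-assignable Project-Team group.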
How to fix it
Remove guest users from administrative roles and role-assignable groups unless absolutely necessary.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
- Directory.Read.All
- Group.Read.All
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.