IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Entra ID Guest Account Promoted to Member


Identifies Entra ID user accounts converted from Guest to Member type via an "Update user" operation. A Guest-to-Member conversion grants the account full directory read access, removes external-identity Conditional Access restrictions, and makes the account indistinguishable from an internal employee. An attacker who compromises a guest account and promotes it to Member type gains persistent tenant access without triggering role assignment alerts.

Rule type: query

Rule indices:

  • logs-azure.auditlogs-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: Azure
  • Data Source: Microsoft Entra ID
  • Data Source: Microsoft Entra ID Audit Logs
  • Use Case: Identity and Access Audit
  • Tactic: Persistence
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic
  • descambiado

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating Entra ID Guest Account Promoted to Member

A Guest-to-Member UserType conversion is a rarely needed, high-impact operation that removes all guest account restrictions. In most tenants it occurs less than once per month.

Possible investigation steps

  • Identify the administrator who performed the conversion (azure.auditlogs.properties.initiated_by) and verify whether the action was authorized.
  • Check when the guest account was originally invited: look for "Invite external user" in AuditLogs with the same target object ID.
  • Review post-conversion sign-in activity in azure.signinlogs.* for the target account — look for directory enumeration patterns (access to Graph API /users, /groups, /applications).
  • Check whether the converting actor’s role was recently granted and whether other high-privilege operations were performed around the same time.

False positive analysis

  • Planned B2B-to-member migrations coordinated by HR or IT should be documented in change records. Confirm via ticket correlation before closing.

Response and remediation

  • Revert the UserType to Guest if unauthorized: Entra ID > Users > Edit properties.
  • Revoke all sessions for the affected account.
  • Review all directory objects the account accessed after the conversion.

Rule query

data_stream.dataset: "azure.auditlogs" and
azure.auditlogs.operation_name: "Update user" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: "UserType" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value: *Guest* and
azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: *Member* and
event.outcome: (Success or success)
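As an added example (not Elastic's code and not part of this rule), the following Python re-implements the query above clause by clause, runs it over constructed sample audit-log documents, and then carries out two of the investigation steps from the guide: identifying the initiator and locating the "Invite external user" event for the same target object ID. Every document value, the actor UPN and the object IDs are constructed; the numeric-keyed layout of target_resources / modified_properties and the JSON-encoded old_value / new_value strings (which is why the rule uses *Guest* and *Member* wildcards) are assumptions about how the azure.auditlogs integration indexes these fields.

```python
from fnmatch import fnmatchcase
from typing import Any, Iterator

# Dotted prefix of the modified-property fields the rule query inspects.
MP = "azure.auditlogs.properties.target_resources.*.modified_properties.*"


def audit_event(ts, operation, outcome, actor, target_id, modified=None):
    """Build one constructed audit-log document (not real tenant data) in the layout the
    rule query addresses: target_resources and modified_properties are numeric-keyed
    objects, which is why the query reaches into them with '*' (assumed layout)."""
    props = {str(i): m for i, m in enumerate(modified or [])}
    return {
        "@timestamp": ts,
        "data_stream": {"dataset": "azure.auditlogs"},
        "event": {"outcome": outcome},
        "azure": {"auditlogs": {
            "operation_name": operation,
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": actor}},
                "target_resources": {"0": {"id": target_id, "modified_properties": props}},
            }}},
    }


# Constructed samples. old_value/new_value are JSON-encoded strings (note the embedded
# quotes), which is the reason the rule matches them with wildcards rather than exact terms.
ACTOR = "it-admin@example.test"  # constructed actor UPN
SAMPLE_EVENTS = [
    audit_event("2024-05-01T09:00:00Z", "Invite external user", "success", ACTOR, "obj-1111"),
    audit_event("2024-05-02T10:15:00Z", "Update user", "Success", ACTOR, "obj-1111",  # true positive
                [{"display_name": "UserType", "old_value": '"Guest"', "new_value": '"Member"'}]),
    audit_event("2024-05-02T11:00:00Z", "Update user", "success", ACTOR, "obj-2222",  # demotion: no match
                [{"display_name": "UserType", "old_value": '"Member"', "new_value": '"Guest"'}]),
    audit_event("2024-05-02T12:00:00Z", "Update user", "failure", ACTOR, "obj-3333",  # failed: no match
                [{"display_name": "UserType", "old_value": '"Guest"', "new_value": '"Member"'}]),
    audit_event("2024-05-02T13:00:00Z", "Update user", "success", ACTOR, "obj-4444",  # clauses satisfied
                [{"display_name": "UserType", "old_value": '"Member"', "new_value": '"Member"'},  # by different
                 {"display_name": "Department", "old_value": '"Guest Services"', "new_value": '"Member Care"'}]),
]


def _walk(obj: Any, path: list) -> Iterator[Any]:
    """Yield every value reachable along a dotted path; '*' expands to all keys."""
    if not path:
        yield obj
        return
    head, rest = path[0], path[1:]
    if isinstance(obj, dict):
        for key in (obj if head == "*" else [head] if head in obj else []):
            yield from _walk(obj[key], rest)


def field_values(doc, dotted):
    return [v for v in _walk(doc, dotted.split(".")) if isinstance(v, str)]


def any_match(doc, dotted, pattern):
    """Keyword-field semantics: exact string, or case-sensitive wildcard via fnmatchcase."""
    return any(fnmatchcase(v, pattern) for v in field_values(doc, dotted))


def matches_rule(doc) -> bool:
    """The rule query, clause by clause. Each clause is evaluated independently, so the
    three modified_properties clauses need not refer to the same property element."""
    return (any_match(doc, "data_stream.dataset", "azure.auditlogs")
            and any_match(doc, "azure.auditlogs.operation_name", "Update user")
            and any_match(doc, MP + ".display_name", "UserType")
            and any_match(doc, MP + ".old_value", "*Guest*")
            and any_match(doc, MP + ".new_value", "*Member*")
            and any(v in ("Success", "success") for v in field_values(doc, "event.outcome")))


def user_type_change(doc):
    """Stricter same-element view: (old, new) of the element whose display_name is UserType."""
    for element in _walk(doc, MP.split(".")):
        if isinstance(element, dict) and element.get("display_name") == "UserType":
            return element.get("old_value", ""), element.get("new_value", "")
    return None


def find_invite(events, target_id):
    """Investigation step: the 'Invite external user' event with the same target object ID."""
    for ev in events:
        if (any_match(ev, "azure.auditlogs.operation_name", "Invite external user")
                and target_id in field_values(ev, "azure.auditlogs.properties.target_resources.*.id")):
            return ev
    return None


def triage(events):
    """Run the rule and attach the context the guide asks for: initiator, invite time, and
    whether the UserType element itself went Guest -> Member (separates the cross-element case)."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        tid = field_values(ev, "azure.auditlogs.properties.target_resources.*.id")[0]
        change = user_type_change(ev)
        invite = find_invite(events, tid)
        findings.append({
            "timestamp": ev["@timestamp"], "target_id": tid,
            "initiated_by": field_values(ev, "azure.auditlogs.properties.initiated_by.user.userPrincipalName"),
            "change": change,
            "confirmed": bool(change) and "Guest" in change[0] and "Member" in change[1],
            "invited_at": invite["@timestamp"] if invite else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints two findings: obj-1111 (confirmed, with the invitation timestamp from the earlier event) and obj-4444, which satisfies the query as written even though its UserType element did not change, because the old_value and new_value clauses are matched by different modified properties. The same-element check in user_type_change is what an analyst would apply during triage to separate the two, and it is a useful sanity check on any alert from this rule where the "Update user" event touched several properties at once.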

Framework: MITRE ATT&CK™