« Azure VM Serial Console Connection with Unusual User and ASN Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN »
Elastic Docs Elastic Security [8.19] Downloadable rule update v8.19.26

Entra ID Guest Account Promoted to Member

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Entra ID Guest Account Promoted to Member

edit

Identifies Entra ID user accounts converted from Guest to Member type via an Update user operation. A Guest-to-Member conversion grants the account full directory read access, removes external-identity Conditional Access restrictions, and makes the account indistinguishable from an internal employee. An attacker who compromises a guest account and promotes it to Member type gains persistent tenant access without triggering role assignment alerts.

Rule type: query

Rule indices:

  • logs-azure.auditlogs-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: Azure
  • Data Source: Microsoft Entra ID
  • Data Source: Microsoft Entra ID Audit Logs
  • Use Case: Identity and Access Audit
  • Tactic: Persistence
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic
  • descambiado

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Entra ID Guest Account Promoted to Member

A Guest-to-Member UserType conversion is a rarely needed, high-impact operation that removes all guest account restrictions. In most tenants it occurs fewer than once per month.

Possible investigation steps

  • Identify the administrator who performed the conversion (azure.auditlogs.properties.initiated_by) and verify whether the action was authorized.
  • Check when the guest account was originally invited: look for "Invite external user" in AuditLogs with the same target object ID.
  • Review post-conversion sign-in activity in azure.signinlogs.* for the target account — look for directory enumeration patterns (access to Graph API /users, /groups, /applications).
  • Check whether the converting actor’s role was recently granted and whether other high-privilege operations were performed around the same time.

False positive analysis

  • Planned B2B-to-member migrations coordinated by HR or IT should be documented in change records. Confirm via ticket correlation before closing.

Response and remediation

  • Revert the UserType to Guest if unauthorized: Entra ID > Users > Edit properties.
  • Revoke all sessions for the affected account.
  • Review all directory objects the account accessed after the conversion.

Rule query

edit
data_stream.dataset: "azure.auditlogs" and
azure.auditlogs.operation_name: "Update user" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: "UserType" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value: *Guest* and
azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: *Member* and
event.outcome: (Success or success)

Framework: MITRE ATT&CKTM

« Azure VM Serial Console Connection with Unusual User and ASN Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN »