Skip to content

Invite External User

Azure

Invite External User

service: Azure - Microsoft Entra ID
tactics:
techniques:

Event

Sends a B2B guest invitation to an external user, granting them access to the tenant’s resources.

Security Context

  • Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. Compromised User Administrator account draco@fantasticlogs.cloud invites an external attacker-controlled identity (outside.draco@evilcorp.example) as a guest user. The invited identity gets a guest user object in our tenant; once accepted, that guest can be added to groups, granted RBAC roles, etc. The invitation creates a new User (Guest) target resource in targetResources[0] and may include the inviter’s UPN in additionalDetails.

{
"id": "Directory_90000000-0000-4000-8000-000001110011_4F7E2_61082451",
"category": "UserManagement",
"correlationId": "90000000-0000-4000-8000-000001110011",
"result": "success",
"resultReason": "",
"activityDisplayName": "Invite external user",
"activityDateTime": "2026-04-15T19:51:08.4172395Z",
"loggedByService": "Core Directory",
"operationType": "Add",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "30000000-0000-4000-8000-001010011100",
"displayName": "outside.draco_evilcorp.example#EXT#@fantasticlogs.cloud",
"type": "User",
"userPrincipalName": "outside.draco_evilcorp.example#EXT#@fantasticlogs.cloud",
"groupType": null,
"modifiedProperties": [
{
"displayName": "AccountEnabled",
"oldValue": "[]",
"newValue": "[true]"
},
{
"displayName": "DisplayName",
"oldValue": "[]",
"newValue": "[\"outside.draco\"]"
},
{
"displayName": "InvitedUserEmailAddress",
"oldValue": "[]",
"newValue": "[\"outside.draco@evilcorp.example\"]"
},
{
"displayName": "UserPrincipalName",
"oldValue": "[]",
"newValue": "[\"outside.draco_evilcorp.example#EXT#@fantasticlogs.cloud\"]"
},
{
"displayName": "UserType",
"oldValue": "[]",
"newValue": "[\"Guest\"]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"AccountEnabled, DisplayName, InvitedUserEmailAddress, UserPrincipalName, UserType\""
}
]
}
],
"additionalDetails": [
{
"key": "InvitedUserEmailAddress",
"value": "outside.draco@evilcorp.example"
},
{
"key": "User-Agent",
"value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)"
}
]
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.