Invite External User
Azure
Invite External User
Event
Sends a B2B guest invitation to an external user, granting them access to the tenant’s resources.
Security Context
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised User Administrator account draco@fantasticlogs.cloud invites an external attacker-controlled identity (outside.draco@evilcorp.example) as a guest user. The invited identity gets a guest user object in our tenant; once accepted, that guest can be added to groups, granted RBAC roles, etc. The invitation creates a new User (Guest) target resource in targetResources[0] and may include the inviter’s UPN in additionalDetails.
{ "id": "Directory_90000000-0000-4000-8000-000001110011_4F7E2_61082451", "category": "UserManagement", "correlationId": "90000000-0000-4000-8000-000001110011", "result": "success", "resultReason": "", "activityDisplayName": "Invite external user", "activityDateTime": "2026-04-15T19:51:08.4172395Z", "loggedByService": "Core Directory", "operationType": "Add", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "30000000-0000-4000-8000-001010011100", "displayName": "outside.draco_evilcorp.example#EXT#@fantasticlogs.cloud", "type": "User", "userPrincipalName": "outside.draco_evilcorp.example#EXT#@fantasticlogs.cloud", "groupType": null, "modifiedProperties": [ { "displayName": "AccountEnabled", "oldValue": "[]", "newValue": "[true]" }, { "displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"outside.draco\"]" }, { "displayName": "InvitedUserEmailAddress", "oldValue": "[]", "newValue": "[\"outside.draco@evilcorp.example\"]" }, { "displayName": "UserPrincipalName", "oldValue": "[]", "newValue": "[\"outside.draco_evilcorp.example#EXT#@fantasticlogs.cloud\"]" }, { "displayName": "UserType", "oldValue": "[]", "newValue": "[\"Guest\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled, DisplayName, InvitedUserEmailAddress, UserPrincipalName, UserType\"" } ] } ], "additionalDetails": [ { "key": "InvitedUserEmailAddress", "value": "outside.draco@evilcorp.example" }, { "key": "User-Agent", "value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)" } ]}MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.