Guest Account Subscription Creation Emerges as a Major Entra Security Threat

A critical gap in Microsoft Entra’s subscription handling allows guest users to stealthily escalate privileges, creating new attack paths that threaten enterprise security and demand urgent mitigation.

By Jace Reed


A newly exposed risk in Microsoft Entra environments allows guest users to create subscriptions and transfer them into external tenants while retaining full ownership. The precondition is an invitation to another organization's Entra tenant combined with the appropriate billing permissions in the guest's home tenant. Once the guest account exists in the target tenant, the guest can create subscriptions in their home tenant and transfer them across, keeping privileged access throughout.

This tactic operates outside the boundaries of standard Entra Directory or Azure RBAC roles, exploiting overlooked billing roles that exist beyond typical identity and access management controls.

The Hidden Attack Path: Exploiting Billing Roles for Privilege Escalation

While most security teams concentrate on directory and RBAC roles, they often overlook billing roles at the account level. A user with billing privileges can spin up or transfer subscriptions into a target tenant and automatically receive owner-level access.

This bypasses conventional permission reviews and creates a stealthy foothold for attackers. Since guest access is often considered low-risk, many organizations fail to monitor or restrict these actions, leaving their environments exposed to lateral movement and persistent threats.

Did you know?
Billing roles in Azure operate outside the traditional Entra directory and RBAC boundaries, giving users with these privileges unexpected power to create and control subscriptions in external tenants.

Real-World Impact: What Attackers Can Do with a Guest-Owned Subscription

Once an attacker gains ownership of a subscription within a target tenant, they can carry out a wide array of malicious activities. They can enumerate privileged accounts, weaken or disable Azure security policies, and create user-managed identities that persist beyond the original guest account.

Attackers may also register devices and manipulate conditional access policies, blending their presence with legitimate users and evading detection. These capabilities enable sophisticated reconnaissance, persistence, and privilege escalation, all under the radar of standard security monitoring.


Why Guest Subscription Creation Is a Growing Concern for Enterprise Security

This attack vector is not hypothetical. Researchers have observed attackers actively abusing guest-based subscription creation in the wild. B2B scenarios, where tenants federate across organizations and default settings permit broad guest invitations, heighten the risk.

Because these actions fall outside expected guest capabilities, many security teams remain unaware of the threat, making it dangerously accessible and under-recognized within the broader identity threat landscape.

Mitigations and the Path Forward for Entra Security

To defend against this threat, organizations must take proactive steps. Microsoft provides subscription policies to block guests from transferring subscriptions, and these should be enabled immediately. Additional best practices include auditing all guest accounts, disabling guest-to-guest invitations, monitoring for unexpected subscriptions, and reviewing device access policies.

Leveraging identity security tools that flag guest-created subscriptions can provide crucial visibility. Ultimately, organizations must re-examine their trust models and governance to address the evolving risks posed by guest accounts and inherited billing rights.
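As an added illustration of the audit and monitoring steps above (not code from the article or from Microsoft), the helper below flags subscriptions whose Owner role is held by a guest principal and reports which subscription-policy blocks are still off. The record shapes (role assignments, Entra user objects, and the two policy flags blockSubscriptionsIntoTenant / blockSubscriptionsLeavingTenant) are assumptions modelled on Azure's documented objects, and all sample data is constructed.

```python
# Added example: audit helper for guest-owned subscriptions and subscription-policy gaps.
# Input shapes are assumptions modelled on Azure role assignments, Entra user objects
# and the Microsoft.Subscription tenant policy document; sample data is constructed.

GUEST_MARKER = "#EXT#@"   # B2B guest accounts carry this marker in their UPN


def is_guest(user: dict) -> bool:
    """A principal is a guest if Entra marks it so or its UPN carries the B2B marker."""
    return user.get("userType") == "Guest" or GUEST_MARKER in user.get("userPrincipalName", "")


def guest_owned_subscriptions(role_assignments: list, users_by_id: dict) -> list:
    """Return subscription ids whose subscription-scope Owner assignment belongs to a guest."""
    flagged = set()
    for ra in role_assignments:
        if ra["roleDefinitionName"] != "Owner":
            continue
        scope = ra["scope"]
        # Only subscription-scope owners count; resource-group scopes have extra path segments.
        if not scope.startswith("/subscriptions/") or scope.count("/") != 2:
            continue
        user = users_by_id.get(ra["principalId"])
        if user and is_guest(user):
            flagged.add(scope.split("/")[2])
    return sorted(flagged)


def policy_gaps(policy: dict) -> list:
    """List subscription-policy flags that still allow subscriptions to move across tenants."""
    props = policy.get("properties", {})
    return [k for k in ("blockSubscriptionsIntoTenant", "blockSubscriptionsLeavingTenant")
            if not props.get(k, False)]


# Constructed sample data (hypothetical tenant, ids and names)
USERS = {
    "u1": {"userPrincipalName": "alice@contoso.example", "userType": "Member"},
    "u2": {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "Guest"},
}
ROLE_ASSIGNMENTS = [
    {"principalId": "u1", "roleDefinitionName": "Owner", "scope": "/subscriptions/1111-aaaa"},
    {"principalId": "u2", "roleDefinitionName": "Owner", "scope": "/subscriptions/2222-bbbb"},
    {"principalId": "u2", "roleDefinitionName": "Owner", "scope": "/subscriptions/1111-aaaa/resourceGroups/rg1"},
    {"principalId": "u2", "roleDefinitionName": "Reader", "scope": "/subscriptions/3333-cccc"},
]
POLICY = {"properties": {"blockSubscriptionsIntoTenant": False, "blockSubscriptionsLeavingTenant": True}}

if __name__ == "__main__":
    print("guest-owned subscriptions:", guest_owned_subscriptions(ROLE_ASSIGNMENTS, USERS))
    print("policy gaps:", policy_gaps(POLICY))
```

In a live tenant the same functions would be fed from role-assignment listings, user lookups and the tenant subscription policy retrieved with your usual tooling; a non-empty result from either function is the condition to alert on.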



© 2025 MoneyOval.
All rights reserved.