Restless Guests: The True Entra B2B Guest Threat Model

May 28, 2025

BeyondTrust researchers discovered that Entra guest users with the right billing roles can create subscriptions and become Owners—without any explicit permissions in the target tenant. This blog unpacks how attackers could abuse this by-design behavior to pivot, persist, and potentially escalate privilege inside Microsoft Entra environments. Learn what’s at stake, how this technique works, and what defenders should do next.

Author:
Simon Maxwell-Stewart
Staff Security Researcher

The Entra Access Flaw Hiding in Plain Sight


Inviting external guest users is a common and useful practice for collaboration with external partners. These guest accounts are typically assigned limited privileges to reduce risk in the event they become compromised, but they exist outside of your organization's controls. The guest behavior we describe in this post may surprise Azure administrators, because typical threat models and best practices don’t account for an unprivileged guest creating their own subscription within your tenant.

In this blog, we’ll break down how little-known Microsoft Billing permissions can be misused by Entra guest users to create subscriptions in external tenants where they hold no direct privileges. You’ll learn how attackers can exploit this unexpected access to achieve unauthorized reconnaissance and persistence in the defender’s Entra ID. We also detail how some of these methods could lead to further privilege escalation in certain scenarios. We’ll walk through real-world abuse paths, explore why this gap in access control is so dangerous, and outline what defenders need to know now.

In other words, the guest you invited could quickly overstay their welcome.

Azure & Entra ID Basics


The basics of Entra and Azure permissions are well documented. Entra ID is an Identity Provider (IdP) within Azure. It allows identities to be assigned directory roles, like Global Administrator, which allow administration of different aspects of the directory.

Figure 1 - Entra ID basic privilege model

Azure resources are logically isolated into subscriptions, and users inside Entra can also be assigned RBAC roles that allow them to administer the resources inside a particular subscription.

Figure 2 - Azure Resources basic privilege model

However, there’s an entirely parallel set of lesser-known permissions that relate to billing management and subscription creation. When considering best practices for locking down Entra ID or performing an Azure threat model, the focus is generally on administrative permissions, not billing permissions. This is especially true when thinking about restricting external guest accounts.

Billing Agreements


Microsoft offers many ways to pay for an Azure subscription, but we are going to focus on two: Enterprise Agreements (EA) and Microsoft Customer Agreements (MCA).

Enterprise Agreements are three-year agreements for commercial organizations to purchase Microsoft products and services, and are now considered legacy. Microsoft Customer Agreements are transactional, volume-based licensing agreements that can cover multiple licensing agreements under one account. Both allow you to create Microsoft infrastructure, like Azure subscriptions, and govern how that gets billed.

Critically, pay-as-you-go licensing also falls under an ad-hoc MCA. This means the typical tenant and subscription an individual might create with a credit card falls under an MCA and in our case, can be used to abuse the misconfigurations we’ll be discussing.

Enterprise Agreements

EAs consist of three components. The enrollment sits at the top of the hierarchy and represents the agreement you have with Microsoft. The enrollment can optionally be sub-divided into departments. These departments can then contain accounts, which is what subscriptions are ultimately billed against.

Figure 3 - Enterprise Agreement billing privilege model

The available Azure Enterprise Agreement roles are as follows. EA billing roles can only be assigned to individual user accounts. A large percentage of the billing roles can create subscriptions, shown below:

| Billing Role | Summary | Ability to Create Subscription |
|---|---|---|
| Enterprise Administrator | View and manage all aspects of the EA | Yes |
| EA Purchaser | Can purchase Azure services, but aren't allowed to manage accounts | No |
| Department Administrator | View and manage all aspects of the department, and add account owners | Not directly, but added account owners can |
| Account Owner | Create, view and manage subscriptions | Yes |


Microsoft Customer Agreement

MCAs work differently than EAs. The account represents the agreement you have with Microsoft and is at the top of the hierarchy. The account can contain many billing profiles, where credit cards can be associated to different profiles. These profiles can then be organized using invoice sections, which map to different subscriptions that will be billed to these invoice sections.

Figure 4 - Microsoft Customer Agreement billing privilege model

The available Azure Microsoft Customer Agreement roles are as follows. A larger percentage of the billing roles can create subscriptions, shown below:

| Billing Role | Summary | Ability to Create Subscription |
|---|---|---|
| Billing account owner | Manage everything for billing account | Yes |
| Billing account contributor | Manage everything except permissions on the billing account | Yes |
| Billing account reader | Read-only view of everything on billing account | No |
| Billing profile owner | Manage everything for billing profile | Yes |
| Billing profile contributor | Manage everything except permissions on the billing profile | Yes |
| Billing profile reader | Read-only view of everything on billing profile | No |
| Invoice Manager | View and pay invoices for billing profile | No |
| Invoice Section owner | Manage everything on invoice section | Yes |
| Invoice Section contributor | Manage everything except permissions on the invoice section | Yes |
| Invoice Section reader | Read-only view of everything on the invoice section | No |
| Azure Subscription Creator | Create Azure subscriptions | Yes |

Why Do Billing Permissions Matter?


An initial assumption is that these permissions are limited to the guest user’s home tenant. Overlapping permission models mean their effects can reach far beyond that scope. A user with one of these billing roles can create/move a subscription to ANY tenant they are a part of, including tenants they are merely a guest in. There are controls that prevent this behavior, but they are not the default settings.

Figure 5 - Guest made subscription in resource tenant

The EA/MCA billing roles are assigned at the billing account level, which exists separately from the Entra directory. Because billing roles permit subscription creation, they also allow the user to create and transfer subscriptions into a tenant where they are merely a guest. This becomes particularly problematic when the two tenants are not controlled by the same organization, which is the most common use case for B2B guest accounts.

BeyondTrust researchers also validated that the Owner assignment over a subscription allows a guest to transfer these subscriptions into the tenant they are invited into, while retaining ownership over the subscription.

To recap: if you invite an external guest account into your organization’s Entra tenant, and that account holds an EA or MCA billing role or owns a subscription in their home tenant, they can transfer subscriptions into your tenant while retaining ownership over them. This is true for external guest users who exist in pay-as-you-go Azure tenants that an attacker could spin up in just a few minutes.

Figure 6 - Guest becomes owner of guest made subscription

Microsoft’s Response


When we first brought this issue to Microsoft’s attention on 2024/10/31, they confirmed this is the expected behavior. They explained that this was a requested feature to allow guest accounts to create subscriptions in other Entra tenants; everything was working as intended. They directed BeyondTrust to policies that prevent subscription transfers and have provided some documentation on how these controls work. Microsoft pointed out that guests are billed for any resources they create, so the behavior cannot be used to offload costs onto the target tenant. They also stated that subscriptions act as a security boundary, so in theory a guest’s ability to impact the rest of your tenant should be limited.

Inside the Attack: How Restless Guests Exploit Entra Access


We will now demonstrate how this attack works from the Azure portal.

We begin with an Entra tenant that the attacker has created and controls using a free Azure trial. Within this tenant, we’ve assigned the “Simon” identity the Account Owner billing role under the ‘Cost Management + Billing’ section.

Figure 7 - Entra ID Billing account access control

Now, let’s invite our “attacker” account into our “defender” Entra tenant as a guest user. While in this case we are using an attacker-created tenant, this could also occur if a third-party tenant with guest accounts in your environment were compromised.

Figure 8 - Guest account is invited into a separate tenant

“Simon” is invited as a B2B guest user by our separate “defender” tenant, which represents a separate organization outside of the attacker’s control. You can see that the Simon external guest account has no group memberships, roles, or applications assigned to it.

It is also important to point out that the value of the identities field is “MicrosoftAccount”, which means the user is federating into this guest tenant from an existing Microsoft account. The same attack works when the value of the identities field is “ExternalAzureAD”, which means the guest user is federating from another AzureAD tenant.

Because “Simon” is a Billing Owner of the billing account associated with their home tenant, the attacker can create subscriptions in the tenant they’re a guest in using the standard Azure Portal UI. When creating a subscription for their home directory, under the advanced settings, they have the option to choose any tenant they are a part of.

We can now see the new, attacker-controlled subscription created, and that the attacker has the Owner role in this subscription.

Figure 9 - Guest creating a subscription in invited tenant

Subscription Creation Exploit Summary: Step-by-Step


In summary, here are the key steps an attacker can take to reproduce the behavior and gain elevated access using an unprivileged Entra guest account:

  1. Attacker gains control of a user who holds a billing role that can create subscriptions, or who owns a subscription, in some tenant, either by:
    1. Creating their own Entra tenant using an Azure free trial (the user they signed up with will be a Billing Account owner)
    2. Or, by compromising an existing user in a tenant who already has a privileged billing role / subscription ownership
  2. Attacker gets an invite to become a guest user in their target Entra tenant.
  3. Attacker logs into the Azure Portal, goes into their own home directory – which they control completely.
  4. Attacker navigates to Subscriptions > Add +.
  5. Attacker switches to the “Advanced” tab and sets the defender’s directory as the target directory.
  6. Attacker creates subscription. No subscription will appear in the attacker tenant. Instead, the subscription appears in the defender tenant, under the root management group.
  7. Attacker will automatically be assigned the RBAC Role of “Owner” for this subscription.

The Risks of Guest-Controlled Subscription Creation: What a Malicious Guest Can Do with a New Subscription


The feature Microsoft has created here makes sense: some organizations have many tenants, and there are use cases where users with one home directory need to create subscriptions in others they are simply a guest in. The problem lies in the default behavior: if this capability were opt-in—meaning guests were blocked from creating subscriptions by default—the risk would be significantly reduced, and this wouldn’t pose a security concern.

Proof-of-Concept Attacks: Exploring the Guest Subscription Escalation Path


To understand the real-world impact of this issue, it’s important to see how attackers can weaponize guest access to create and control subscriptions. The following proof-of-concept scenarios show how a seemingly low-privilege guest can create a subscription, become an Owner, and use that position to compromise your tenant. Through this access, the attacker can perform actions that would normally be blocked by their limited role, including:

  • Listing root management group administrators
  • Weakening the default Azure policy tied to the subscription
  • Creating a user-managed identity in the Entra ID directory to establish stealthy persistence
  • Registering Microsoft Entra-joined devices that could escalate privilege via dynamic device groups

These actions fall outside what most Azure administrators expect a guest user to be capable of, making this privilege escalation pathway both under-recognized and dangerously accessible.

Scenario 1: Listing Root Management Group Admins

In many tenant configurations, guest users have zero permissions to list other users within a tenant. One of the initial actions an attacker can take is to view the “Access Control” (IAM) role assignments on the subscription they’ve created. Any administrators assigned at the root management group level of the tenant will be inherited by that subscription the attacker controls and appear in the role assignments view.

In other words, a guest user can passively enumerate high-value privileged accounts simply by inspecting the IAM settings of their own subscription. The names and UPNs of these admins are now exposed, making them ideal targets for follow-on attacks and social engineering.

Figure 10 - Guest user enumerating principals with roles over the root management group

We believe that this represents an interesting reconnaissance technique. Most Azure administrators wouldn’t expect an unprivileged guest in their Entra ID directory to be able to enumerate privileged users at all. But through the subscription-creation attack, that visibility becomes possible.

Figure 11 - Policy control to prevent the enumeration technique

Scenario 2: Weakening Azure Policy

By default, all subscriptions (and their resources) are governed by Azure policies that are designed to enforce security standards and trigger alerts when violations occur. For example, policies may generate alerts when virtual machines are configured with weak security settings or run known malicious tools inside the tenant.

However, when a guest becomes a subscription Owner, they have full write permissions to all policies that apply to their subscription. This means the attacker can modify or disable the policies applied to their subscription, effectively muting security alerts that would otherwise notify defenders of suspicious or non-compliant activity.

This control gap allows the attacker to operate within a rogue subscription with reduced visibility from security monitoring tools. From this foothold, they can perform malicious activities or target external systems—all while remaining under the radar. This is very useful for some of the other techniques listed below.

Figure 12 - Guest can change Azure policies that apply to resources inside subscription

Scenario 3: Creating User-Managed Identities

A guest user with subscription Owner permissions can create a User-Managed Identity within their subscription. Managed Identities are typically used to assign identities to Azure resources for service-to-service authentication, allowing them to act as security principals with assigned roles and permissions.

This becomes a powerful attack vector because creating a Managed Identity also creates a service principal identity in the shared Entra ID directory (referred to as an “enterprise application” in the UI). That means the guest user—through their subscription—has introduced a new identity into the tenant directory itself, extending their influence beyond the boundaries of the subscription.

Notably, the lifecycle of this service principal is not strictly tied to the attacker subscription. With the right permissions, it could interact with other subscriptions or the Entra directory directly.

To escalate further, the attacker can also assign this Managed Identity as the Owner of the previously created guest subscription. The managed identity then retains all the privilege the guest user originally had, giving the attacker a durable foothold in the environment, independent of their guest account. This kind of identity pivoting is a common persistence technique, allowing the attacker to hide in plain sight, away from the guest account.

Figure 13 - Guest made Managed Identity

Going further, the attacker can deepen that persistence using a known technique: adding federated credentials to the Managed Identity. These credentials can allow external actors or systems to authenticate as the identity, even after the original guest account is removed.

Figure 14 - A guest-made account adding federated credentials to the Managed Identity

Another reason the managed identity creation technique is so appealing to attackers is the API permission model. Service principals often require API Permissions to perform actions in the directory—but API permissions don’t benefit from the same privilege escalation protections that limit directory roles. Practically speaking, this service principal is a single misconfiguration away from obtaining a privileged directory role. One accidental API permission assignment like “RoleManagement.ReadWrite.Directory” to Microsoft Graph would be enough to grant Global Administrator-level control.

The good news for defenders: by default, service principals are locked down and have no real access unless explicitly granted. However, attackers could exploit this by launching targeted API permission phishing attacks, tricking legitimate admins into granting this managed identity elevated privileges. The service principal would appear like a legitimate Enterprise Application, and it would not be immediately apparent that a rogue guest is in control of it.

Scenario 4: Tenant-Joined Devices

Guest users with subscription Owner permissions can also create Azure resources that appear as “joined” devices in the Entra ID tenant. One technique involves creating a Virtual Machine (VM) and enabling the “Azure AD-based Windows Login” VM extension during setup.

Figure 15 - VM extension for Entra ID based Windows Login

When configured this way, the VM is automatically registered as a “device principal” in Entra ID > Devices.

Figure 16 - The VM is automatically registered as a “device principal” in Entra ID > Devices

While we will demonstrate how an attacker is able to steal the private certificate of a device like this in a future blog, it’s important to note that this attack path potentially allows for the abuse of conditional access policies. As detailed in the article “Stealing and faking Azure AD device identities” (see Sources), attackers may be able to exfiltrate the private certificate used to authenticate the device, granting them trusted access under the guise of a legitimate machine.

Figure 17 - Inside a VM that is joined to the directory as a device

Conditional access policies often depend on device trust, which can be established by dynamic groups. For example, an organization might configure dynamic groups like “Windows Workstations” or “VPN Machines” with membership rules, such as:

(device.displayName -startsWith "WORKSTATION") and (device.image -eq "windows 10")

Because the attacker controls many properties of the device, like its display name and operating system, they can use prior knowledge or simply experiment with different VM configurations to brute-force membership into trusted groups. If successful, this may allow the attacker to abuse Conditional Access Policies and gain unauthorized access to trusted assets.
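As an added example (not code from the post or from BeyondTrust), the following audit helper extracts the device properties a dynamic membership rule references and flags rules, like the one quoted above, whose conditions rest entirely on attributes a device reports about itself. Which properties count as device-asserted versus service-asserted is this example's own heuristic; the property names are assumed to be valid dynamic-membership properties and should be checked against current documentation. The sample rules are constructed.

```python
"""
Added example, not BeyondTrust's code: audit Entra dynamic device-group rules for
reliance on attributes the device asserts about itself. The split between
DEVICE_ASSERTED and SERVICE_ASSERTED is this example's own heuristic; the property
names are assumed to be real dynamic-membership properties (verify against current
Microsoft documentation). Sample rules are constructed; the first is the post's.
"""
import re
from typing import Dict, Set

# Reported by the device at registration: chosen by whoever builds the VM.
DEVICE_ASSERTED: Set[str] = {"displayName", "deviceOSType", "deviceOSVersion",
                             "deviceModel", "deviceManufacturer"}
# Populated by Intune / the join process rather than freely chosen by the device (assumed).
SERVICE_ASSERTED: Set[str] = {"isCompliant", "managementType", "deviceTrustType",
                              "enrollmentProfileName", "deviceOwnership"}

PROP_RE = re.compile(r"\bdevice\.([A-Za-z0-9_]+)")
QUOTED_RE = re.compile(r'"[^"]*"')

SAMPLE_RULES: Dict[str, str] = {
    # The rule quoted in the post: both conditions are under the device builder's control.
    "post_example": '(device.displayName -startsWith "WORKSTATION") and (device.image -eq "windows 10")',
    # Compliance state comes from MDM, so a self-built VM cannot simply assert it.
    "compliance_gated": '(device.isCompliant -eq True) and (device.deviceOSType -eq "Windows")',
    # A strong attribute is present, but the OR branch can be satisfied without it.
    "or_branch": '(device.isCompliant -eq True) or (device.displayName -startsWith "VPN-")',
}


def referenced_properties(rule: str) -> Set[str]:
    """Every device.<property> token in the rule, with quoted literals excluded."""
    return set(PROP_RE.findall(QUOTED_RE.sub('""', rule)))


def classify_rule(rule: str) -> dict:
    """Classify a rule as 'weak', 'review' or 'ok' and report which properties drove it.

    'weak'   : no service-asserted property at all; a device can satisfy the rule by itself.
    'review' : a service-asserted property exists, but an OR operator means some branch
               may not require it (full boolean parsing is out of scope here).
    'ok'     : at least one service-asserted property and only AND-combined conditions.
    """
    props = referenced_properties(rule)
    weak = props & DEVICE_ASSERTED
    strong = props & SERVICE_ASSERTED
    unknown = props - DEVICE_ASSERTED - SERVICE_ASSERTED   # e.g. typos or properties not classified
    has_or = re.search(r"\bor\b", QUOTED_RE.sub('""', rule), re.IGNORECASE) is not None
    if not strong:
        verdict = "weak"
    elif has_or:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "device_asserted": weak,
            "service_asserted": strong, "unknown": unknown}


if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        result = classify_rule(rule)
        print(f"{name:17s} {result['verdict']:7s} device={sorted(result['device_asserted'])} "
              f"service={sorted(result['service_asserted'])} unknown={sorted(result['unknown'])}")
```

Run against an export of your dynamic device groups, anything classified "weak" deserves a membership review, and anything "unknown" usually means the rule does not do what its author thought.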

This represents a device-based variant of a known dynamic group exploit previously seen in user object targeting. BeyondTrust’s Identity Security Insights® product helps to uncover many such misconfigured dynamic groups that unintentionally expose hidden Paths to Privilege™. Organizations should be careful with these kinds of setups.

Defending against Restless Guests


BeyondTrust has observed attackers actively abusing guest-based subscription creation in the wild, which makes proactive defense critical.

To mitigate this behavior, Microsoft allows organizations to configure Subscription Policies to block guests from transferring subscriptions into their tenant. This setting restricts subscription creation to explicitly permitted users only, and Microsoft has published supporting documentation for this control.

Figure 18 - Subscription policies that by default allow anyone, including guests, to transfer subscriptions into directory
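The following added example (not BeyondTrust's code, and not from the post) turns the Subscription Policies control into a posture check: it evaluates the tenant's policy document for both transfer directions and for exempted principals, and builds the request body that closes the gap. The ARM endpoint, its property names and the requirement for a Global Administrator with elevated access are assumptions to verify against Microsoft's documentation; the two policy documents in the block are constructed.

```python
"""
Added example, not code from BeyondTrust or the post: assess a tenant's Azure
Subscription Policies document for the weak default the post describes (any
user, guests included, may transfer or create subscriptions into the tenant).

Assumptions, to be verified against current Microsoft documentation: the
tenant-level policy is read and written at
  https://management.azure.com/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01
with the properties blockSubscriptionsIntoTenant, blockSubscriptionsLeavingTenant
and exemptedPrincipals, and reading it needs a Global Administrator whose access
has been elevated to the tenant root. Both policy documents below are constructed.
"""
import json
import urllib.request
from typing import Any, Dict, List

POLICY_URL = ("https://management.azure.com/providers/Microsoft.Subscription/"
              "policies/default?api-version=2021-10-01")

# Constructed: a tenant that never changed Subscription Policies (the Figure 18 posture).
WEAK_POLICY: Dict[str, Any] = {
    "id": "/providers/Microsoft.Subscription/policies/default",
    "name": "default",
    "properties": {
        "policyId": "00000000-0000-0000-0000-000000000000",   # placeholder
        "blockSubscriptionsLeavingTenant": False,
        "blockSubscriptionsIntoTenant": False,
        "exemptedPrincipals": [],
    },
}

# Constructed: both directions blocked, one member admin exempted (placeholder object id).
HARDENED_POLICY: Dict[str, Any] = {
    "id": "/providers/Microsoft.Subscription/policies/default",
    "name": "default",
    "properties": {
        "policyId": "00000000-0000-0000-0000-000000000000",
        "blockSubscriptionsLeavingTenant": True,
        "blockSubscriptionsIntoTenant": True,
        "exemptedPrincipals": ["11111111-1111-1111-1111-111111111111"],
    },
}


def assess_subscription_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for the policy document; an empty list means nothing to act on.

    A missing property is read as 'not blocked', the safe interpretation for a posture check.
    """
    props = policy.get("properties", {})
    findings: List[str] = []
    if not props.get("blockSubscriptionsIntoTenant", False):
        findings.append("Any user, including B2B guests, may create or transfer "
                        "subscriptions INTO this tenant (the default the post describes).")
    if not props.get("blockSubscriptionsLeavingTenant", False):
        findings.append("Subscription owners may transfer subscriptions OUT of this tenant.")
    exempt = props.get("exemptedPrincipals") or []
    if exempt:
        findings.append(f"{len(exempt)} principal(s) are exempted from the policy; "
                        "confirm each is a known member administrator, not a guest.")
    return findings


def hardened_policy_body(exempted_principals: List[str]) -> Dict[str, Any]:
    """PUT body that closes both transfer directions while keeping an explicit allow-list."""
    return {"properties": {
        "blockSubscriptionsLeavingTenant": True,
        "blockSubscriptionsIntoTenant": True,
        "exemptedPrincipals": list(exempted_principals),
    }}


def fetch_policy(bearer_token: str) -> Dict[str, Any]:
    """Live read of the policy (not exercised offline; see the assumptions above)."""
    req = urllib.request.Request(POLICY_URL, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for label, pol in (("weak default", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{label}]")
        for finding in assess_subscription_policy(pol) or ["no findings"]:
            print("  -", finding)
    print(json.dumps(hardened_policy_body(["11111111-1111-1111-1111-111111111111"]), indent=2))
```

Exempted principals are reported as a finding on purpose: the allow-list is exactly where a stale or guest entry would quietly re-open the path this post describes.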

In addition to enabling this policy, we recommend the following actions:

  • Audit all guest accounts in your environment and remove those that are no longer required
  • Harden guest controls as much as possible: for instance, disable guest-to-guest invitations
  • Monitor all subscriptions in your tenant regularly to detect unexpected guest-created subscriptions and resources
  • Monitor all Security Center alerts in the Azure Portal; relevant warnings may appear there even though visibility is inconsistent
  • Audit device access, especially where it relies on dynamic group rules.

Figure 19 - Security Center displaying a warning that guest accounts have owner permission on Azure resources
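As an added example (not BeyondTrust's tooling and not code from the post), here is the core of a check that implements the monitoring bullets above: it walks every subscription's role assignments, resolves user principals against the directory, and reports B2B guests holding Owner, Contributor or User Access Administrator, plus service principals privileged inside any subscription a guest has touched (the managed-identity pivot from Scenario 3). The ARM and Graph endpoints named in the docstring are the ones a live collector would call; the subscriptions, assignments and directory records here are constructed, and the object ids are placeholders.

```python
"""
Added example, not BeyondTrust's code: flag subscriptions in which a B2B guest holds
a privileged RBAC role, and, inside those subscriptions, service principals (such as a
guest-created managed identity) that also hold one. Input shapes follow the real APIs
a collector would call:
  ARM   GET https://management.azure.com/subscriptions/{subId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01
  Graph GET https://graph.microsoft.com/v1.0/users/{objectId}?$select=id,userPrincipalName,userType
All data below is constructed so the script runs offline; ids are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Built-in Azure role definition ids (identical in every tenant).
PRIVILEGED_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
ROLE_DEF_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
ROOT_MG_SCOPE = "/providers/Microsoft.Management/managementGroups/root"  # stand-in for the tenant root MG


def _assignment(principal_id: str, principal_type: str, role_guid: str, scope: str) -> dict:
    """Build a record in the shape ARM returns (only the fields this check reads)."""
    return {"properties": {"principalId": principal_id, "principalType": principal_type,
                           "roleDefinitionId": ROLE_DEF_PREFIX + role_guid, "scope": scope}}


SUB_PROD = "aaaaaaaa-0000-0000-0000-000000000001"
SUB_GUEST = "aaaaaaaa-0000-0000-0000-000000000002"

# Constructed tenant: a normal subscription, and one matching the post's pattern
# (guest Owner at subscription scope plus an SP Owner the guest created).
SAMPLE_SUBSCRIPTIONS = {SUB_PROD: "prod-platform", SUB_GUEST: "Azure subscription 1"}
SAMPLE_ROLE_ASSIGNMENTS = {
    SUB_PROD: [
        _assignment("u-admin", "User", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", ROOT_MG_SCOPE),
        _assignment("sp-deploy", "ServicePrincipal", "b24988ac-6180-42a0-ab88-20f7382dd24c", f"/subscriptions/{SUB_PROD}"),
    ],
    SUB_GUEST: [
        _assignment("u-admin", "User", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", ROOT_MG_SCOPE),  # inherited
        _assignment("u-guest", "User", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", f"/subscriptions/{SUB_GUEST}"),
        _assignment("sp-mi", "ServicePrincipal", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", f"/subscriptions/{SUB_GUEST}"),
    ],
}
SAMPLE_DIRECTORY = {  # keyed by object id, fields as Graph returns them
    "u-admin": {"userPrincipalName": "admin@defender.example", "userType": "Member"},
    "u-guest": {"userPrincipalName": "simon_attacker.example#EXT#@defender.example", "userType": "Guest"},
}


@dataclass(frozen=True)
class Finding:
    subscription_id: str
    subscription_name: str
    principal_id: str
    principal_type: str
    upn: Optional[str]
    role: str
    scope: str
    reason: str


def role_name(role_definition_id: str) -> Optional[str]:
    """Map a full roleDefinitionId to a privileged role name, or None if not privileged."""
    return PRIVILEGED_ROLE_IDS.get(role_definition_id.rsplit("/", 1)[-1])


def find_guest_privilege(subscriptions: Dict[str, str],
                         assignments_by_sub: Dict[str, List[dict]],
                         directory: Dict[str, dict]) -> List[Finding]:
    findings: List[Finding] = []
    for sub_id, sub_name in subscriptions.items():
        privileged = []
        for ra in assignments_by_sub.get(sub_id, []):
            p = ra["properties"]
            role = role_name(p["roleDefinitionId"])
            if role is not None:
                privileged.append((p, role))
        # Pass 1: guests (or users that no longer resolve, e.g. a removed guest) with privileged roles.
        guest_hits: List[Finding] = []
        for p, role in privileged:
            if p.get("principalType") != "User":
                continue
            user = directory.get(p["principalId"])
            if user is None:
                reason = "privileged assignment to a user not resolvable in the directory (orphaned?)"
            elif user.get("userType") == "Guest":
                reason = "B2B guest holds a privileged role"
            else:
                continue
            guest_hits.append(Finding(sub_id, sub_name, p["principalId"], "User",
                                      user.get("userPrincipalName") if user else None,
                                      role, p["scope"], reason))
        findings.extend(guest_hits)
        # Pass 2: only in a guest-touched subscription, surface service principals privileged at
        # subscription scope (the managed-identity pivot from Scenario 3). Kept conditional to
        # avoid flagging every deployment SP in healthy subscriptions.
        if guest_hits:
            for p, role in privileged:
                if p.get("principalType") == "ServicePrincipal" and p["scope"].startswith("/subscriptions/"):
                    findings.append(Finding(sub_id, sub_name, p["principalId"], "ServicePrincipal", None,
                                            role, p["scope"],
                                            "service principal privileged inside a guest-touched subscription"))
    return findings


if __name__ == "__main__":
    for f in find_guest_privilege(SAMPLE_SUBSCRIPTIONS, SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_DIRECTORY):
        print(f"{f.subscription_name} ({f.subscription_id}): {f.role} -> {f.upn or f.principal_id}: {f.reason}")
```

Inherited root-management-group assignments are deliberately left in scope: they are what Scenario 1 shows a guest reading, and a guest Owner that arrived via the root scope is the worst case rather than a false positive.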

To assist defenders, BeyondTrust Identity Security Insights provides built-in detections to flag subscriptions created by guest accounts, offering automated visibility into these unusual behaviors. To gain a snapshot of potential identity-based risks in your environment, including those introduced through guest access, BeyondTrust also offers a no-cost Identity Security Risk Assessment.

BeyondTrust Identity Security Insights customers can gain a holistic view of all identities across their entire identity fabric. This includes gaining a consolidated understanding of Entra guest accounts and their True Privilege™. We highly recommend customers of Insights regularly review Guest accounts that have high levels of true privilege.

Below is an example filter:

Figure 20 – Insights account filter for privileged Entra ID guest accounts

Conclusion


This research invites a broader re-evaluation of how organizations model threats associated with Entra ID guest accounts. In our view, the current threat model is yet to be fully understood by Entra customers.

BeyondTrust continues to research the true blast radius of device-based attacks, including how these techniques interact with other services, such as Intune, and whether multi-stage attacks could further escalate guest privileges. From a defender’s perspective, it’s critical to fully understand both the default behaviors and limitations of available controls to secure against this class of exploitation.

While more work is required to understand the true implications of this updated threat model, what we already know is concerning: any guest account federated into your tenant may be a privilege escalation pathway. The risk is not hypothetical—it is present, active, and largely under the radar.

We suspect many organizations leveraging Entra ID B2B Guest features are unaware of the possible privilege escalation paths that this feature inadvertently enables. Now is the time to re-examine your guest access policies, visibility tools, and subscription governance models—before these Restless Guests take advantage.

Sources

  • https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/ - Achieving persistence with Managed Identities and federated credentials
  • https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/ - Abusing dynamic groups of users in Entra ID
  • https://aadinternals.com/post/devices/ - Deep dive into devices in Entra ID
  • https://aadinternals.com/post/deviceidentity/ - How device identities can be faked and stolen in Entra ID
  • https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/understand-ea-roles - Microsoft documentation on Enterprise Agreement billing roles
  • https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/understand-mca-roles - Microsoft documentation on Microsoft Customer Agreement billing roles

About the Author

Simon Maxwell-Stewart
Staff Security Researcher

Simon Maxwell-Stewart is a University of Oxford physics graduate with over a decade of experience in the big data environment. Before joining BeyondTrust, he worked as a Lead Data Scientist in healthcare, and successfully brought multiple machine learning projects into production. Now working as a "resident graph nerd" on BeyondTrust's security research team, Simon applies his expertise in graph analysis to help drive identity security innovation.
