How Entra Guest Users Can Exploit Microsoft Billing Permissions for Stealth Lateral Movement
with Simon Maxwell-Stewart, Staff Security Researcher
About the Session
Inviting external guest users is a common and useful practice for collaboration with external partners, but BeyondTrust researchers discovered that Entra guest users who hold the right billing roles can create subscriptions and become their Owners, without holding any explicit permissions in the target tenant. This stealthy lateral movement tactic lets a guest user gain a foothold in an environment where they should only have limited access.
In this webinar, Simon Maxwell-Stewart, Sr Security Researcher at BeyondTrust, breaks down:
How little-known Microsoft Billing permissions can be misused by Entra guest users to create subscriptions in external tenants where they hold no direct privileges.
How attackers can exploit this unexpected access to achieve unauthorized reconnaissance and persistence in the defender’s Entra ID.
How some of these methods could lead to privilege escalation in certain scenarios.
Watch as we walk through real-world abuse paths, explore why this gap in access control is so dangerous, and outline what defenders need to know now.
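The outcome the session describes is a guest-created subscription whose Owner is a guest account. An added triage check (example code written for this page, not part of the webinar or any BeyondTrust tool) that flags exactly that pattern from exported role assignments, assuming records shaped like `az role assignment list --all` output and a user lookup carrying the Microsoft Graph `userType` attribute; the sample data is constructed:

```python
import re
from typing import Optional

# Constructed sample data (made up for this example, not real tenants). Records
# are shaped like `az role assignment list --all` output; users carry the
# Microsoft Graph userType attribute ("Guest" or "Member").
ROLE_ASSIGNMENTS = [
    {"principalId": "u-guest-1", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-0001"},
    {"principalId": "u-member-1", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-0002"},
    {"principalId": "u-guest-1", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-0002"},
    {"principalId": "u-guest-2", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-0003/resourceGroups/rg-app"},
    {"principalId": "sp-ci", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-0004"},
]
USERS = {
    "u-guest-1": {"userPrincipalName": "alice_partner.example#EXT#@contoso.example",
                  "userType": "Guest"},
    "u-guest-2": {"userPrincipalName": "bob_vendor.example#EXT#@contoso.example",
                  "userType": "Guest"},
    "u-member-1": {"userPrincipalName": "carol@contoso.example", "userType": "Member"},
}
_SUB_RE = re.compile(r"^/subscriptions/([^/]+)")

def subscription_of(scope: str) -> Optional[str]:
    """Subscription id a scope sits under; None for tenant/management-group scopes."""
    m = _SUB_RE.match(scope)
    return m.group(1) if m else None

def guest_owner_findings(assignments, users, subscription_root_only=True):
    """(subscription, guest UPN, scope) for every Owner assignment held by a guest.
    By default only assignments at the subscription root are reported: that is the
    outcome the research describes (a guest creates a subscription and owns it)."""
    findings = []
    for a in assignments:
        if a.get("roleDefinitionName") != "Owner" or a.get("principalType") != "User":
            continue
        user = users.get(a.get("principalId"))
        if not user or user.get("userType") != "Guest":
            continue
        sub = subscription_of(a.get("scope", ""))
        if sub is None or (subscription_root_only and a["scope"] != f"/subscriptions/{sub}"):
            continue
        findings.append((sub, user["userPrincipalName"], a["scope"]))
    return sorted(findings)
```

This finds the result of the abuse path (a guest owning a subscription), not its cause in the billing account, so it complements rather than replaces a review of who holds billing roles; pass `subscription_root_only=False` to also surface guest Owners on nested resource-group scopes.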
Meet the Speakers
Simon Maxwell-Stewart
Staff Security Researcher
Simon Maxwell-Stewart is a University of Oxford physics graduate with over a decade of experience in the big data environment. Before joining BeyondTrust, he worked as a Lead Data Scientist in healthcare, and successfully brought multiple machine learning projects into production. Now working as a "resident graph nerd" on BeyondTrust's security research team, Simon applies his expertise in graph analysis to help drive identity security innovation.