🔵 CIS Azure 1.2 | Rule: AZ-IAM-002 | Severity: medium

Ensure guest users are reviewed regularly

Description

External guest users in Azure AD should be reviewed quarterly and removed if no longer needed.

⚠️ Risk Impact

Stale guest accounts retain access to shared resources. Former partners and contractors may access sensitive data.

🔍 How EchelonGraph Detects This

AZ-IAM-002: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Azure accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

Review guest users: Azure Portal > Azure AD > Users > Filter by User Type: Guest.

💀 Real-World Attack Scenario

A consulting firm's Azure AD guest account remained active 18 months after the engagement ended. When the consulting firm itself was breached, attackers used the still-active guest credentials to access shared SharePoint sites containing M&A documents, financial projections, and customer contracts.

💰 Cost of Non-Compliance

Stale guest accounts are involved in 23% of lateral movement attacks. Average cost of third-party credential breach: $4.5M. GDPR requires data access review — stale guest access is a common audit finding.

📋 Audit Questions

  1. How many guest users exist in Azure AD?
  2. When was each guest user last active?
  3. Is Azure AD Access Reviews configured for guest users?
  4. What resources can guest users access?
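One way to answer the first two audit questions from a Microsoft Graph user export, as an added example that is not EchelonGraph's code: the sample records below are constructed, the Graph query in the comment is an assumption about how the data would be pulled, and the 90-day idle window is a chosen threshold, not a CIS value.

```python
from datetime import datetime, timedelta

# Constructed sample shaped like Microsoft Graph user objects (assumed query:
# GET /v1.0/users?$filter=userType eq 'Guest'&$count=true&$select=userPrincipalName,
# userType,createdDateTime,externalUserState,signInActivity with header
# ConsistencyLevel: eventual; signInActivity needs the AuditLog.Read.All permission).
SAMPLE_USERS = [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2023-01-10T09:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2024-03-20T08:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-06-01T07:00:00Z"}},
    {"userPrincipalName": "bob_consult.example#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2022-11-02T12:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2022-12-15T10:00:00Z"}},
    {"userPrincipalName": "carol_vendor.example#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2024-01-15T00:00:00Z", "externalUserState": "PendingAcceptance"},
    {"userPrincipalName": "dave@contoso.example", "userType": "Member",
     "createdDateTime": "2020-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2019-01-01T00:00:00Z"}},
]

def _parse(ts):
    """Graph timestamps are ISO 8601 with a trailing Z; return an aware datetime or None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def last_activity(user):
    """Most recent interactive or non-interactive sign-in, or None if the guest never signed in."""
    act = user.get("signInActivity") or {}
    stamps = [_parse(act.get("lastSignInDateTime")),
              _parse(act.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def find_stale_guests(users, now, max_idle_days=90):
    """Return (userPrincipalName, reason) for every Guest idle longer than max_idle_days.
    Members are skipped; a guest with no sign-in at all is measured from createdDateTime,
    so an invitation that was never accepted is flagged once it ages past the window."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        seen = last_activity(u)
        if seen is None:
            seen = _parse(u["createdDateTime"])
            pending = u.get("externalUserState") == "PendingAcceptance"
            why = "invitation never accepted" if pending else "no sign-in since creation"
        else:
            why = f"last sign-in {seen.date().isoformat()}"
        if seen < cutoff:
            stale.append((u["userPrincipalName"], why))
    return stale
```

Running `find_stale_guests(SAMPLE_USERS, _parse("2024-07-01T00:00:00Z"))` flags the long-idle consultant and the never-accepted vendor invitation while leaving the active partner and the member account alone; the flagged list is the input for the quarterly review rather than an automatic removal.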

🎯 MITRE ATT&CK Mapping

  • T1078 — Valid Accounts
  • T1199 — Trusted Relationship

⚡ Common Pitfalls

  • Not using Azure AD Access Reviews to automate guest user review
  • Guest users with excessive permissions beyond original need
  • Not revoking guest access immediately when engagements end

📈 Business Value

Regular guest user review prevents third-party credential attacks and ensures compliance with data access requirements. Automated Access Reviews reduce manual effort by 90%.

⏱️ Effort Estimate

Manual

2-4 hours quarterly manual review

With EchelonGraph

EchelonGraph detects stale guest accounts and tracks access review compliance

🔗 Cross-Framework References

  • SOC2-CC6.2
  • ISO27001-A.9.2.5
