A significant gap in Microsoft Entra’s subscription handling allows guest users to create and transfer Azure subscriptions into external tenants they’re invited to while retaining full ownership. This design oversight enables privilege escalation and unauthorized persistence, bypassing standard access controls.
Mechanism of the Vulnerability
Guest users with billing permissions (e.g., Enterprise Administrator, Account Owner, or Azure Subscription Creator) in their home tenant can create subscriptions in external tenants where they’re guests. This occurs because billing permissions operate at the billing-account level, separate from Entra directory roles or Azure RBAC.
Example: An attacker creates a free Azure trial account (granting billing permissions), gets invited as a guest to a target tenant, then creates a subscription there with Owner rights.
Guests transfer subscriptions into the target tenant using Azure’s subscription transfer process and retain ownership after the transfer. Because that ownership is an Azure RBAC assignment on the subscription rather than an Entra directory role, the target tenant’s administrators have no visibility into these subscriptions via standard Entra permission audits.
Why This Gap Exists
It’s a design flaw, not a bug. Microsoft confirms this behavior is intentional to support multi-tenant collaboration scenarios.
Mitigation Strategies
You can restrict subscription creation/transfer to permitted users only with this Microsoft Graph PowerShell command:
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
To help safeguard against this, remove unused accounts and disable guest-to-guest invitations. Monitor subscriptions to detect unexpected guest-created resources. And of course, restrict guest permissions – set Entra guest access to Restricted (blocks group membership visibility).
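The following script is an added example, not part of the original article, that checks the two conditions above from the target tenant's side: whether guest access is already set to Restricted (the role-template id is the one in the command above), and which subscriptions have an Owner role assignment that resolves to a guest user. It assumes the Az and Microsoft.Graph modules are installed and that Connect-AzAccount and Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All' have already been run by an account that can read every subscription in the directory.

```powershell
# Added example (not the article's own code). Assumes an existing Az and
# Microsoft Graph session with rights to read all subscriptions and users.

# Role-template id of the "Restricted guest user" level, as used in the article.
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Test-GuestAccessRestricted {
    # Reports whether the tenant's guest access level is already Restricted.
    $policy = Get-MgPolicyAuthorizationPolicy
    [pscustomobject]@{
        GuestUserRoleId = $policy.GuestUserRoleId
        IsRestricted    = ($policy.GuestUserRoleId -eq $RestrictedGuestRoleId)
    }
}

function Find-GuestOwnedSubscriptions {
    # Lists every subscription visible in this directory whose Owner role is
    # held by a guest (B2B) user. A SignInName containing '#EXT#' is a quick
    # hint, but the Graph lookup of UserType is the authoritative check.
    $tenantId = (Get-AzContext).Tenant.Id
    foreach ($sub in Get-AzSubscription -TenantId $tenantId) {
        Set-AzContext -SubscriptionId $sub.Id -TenantId $tenantId | Out-Null
        $owners = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" -RoleDefinitionName 'Owner' |
            Where-Object { $_.ObjectType -eq 'User' }
        foreach ($owner in $owners) {
            $user = Get-MgUser -UserId $owner.ObjectId -Property 'userType','userPrincipalName' `
                               -ErrorAction SilentlyContinue
            if ($user -and $user.UserType -eq 'Guest') {
                [pscustomobject]@{
                    SubscriptionName = $sub.Name
                    SubscriptionId   = $sub.Id
                    GuestOwner       = $user.UserPrincipalName
                    Finding          = 'Subscription Owner is a guest user'
                }
            }
        }
    }
}

Test-GuestAccessRestricted
Find-GuestOwnedSubscriptions | Format-Table -AutoSize
```

Run it on a schedule and alert on any new row from Find-GuestOwnedSubscriptions, since a guest-owned subscription will not surface in a review of Entra directory roles.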
Microsoft’s Stance and Limitations
Microsoft maintains this is “expected behavior,” emphasizing that guests bear subscription costs. They have no plans to change defaults; organizations must proactively enable controls.