Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges
A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security gap in Microsoft Entra ID that could allow external guest users to gain powerful control over Azure environments.
Contrary to common assumptions, Entra B2B guest accounts—typically used for collaboration with external partners—can leverage specific billing roles to create and transfer Azure subscriptions into a target tenant, even without explicit administrative privileges in that environment.
This behavior is not the result of a software bug but rather stems from how Microsoft has architected billing and subscription management.
If a guest user holds a billing role such as “Billing Account Owner” or “Account Owner” in their home tenant, they can use this authority to spin up new subscriptions and move them into any other tenant where they are a guest.
Once the subscription is created in the target tenant, the guest automatically gains the “Owner” role for that subscription, opening up a range of potential attack vectors.

Key Technical Terms and Roles
- Entra ID: Microsoft’s cloud-based identity provider, formerly known as Azure Active Directory.
- B2B Guest Account: An external user invited into an organization’s Entra tenant for collaboration.
- RBAC (Role-Based Access Control): The system that governs what actions users can perform on Azure resources.
- Billing Roles: Special roles that control who can create and manage Azure subscriptions, separate from RBAC.
- Subscription Owner: The user with full administrative rights over an Azure subscription.
Azure Billing Roles (EA = Enterprise Agreement, MCA = Microsoft Customer Agreement)

| Billing Role | Can I create a Subscription? | Scope of Control |
|---|---|---|
| Enterprise Administrator | Yes | All aspects of EA |
| Account Owner (EA) | Yes | Subscriptions |
| Billing Account Owner (MCA) | Yes | Billing account |
| Billing Profile Owner (MCA) | Yes | Billing profile |
| Invoice Section Owner (MCA) | Yes | Invoice section |
| Azure Subscription Creator | Yes | Subscriptions |
| Billing Account Reader | No | Read-only |
| Invoice Manager | No | View/pay invoices only |
What a Malicious Guest Can Do
Once a guest user becomes a subscription Owner, they gain broad administrative control over resources within that subscription.
This access enables several advanced attack techniques that bypass typical security expectations:
- Reconnaissance: The guest can enumerate privileged users by inspecting IAM (Identity and Access Management) settings on their subscription, revealing the names and roles of administrators at the root management group level.
- Policy Manipulation: As Owner, the guest can modify or disable Azure policies tied to the subscription, potentially muting security alerts and bypassing compliance controls.
- Persistence via Managed Identities: The attacker can create user-managed identities (service principals), which persist in the Entra ID directory even after the guest account is removed. These identities can be leveraged for ongoing access or further privilege escalation.
- Device Trust Abuse: By registering Azure VMs as Entra-joined devices, the attacker can manipulate device-based conditional access policies, potentially gaining unauthorized access to sensitive resources.
Kusto Query to Detect Blocked B2B Guest Users
```kusto
// Detect B2B guest users blocked in our tenant due to risk in their home tenant
let DAYS = 365d;
let HOMETENANTID = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX';   // replace with your own tenant ID
SigninLogs
| where TimeGenerated > ago(DAYS)
| where HomeTenantId != HOMETENANTID      // keep only identities homed in another tenant (B2B guests)
| where ResultType == "530032"            // sign-in blocked by a Conditional Access security policy
| join kind=leftouter (
    // last successful sign-in of the same guest, to see whether the account ever worked here
    SigninLogs
    | where TimeGenerated > ago(DAYS)
    | where HomeTenantId != HOMETENANTID
    | where ResultType == "0"             // successful sign-in
    | project UserPrincipalName2=UserPrincipalName, TimeGenerated2=TimeGenerated
) on $left.UserPrincipalName == $right.UserPrincipalName2
| summarize LastError = max(TimeGenerated), LastSignIn = max(TimeGenerated2) by UserPrincipalName
| sort by LastError desc
```
Defending Against the Hidden Threat
Microsoft acknowledges this behavior as intended, citing legitimate multi-tenant scenarios where guests may need to create subscriptions.
However, the default configuration leaves organizations exposed until proactive controls are implemented.

Recommended Mitigations:
- Enable Subscription Policies: Restrict guest users from transferring or creating subscriptions in your tenant by activating non-default subscription policies.
- Audit Guest Accounts: Regularly review and remove unnecessary guest accounts, especially those with elevated billing or subscription roles.
- Monitor for Anomalous Subscriptions: Watch for unexpected guest-created subscriptions and resources using Azure monitoring tools and security alerts.
- Harden Conditional Access: Implement device compliance, risk-based authentication, and Zero Trust policies to limit the blast radius of compromised accounts.
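The "Audit Guest Accounts" and "Monitor for Anomalous Subscriptions" steps above, and the guest-becomes-Owner scenario described earlier, come down to one check: which subscriptions have a B2B guest holding subscription-wide Owner (or User Access Administrator) rights. The following is an added example, not code from the article or from BeyondTrust; it assumes records in the shape of `az role assignment list --all` and `az ad user list` output, using constructed sample data so it runs offline.

```python
"""Flag Azure subscriptions where an Entra B2B guest holds subscription-wide privilege.

Record shapes mirror `az role assignment list --all` and `az ad user list`
(only the fields used here). All records below are constructed samples.
"""
import re

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}

# Constructed users: Entra marks B2B guests with userType "Guest" and a "#EXT#@" UPN.
USERS = [
    {"id": "u-1", "userPrincipalName": "alice@contoso.example", "userType": "Member"},
    {"id": "u-2", "userPrincipalName": "mallory_partner.example#EXT#@contoso.example", "userType": "Guest"},
]

# Constructed role assignments (subscription IDs are placeholders).
ASSIGNMENTS = [
    {"scope": "/subscriptions/11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Owner", "principalId": "u-1", "principalType": "User"},
    {"scope": "/subscriptions/22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "principalId": "u-2", "principalType": "User"},
    {"scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-shared", "roleDefinitionName": "Owner", "principalId": "u-2", "principalType": "User"},
    {"scope": "/subscriptions/33333333-3333-3333-3333-333333333333", "roleDefinitionName": "Reader", "principalId": "u-2", "principalType": "User"},
]


def is_guest(user):
    """userType Guest is authoritative; the #EXT#@ marker is a second, cheap signal."""
    return user.get("userType") == "Guest" or "#EXT#@" in user.get("userPrincipalName", "").upper()


def guest_privileged_subscriptions(assignments, users):
    """Return {subscription_id: [guest UPNs]} for guests with Owner/UAA on the whole subscription.

    Assignments scoped to a resource group or a single resource are ignored: they do not
    give the subscription-wide control a transferred-in subscription grants its Owner.
    """
    guests = {u["id"]: u["userPrincipalName"] for u in users if is_guest(u)}
    findings = {}
    for a in assignments:
        m = SUBSCRIPTION_SCOPE.match(a["scope"])
        if not m or a["principalType"] != "User" or a["roleDefinitionName"] not in PRIVILEGED_ROLES:
            continue
        upn = guests.get(a["principalId"])
        if upn:
            findings.setdefault(m.group(1).lower(), []).append(upn)
    return findings


if __name__ == "__main__":
    for sub, upns in guest_privileged_subscriptions(ASSIGNMENTS, USERS).items():
        print(f"review subscription {sub}: guest(s) with subscription-wide privilege: {', '.join(upns)}")
```

Run it against real exports by replacing the two constructed lists with the JSON from the `az` commands named above; a non-empty result is a subscription to review, not proof of compromise.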
Organizations leveraging Microsoft Entra B2B features should urgently re-examine their guest access policies and subscription governance to prevent these “restless guests” from becoming a hidden path to privilege escalation and compromise.