
Guest users SHOULD have limited or restricted access to Entra ID directory objects.

Why This Matters

Guest user access to directory objects represents a common attack vector in hybrid identity environments. If guest accounts retain broad read permissions to tenant directory information, an attacker could enumerate users, groups, and application registrations to map out your environment and identify privileged targets. Limiting guest directory access reduces the blast radius of a compromised guest account and aligns with least-privilege principles.

What Aether365 Checks

Aether365 verifies that the "Guest users have limited or restricted access to Entra ID directory objects" setting is properly configured in the Microsoft Entra ID tenant settings. This check appears in the Aether365 dashboard under the entra-id category and reports a Medium severity finding if the setting is set to allow full directory access for guests.
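The same setting can be read and tightened directly with the Microsoft Graph PowerShell SDK. The script below is an added example and is not Aether365's own code: it reads the tenant's single authorizationPolicy object, maps its guestUserRoleId to Microsoft's three documented guest access levels, reports a Medium finding for the full-access value (mirroring the severity this check uses), and, only when -Remediate is passed, switches the tenant to the most restrictive level. The cmdlets are from the Microsoft.Graph.Identity.SignIns module; the three role ID GUIDs are Microsoft's published template IDs for this setting; the function name and the Pass/Medium labels are this example's own choices.

```powershell
# Added example (not Aether365's code). Requires the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph.Identity.SignIns
# Permissions: Policy.Read.All to read; Policy.ReadWrite.Authorization to remediate.

# Microsoft's documented template role IDs for guestUserRoleId on the authorizationPolicy.
$GuestAccessLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as members (full directory access)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access to properties and memberships of directory objects (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted to properties and memberships of their own directory objects'
}
$FullAccessId = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'
$RestrictedId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Test-GuestDirectoryAccess {
    [CmdletBinding()]
    param(
        # When set, move the tenant to the most restrictive guest access level.
        [switch]$Remediate
    )

    Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.Authorization' -NoWelcome

    # Each tenant has exactly one authorizationPolicy object (id 'authorizationPolicy').
    $policy  = Get-MgPolicyAuthorizationPolicy
    $current = ([string]$policy.GuestUserRoleId).ToLowerInvariant()
    $label   = if ($GuestAccessLevels.ContainsKey($current)) { $GuestAccessLevels[$current] } else { 'Unknown role id' }

    # Mirror the check: only the "same as members" value is flagged, at Medium severity.
    $finding = [pscustomobject]@{
        Check           = 'Guest users have limited or restricted access to Entra ID directory objects'
        GuestUserRoleId = $current
        Level           = $label
        Severity        = if ($current -eq $FullAccessId) { 'Medium' } else { 'Pass' }
    }
    $finding | Format-List | Out-Host

    if ($Remediate -and $current -ne $RestrictedId) {
        # Guest-facing apps that enumerate users or groups may break at the restricted level;
        # validate in a pilot tenant before applying to production.
        Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -GuestUserRoleId $RestrictedId
        Write-Host 'Guest access set to restricted; re-run the check to confirm.'
    }
    return $finding
}

# Read-only run; add -Remediate to tighten the setting.
Test-GuestDirectoryAccess
```

The default "limited" level already passes this check; the "restricted" level additionally stops guests from reading membership and properties of objects other than their own, which is the level to aim for in tenants where guests do not need to browse the directory.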
