Azure AD guest accounts are widely used to grant external parties limited access to enterprise resources, with the assumption that these accounts pose little security risk. As you’re about to see, this assumption is dangerously wrong.
In this talk, we will show how guests can leverage undocumented APIs to bypass limitations and gain unauthorized access to sensitive business data and capabilities including corporate SQL servers, SharePoint sites, and KeyVault secrets....
By: Michael Bargury
Full Abstract and Presentation Materials:
#all-you-need-is-guest-32647