Entra ID Guest Account Promoted to Member

Last updated a month ago on 2026-05-20
Created a month ago on 2026-05-20

About

Identifies Entra ID user accounts converted from Guest to Member type via an Update user operation. A Guest-to-Member conversion grants the account full directory read access, removes external-identity Conditional Access restrictions, and makes the account indistinguishable from an internal employee. An attacker who compromises a guest account and promotes it to Member type gains persistent tenant access without triggering role assignment alerts.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Audit Logs
Use Case: Identity and Access Audit
Tactic: Persistence
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

False Positive Examples
B2B collaboration migrations where external users are intentionally promoted to full membership. Organizational restructuring that converts former contractors to permanent employees in place.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.auditlogs-*
Related Integrations

azure

Query
data_stream.dataset: "azure.auditlogs" and azure.auditlogs.operation_name: "Update user" and azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: "UserType" and azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value: *Guest* and azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: *Member* and event.outcome: (Success or success)
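
The three modified_properties clauses in the query are wildcard field matches evaluated independently of each other, so a hit does not prove that the Guest and Member values belong to the UserType entry itself. The triage check below is an added example, not part of the Elastic rule: it confirms the change inside a single modified_properties entry. It assumes events already parsed into dicts that follow the rule's field paths with index-keyed target_resources and modified_properties; the sample events, the user_principal_name field and its value are constructed.

```python
import json

def _values(raw):
    """Audit values are often JSON-encoded lists such as '["Guest"]'; accept plain strings too."""
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return [raw] if raw else []
    return [str(v) for v in parsed] if isinstance(parsed, list) else [str(parsed)]

def guest_to_member_promotions(event):
    """Return targets whose UserType went Guest -> Member within ONE modified_properties entry."""
    if str(event.get("event", {}).get("outcome", "")).lower() != "success":
        return []
    audit = event.get("azure", {}).get("auditlogs", {})
    if audit.get("operation_name") != "Update user":
        return []
    hits = []
    for target in audit.get("properties", {}).get("target_resources", {}).values():
        for prop in target.get("modified_properties", {}).values():
            if (prop.get("display_name") == "UserType"
                    and "Guest" in _values(prop.get("old_value"))
                    and "Member" in _values(prop.get("new_value"))):
                hits.append(target.get("user_principal_name", "<unknown>"))
    return hits

def _event(props, outcome="success"):
    """Build a constructed sample event (not real log data)."""
    return {"event": {"outcome": outcome}, "azure": {"auditlogs": {
        "operation_name": "Update user",
        "properties": {"target_resources": {"0": {
            "user_principal_name": "ext.user_example.org#EXT#@contoso.example",
            "modified_properties": props}}}}}}

# Constructed: a genuine Guest -> Member promotion.
PROMOTION = _event({"0": {"display_name": "UserType",
                          "old_value": '["Guest"]', "new_value": '["Member"]'}})
# Constructed: a Member -> Guest demotion plus a display-name edit. Every clause of the
# rule query is satisfied by some entry, but no single entry is a promotion.
MIXED = _event({
    "0": {"display_name": "UserType", "old_value": '["Member"]', "new_value": '["Guest"]'},
    "1": {"display_name": "DisplayName", "old_value": '["Guest - J. Doe"]',
          "new_value": '["J. Doe (Member)"]'}})

if __name__ == "__main__":
    for name, ev in (("promotion", PROMOTION), ("mixed", MIXED)):
        print(name, guest_to_member_promotions(ev))
```

Running the check over the documents behind each alert separates confirmed promotions from alerts that need a manual look at the modified properties.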

Install detection rules in Elastic Security

Detect Entra ID Guest Account Promoted to Member in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.