You didn’t ask for this. But here we are.

Hidden in plain sight, in the seam between Azure billing and Microsoft Entra ID, lies an exposure so easy to use it might as well come with a sign that says, "Hack Me." This isn't fearmongering. It's how the platform works. Guest users, the ones no one audits, can create or move Azure subscriptions into your tenant and hold full Owner rights on them.

They don't need to be a hacker. They just need to be invited. Or worse, be invited by another guest, which the Entra default for "Guests can invite" (anyone in the organization, guests included) allows.

The Exploit:

It starts with who is allowed to create a subscription, and that is a billing decision, not an Entra one. On a Microsoft Customer Agreement account, the "Billing Account Owner" role (like the Billing Profile Owner and Invoice Section Owner roles beneath it) is assigned in Cost Management + Billing, outside Entra roles and Azure RBAC, and it lets a user create new Azure subscriptions on which they are automatically granted Owner. A user does not even need that: anyone with a pay-as-you-go or Visual Studio subscription of their own can change its directory to a tenant where they have an account, guest accounts included, unless your tenant's subscription policies forbid it. Either way, a malicious guest ends up with a subscription inside your tenant: one that lands in the Tenant Root Group, inherits only the role assignments and policies you made at that root, carries none of the diagnostic settings or alert rules you built for the subscriptions you knew about, and is governed by nobody but its guest Owner.

It’s like building a backdoor into your own datacenter—and leaving it wide open.

The Fallout:

  • Shadow subscriptions under your tenant root that nobody inventoried.
  • Rogue apps and workloads that live inside your tenant.
  • Security controls that never reach it: no diagnostic settings, no alert rules, no Azure Policy unless you assigned it at the root management group.
  • No alerts, no forwarded logs, no trace in any system you actually watch.

Your SIEM won't see it, because nothing forwards the new subscription's logs to it. The evidence does exist, in the tenant's subscription list and in that subscription's own activity log, but only a Global Administrator who has elevated access to the tenant root can enumerate every subscription, and nobody is looking. And when the breach happens, your client's lawyer won't care. Because guess who's holding the bag? You.

This Isn’t a Misconfiguration—It’s a Time Bomb

The only way to defuse it? Start with visibility. That means a full Microsoft 365 assessment, not once, not just "when something seems off," but every quarter. Because let's be real: tenant settings drift. Admins change them, Microsoft ships new defaults, and new features arrive switched on. You know it. I know it. And attackers are counting on it.

Here’s What to Do:

  1. Get an M365 Assessment Done—now. On every client. On yourself. If it’s been more than 90 days, it’s already out of date. You can get this done as part of a Level 1 Pen Test or our Client Watch Program. (Instructions here: Run M365 Analysis)
  2. Don’t Stop at One. Build it into your Quarterly Security Briefings. Your job is to prove you protected your clients—because when the lawsuits hit, your MSA won’t save you. Evidence will.
  3. Lock Down the Tenant. Set the tenant's subscription policies (Subscriptions > Manage Policies, as a Global Administrator with elevated access) to Deny for both subscriptions entering and subscriptions leaving the directory, and keep the exempted-users list empty or tiny. Change "Guests can invite" so that only admins and users in the Guest Inviter role can invite. Disable, then delete, guest accounts with no sign-in in 90 days, and put the rest under Entra access reviews. Assign Azure Policy at the root management group so every new subscription gets diagnostic settings on day one, and enumerate every subscription in the tenant at each assessment. Make sure your Conditional Access policies require MFA for guests and don't give them a red-carpet welcome to everything you've worked to secure.
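The lock-down steps above, as one PowerShell pass. This is an added example, not code from the original post or from any vendor program it mentions. It assumes the Az and Microsoft.Graph PowerShell modules, a Global Administrator account, and two placeholders you replace: the tenant ID and the 90-day staleness threshold. The REST paths for elevating access and for the tenant subscription policy are the documented Azure Resource Manager endpoints; check the api-version against current Microsoft docs before relying on it.

```powershell
# Added example (not from the original post). Assumes Az + Microsoft.Graph
# modules and a Global Administrator. $TenantId and $StaleDays are placeholders.
$TenantId  = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
$StaleDays = 90

Connect-AzAccount -TenantId $TenantId | Out-Null

# 1. Elevate the Global Administrator to User Access Administrator at root ("/").
#    Needed once to list every subscription in the tenant and to edit the
#    tenant-wide subscription policy. Remove the elevation afterwards (see end).
Invoke-AzRestMethod -Method POST `
    -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" | Out-Null

# 2. Tenant-wide subscription policy: deny subscriptions entering or leaving this
#    directory, with no exempted principals. Equivalent to Subscriptions >
#    Manage Policies in the portal.
$policy = @{
    properties = @{
        blockSubscriptionsIntoTenant    = $true
        blockSubscriptionsLeavingTenant = $true
        exemptedPrincipals              = @()
    }
} | ConvertTo-Json -Depth 5
Invoke-AzRestMethod -Method PUT `
    -Path "/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01" `
    -Payload $policy

# 3. Every subscription visible from the root, and every Owner on it that is a
#    guest. Guest UPNs carry the #EXT# marker; the ObjectType check leaves out
#    groups and service principals, which get their own review.
$guestOwners = foreach ($sub in Get-AzSubscription -TenantId $TenantId) {
    Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" -RoleDefinitionName Owner |
        Where-Object { $_.ObjectType -eq 'User' -and $_.SignInName -like '*#EXT#*' } |
        Select-Object @{ n = 'Subscription'; e = { $sub.Name } }, SignInName, ObjectId
}
$guestOwners | Format-Table -AutoSize

# 4. Guests with no sign-in in $StaleDays days, or never signed in and created
#    before the cutoff. signInActivity is only returned when requested explicitly
#    and requires the AuditLog.Read.All scope.
Connect-MgGraph -TenantId $TenantId -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome
$cutoff = (Get-Date).AddDays(-$StaleDays)
$staleGuests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, UserPrincipalName, CreatedDateTime, SignInActivity |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        (-not $last -and $_.CreatedDateTime -lt $cutoff) -or ($last -and $last -lt $cutoff)
    }
$staleGuests |
    Select-Object DisplayName, UserPrincipalName,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Format-Table -AutoSize

# 5. Disable (not delete) the stale guests so a mistake is reversible; delete
#    after the access review signs off. Uncomment to apply.
# foreach ($g in $staleGuests) { Update-MgUser -UserId $g.Id -AccountEnabled:$false }

# 6. Drop the root elevation when finished (replace the sign-in name).
# Remove-AzRoleAssignment -SignInName "admin@contoso.onmicrosoft.com" `
#     -RoleDefinitionName "User Access Administrator" -Scope "/"
```

Step 3 is the part that surfaces the shadow subscription the post describes: without the root elevation in step 1, Get-AzSubscription only returns subscriptions the admin already holds a role on, which is exactly the set the guest's subscription is not in. Run it before step 2 on a tenant you are inheriting, so you know what is already there before you close the door.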

The Bottom Line

If you think a Microsoft license gives you security, you’re already compromised. This is your warning shot. Get the assessment. Make it recurring. And while you’re at it, remind your clients that the only thing scarier than a hacker breaking in…

…is a guest you invited doing it with your permission.