
Summary
The Azure External Guest User Invitation rule detects instances where an external user is invited to join an organization's Azure Active Directory (AD). Guest invitation enables external collaboration, but it can also be abused to obtain unauthorized access.

The rule monitors audit logs for successful external user invitations, specifically the operation named 'Invite external user'. It filters these events to surface guest user creations that may be unnecessary or unexpected: the target resource display name must contain 'guest' and the event outcome must be 'Success'.

Investigation steps include reviewing the invitation details, verifying the inviter's identity, checking the invited guest's information, and confirming with the relevant business unit that the invitation was needed. The rule accounts for potential false positives, such as legitimate business invitations or automated systems that require guest access.

When an unauthorized invitation is found, remediation consists of disabling the guest account, notifying the security team, and enforcing stricter access policies to reduce future risk. The rule helps maintain the integrity of Azure Active Directory by catching unauthorized guest access early.
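The following is an added example, not the rule's own query or any code from the rule's maintainers. It replays the matching conditions described above (operation 'Invite external user', a target resource display name containing 'guest', outcome 'Success') over a constructed set of audit-log records, then splits the matches into those that need analyst review and those attributable to a known automation account, which is the false-positive case the summary mentions. The record layout and field names (`operation_name`, `outcome`, `initiated_by`, `target_resources[].display_name`) are assumptions made for the example, not a specific log schema.

```python
# Constructed sample of Azure AD audit-log records. The field names are
# assumptions modelled on the rule description, not a real log schema.
SAMPLE_AUDIT_LOGS = [
    {   # successful invitation by a regular user: should match and need review
        "timestamp": "2020-08-31T10:02:11Z",
        "operation_name": "Invite external user",
        "outcome": "Success",
        "initiated_by": "alice@example.com",
        "target_resources": [{"display_name": "Guest user: partner@vendor.example"}],
    },
    {   # failed invitation: outcome filter excludes it
        "timestamp": "2020-08-31T10:05:40Z",
        "operation_name": "Invite external user",
        "outcome": "Failure",
        "initiated_by": "bob@example.com",
        "target_resources": [{"display_name": "Guest user: someone@other.example"}],
    },
    {   # unrelated operation: operation-name filter excludes it
        "timestamp": "2020-08-31T10:07:02Z",
        "operation_name": "Add user",
        "outcome": "Success",
        "initiated_by": "bob@example.com",
        "target_resources": [{"display_name": "New employee"}],
    },
    {   # successful invitation by a known automation account: matches, but is expected
        "timestamp": "2020-08-31T10:09:55Z",
        "operation_name": "Invite external user",
        "outcome": "success",
        "initiated_by": "svc-b2b-sync@example.com",
        "target_resources": [{"display_name": "guest contractor"}],
    },
]

# Hypothetical allowlist of automation identities known to create guest accounts.
KNOWN_AUTOMATION_INVITERS = {"svc-b2b-sync@example.com"}


def matches_rule(event):
    """Apply the three conditions from the rule description to one record."""
    if event.get("operation_name") != "Invite external user":
        return False
    # The rule treats the outcome case-insensitively ('Success' or 'success').
    if str(event.get("outcome", "")).lower() != "success":
        return False
    # Any target resource whose display name contains 'guest' satisfies the rule.
    return any(
        "guest" in str(target.get("display_name", "")).lower()
        for target in event.get("target_resources", [])
    )


def find_guest_invitations(events):
    """Return every record that satisfies the rule."""
    return [event for event in events if matches_rule(event)]


def summarize(event):
    """Pull out the fields an analyst wants first: when, who invited, which guest."""
    guests = [t.get("display_name", "") for t in event.get("target_resources", [])]
    return {
        "time": event.get("timestamp"),
        "inviter": event.get("initiated_by"),
        "guests": guests,
    }


def triage(events, expected_inviters=KNOWN_AUTOMATION_INVITERS):
    """Split matches into those needing review and those from known automation.

    Expected matches are still returned so they stay auditable; they are only
    separated from the queue an analyst works through first.
    """
    needs_review, expected = [], []
    for event in find_guest_invitations(events):
        bucket = expected if event.get("initiated_by") in expected_inviters else needs_review
        bucket.append(summarize(event))
    return needs_review, expected


if __name__ == "__main__":
    review, known = triage(SAMPLE_AUDIT_LOGS)
    for item in review:
        print("REVIEW  ", item)
    for item in known:
        print("EXPECTED", item)
```

Running the block prints one record for review (the invitation by `alice@example.com`) and one expected record (the automation account), while the failed invitation and the unrelated 'Add user' operation are dropped by the filters.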
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1078
Created: 2020-08-31