How can we improve Azure Active Directory?

Disable user role to list (entire) enterprise AD

Currently all users migrated to O365 are able to log on to the portal and to list AD directory. I didn't find an option to disable this (view) yet.

8 votes

Kenannn shared this idea · Admin response:

There is a setting that allows you to prevent users from seeing other users in the directory. This setting is called ‘UsersPermissionToReadOtherUsersEnabled’ and can only be set by using the Microsoft Online PowerShell cmdlets, specifically Set-MsolCompanySettings.

More info here:
https://docs.microsoft.com/en-us/powershell/msonline/v1/set-msolcompanysettings

I’ll leave this item open since I’d be interested in hearing feedback in the comments section on whether this is the functionality you’re interested in. If so, and there are a lot of votes for this item, we can look at exposing it in the portal (vs requiring PowerShell).

/Saca
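As an added example (not part of the admin response above), the PowerShell session below reads the current value of the setting, turns it off, and re-reads it to confirm the change. It assumes the MSOnline module is installed and the signed-in account holds the Global Administrator role.

```powershell
# Added example: audit and change the tenant-wide
# UsersPermissionToReadOtherUsersEnabled flag with the MSOnline cmdlets
# named in the admin response. Assumes the MSOnline module is installed
# (Install-Module MSOnline) and the signed-in account is a Global Administrator.
# Microsoft has since deprecated the MSOnline module; this follows the page's
# guidance as written.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in

function Get-ReadOtherUsersSetting {
    # Get-MsolCompanyInformation exposes the current tenant-wide value
    (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
}

$before = Get-ReadOtherUsersSetting
Write-Host "UsersPermissionToReadOtherUsersEnabled before: $before"

if ($before) {
    # Disabling the flag hides the directory's user list from non-admins, but
    # (as Nick reports in the comments below) it also stops users from finding
    # colleagues when adding members to Office 365 Groups and Teams, so record
    # the old value before changing it.
    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
}

$after = Get-ReadOtherUsersSetting
Write-Host "UsersPermissionToReadOtherUsersEnabled after:  $after"

# To reverse the change (for example if group membership management breaks):
# Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true
```

Sign in as a non-admin user afterwards and open Azure AD > Users in portal.azure.com to confirm the list is no longer visible; this also shows whether the Groups/Teams side effect applies to your tenant.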

8 comments

  • Luke commented

    For anyone else coming across this post while looking to prevent standard users from signing into your Azure Portal (not just Azure AD), please see the following link to enable conditional access on the "Microsoft Azure Management" app:

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started

    We just implemented this and now proper admins can get to portal.azure.com but my normal business users receive an error that they do not have permission. Exactly what I needed. Hope this helps!

  • Vadim commented

    You can turn off end users from accessing AAD and Intune by going to Azure AD > User Settings > under Admin Portal select "Yes". This still doesn't restrict access to portal.azure.com or other resources.
    Agree with Luke, Nick and Doug - Microsoft please fix!

  • Luke commented

    Completely agree with Doug. We stumbled across this in my organization today and really need to be able to prevent end users from logging into portal.azure.com. Crazy to think this exists by default.

  • Nick commented

    Having set this option we then found that this broke the ability for our staff to add others to Office 365 Teams and Groups. So we've had to re-enable the UsersPermissionToReadOtherUsersEnabled setting again. We're an education site, and our students have Global Address List settings that stop them from seeing all the other members of the college in Office 365 but they can see them all in Azure. This would all be solved if we could control access to the Azure portal somehow (we only want admins to access it). Please can you find a solution to this as it is a security issue.

  • Nick commented

    Totally agree, this seems to be a security flaw. We were quite shocked to find that all our users could see the other users in the directory, particularly as we've made sure this isn't possible in Office 365.

  • Doug commented

    O365 end users should not be able to log into Azure portal. Period.

  • Dave Sampson commented

    Thanks for the feedback Saca, we've encountered that setting and it does certainly help to address the scenario of non-Admin users browsing the details of other users via portal.azure.com. A UI to surface this setting to Admin users in portal.azure.com would help to some extent.
    To be honest though, I'm not sure why users who aren't assigned any RBAC roles in Azure, aren't the Azure account owner or subscription admins / co-admins, and are also not Admins in AAD, should be able to log in to portal.azure.com at all & browse the AAD (& not just user settings, but groups, apps, top-level AAD & domain settings). This is certainly a change between the classic portal & new portal, and has caused security & privacy concerns for us. Some way to enforce much more granular control of what a non-Administrative user can/can't see & do would be beneficial, particularly in scenarios where AAD isn't being used as a corporate directory but is instead being used as a directory of application users (from disparate sources & organisations).

  • Dave Sampson commented

    Agree, I see this as a flaw. Not only can a non-admin user log in to portal.azure.com and list all corporate users, they can view the properties of the AAD itself, and the UI appears to allow them to update other users - although it only appears to allow this, the save / block etc doesn't ACTUALLY happen. Some further work required here, the last thing I want is my general users being able to browse & obtain potentially sensitive information about my AAD!
