Block Read Access for Non-Admin Users to Azure AD

In an Office 365 tenant, by default, any user can connect to Azure AD PowerShell and run Get-MsolUser or Get-AzureADUser to list every other user's details, including personal data (e.g. phone number, address, password last set time), and can fetch the same information from the users endpoint of the Microsoft Graph API (https://graph.microsoft.com/v1.0/users). This default may be acceptable in some organizations, but in environments with stricter requirements it exposes directory data to any authenticated account and creates a real security concern.

We can use the Set-MsolCompanySettings cmdlet from the Azure AD PowerShell v1 module (MSOnline) to block this read access for non-admin users. You need the Global Admin role to run this command. Before proceeding, run the command below to connect to the Azure AD module.

Connect-MsolService

Run the command below to disable users' permission to read other users' data.

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

After running the above command you can still read all users' data with the Global Admin account without any issue, but if you connect Azure AD PowerShell with a non-admin user account and run the Get-MsolUser cmdlet, you will get the error "Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet".
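The following script is an added example and is not part of the original post. It wraps the procedure above with a check before and after the change, using Get-MsolCompanyInformation to read the current value of UsersPermissionToReadOtherUsersEnabled, so the change can be confirmed and reverted if it breaks something. It assumes the MSOnline module is installed and that the signed-in account holds the Global Admin role.

```powershell
# Added example (not from the original post): check, change and verify the
# UsersPermissionToReadOtherUsersEnabled tenant setting with the MSOnline module.
# Assumptions: MSOnline module installed; signed-in account is a Global Admin.
Import-Module MSOnline
Connect-MsolService

# Record the current value before changing anything, so the change can be rolled back.
$before = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
Write-Host "Before: UsersPermissionToReadOtherUsersEnabled = $before"

# Block non-admin users from reading other users' directory data.
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

# Re-read the tenant setting to confirm the change actually took effect.
$after = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
if ($after -eq $false) {
    Write-Host "Confirmed: non-admin read access to other users' data is now blocked."
} else {
    Write-Warning "Setting did not change; expected False but got '$after'."
}

# Roll back (for example if Planner or Teams member search stops working):
# Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true
```

Set-MsolCompanySettings produces no output on success, which is why the script re-reads the setting instead of trusting the cmdlet call alone.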

PS C:\> Get-MsolUser
Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet.
At line:1 char:1
+ Get-MsolUser
+ ~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Administration.Automation.GetUser

Azure AD PowerShell v2 module

When you run the Get-AzureADUser cmdlet as a non-admin user, you will get the error message "Authorization_RequestDenied : Insufficient privileges to complete the operation".

PS C:\> Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUsers
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 784ed01e-094f-4ecd-8bcd-6557e5bc7b58
DateTimeStamp: Wed, 29 May 2019 18:09:40 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADUser
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADUser], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser

Graph API – users endpoint

You will also get an Access Denied response when you query the users Graph endpoint with a normal user account.

Request URL: https://graph.microsoft.com/v1.0/users
Request Method: GET
Status Code: 403 Forbidden

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "b254adb3-8918-4921-b899-8c381b9ea611",
      "date": "2019-05-29T18:27:59"
    }
  }
}
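The function below is an added example, not code from the original post. It lets you confirm from the non-admin side that the block is effective: it calls the users endpoint with an access token obtained for a normal user and reports whether Graph returned the 403 Authorization_RequestDenied error shown above. The token acquisition is outside the scope of this post, so the function takes the bearer token as a parameter (an assumption of this example); the parsing of the error body follows the JSON shape shown in the post.

```powershell
# Added example (not from the original post): verify from a non-admin context that
# GET https://graph.microsoft.com/v1.0/users is denied after the setting is applied.
# Assumption: $AccessToken is a valid bearer token acquired for a NON-admin user;
# how it is obtained is not covered here.
function Test-UsersReadBlocked {
    param(
        [Parameter(Mandatory = $true)][string]$AccessToken
    )
    $uri = 'https://graph.microsoft.com/v1.0/users?$top=1'
    $headers = @{ Authorization = "Bearer $AccessToken" }
    try {
        $null = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop
        # A successful response means the non-admin can still enumerate users.
        Write-Warning 'Users endpoint returned data: read access is NOT blocked.'
        return $false
    }
    catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        $code = $null
        # Windows PowerShell and PowerShell 7 both expose the JSON body here on a 4xx.
        if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
            try { $code = ($_.ErrorDetails.Message | ConvertFrom-Json).error.code } catch { }
        }
        if ($status -eq 403 -and $code -eq 'Authorization_RequestDenied') {
            Write-Host 'Confirmed: 403 Authorization_RequestDenied; read access is blocked.'
            return $true
        }
        # Any other failure (expired token, network error, 401) is inconclusive, not proof.
        Write-Warning "Inconclusive: HTTP $status, error code '$code'. Check the token and retry."
        return $false
    }
}

# Usage (token acquisition not shown):
# Test-UsersReadBlocked -AccessToken $nonAdminToken
```

The function deliberately treats anything other than an explicit 403 with code Authorization_RequestDenied as inconclusive, since a 401 from an expired token would otherwise be mistaken for a successful block.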

Note: Blocking read access to other users' data may cause problems in Microsoft Planner and Teams (e.g. user search may not work when you add members to a plan).
