In an Office 365 tenant, by default any user can connect to Azure AD PowerShell and run Get-MsolUser or Get-AzureADUser to list the details of every other user, including personal data (for example phone number, address, and the time the password was last set), and can fetch the same information from the users Graph API endpoint (https://graph.microsoft.com/v1.0/users). This design may not be a problem in some organizations, but it creates serious security issues in organizations with strict security requirements.
We can use the Set-MsolCompanySettings cmdlet from the Azure AD PowerShell v1 module (MSOnline) to block this read access for non-admin users. You need Global Admin permissions to run this command. Before proceeding, run the command below to connect to the Azure AD module.
Connect-MsolService
Run the command below to disable users’ permission to read other users’ data.
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
After running the above command, a Global Admin account can still read all users’ data without any issue, but if you connect to Azure AD PowerShell with a non-admin user account and run the Get-MsolUser cmdlet, you will get the error “Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet”.
PS C:\> Get-MsolUser
Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet.
At line:1 char:1
+ Get-MsolUser
+ ~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Administration.Automation.GetUser
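The following script is added here as a worked example and is not part of the original post. It audits the current value with Get-MsolCompanyInformation, applies the change only when the permissive default is still in place, and then verifies the result from a second, non-admin session. It assumes the MSOnline module is installed, that the interactive sign-in uses a Global Admin, and that $nonAdminCred holds a PSCredential for an ordinary test user (both names are assumptions, not from the post).

```powershell
# Added example, not from the original post. Assumes the MSOnline module is
# installed, the interactive sign-in uses a Global Admin, and $nonAdminCred
# holds a PSCredential for an ordinary (non-admin) test user.
Import-Module MSOnline
Connect-MsolService

# 1. Audit: read the tenant-wide setting before touching it.
$before = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
Write-Host "UsersPermissionToReadOtherUsersEnabled before: $before"

# 2. Harden only if the permissive default is still in place.
if ($before -ne $false) {
    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
}

# 3. Verify the tenant setting actually changed.
$after = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
if ($after -ne $false) {
    throw "Setting is still '$after'; check that the account is a Global Admin."
}
Write-Host "Tenant setting is now: $after"

# 4. Verify from a non-admin session: Get-MsolUser must now be denied.
#    $nonAdminCred is an assumption (for example the output of Get-Credential
#    for a dedicated test user without any admin role).
Connect-MsolService -Credential $nonAdminCred
try {
    Get-MsolUser -MaxResults 1 -ErrorAction Stop | Out-Null
    Write-Warning "Non-admin user can still enumerate users; review the change."
} catch {
    if ($_.Exception.Message -match 'Access Denied') {
        Write-Host "Confirmed: non-admin user enumeration is blocked."
    } else {
        throw   # some other failure (network, auth); do not mask it
    }
}
```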
Azure AD PowerShell v2 module
When you run the Get-AzureADUser cmdlet, you will get the error message “Authorization_RequestDenied : Insufficient privileges to complete the operation”.
PS C:\> Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUsers
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 784ed01e-094f-4ecd-8bcd-6557e5bc7b58
DateTimeStamp: Wed, 29 May 2019 18:09:40 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADUser
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADUser], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser
Graph API – Users endpoint
You will also get an Access Denied response when you call the users Graph endpoint with a normal user account.
Request URL: https://graph.microsoft.com/v1.0/users
Request Method: GET
Status Code: 403 Forbidden
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "b254adb3-8918-4921-b899-8c381b9ea611",
      "date": "2019-05-29T18:27:59"
    }
  }
}
Note: Blocking read access to other users’ data may cause some problems in Microsoft Planner and Teams (for example, user search may not work when you add members to a plan).