In an Office 365 tenant, by default, any user can connect to Azure AD PowerShell and run Get-MsolUser or Get-AzureADUser to list every other user's details, including personal data (phone number, address, password last set time, etc.), and can fetch the same information from the users endpoint of the Microsoft Graph API (https://graph.microsoft.com/v1.0/users). This default is acceptable in some organizations, but in organizations with stricter security requirements it is an information-disclosure problem: a single compromised or malicious non-admin account can enumerate the whole directory.
You can use the Set-MsolCompanySettings cmdlet from the Azure AD PowerShell v1 module (MSOnline) to block this read access for non-admin users. Global Administrator permission is required to run the command. First, connect to the MSOnline module:
Connect-MsolService
Then run the following command to disable users' permission to read other users' data:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
After running this command, a Global Admin account can still read all users' data without any issue, but if you connect to Azure AD PowerShell with a non-admin user account and run the Get-MsolUser cmdlet, you get the error "Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet".
PS C:\> Get-MsolUser
Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet.
At line:1 char:1
+ Get-MsolUser
+ ~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Administration.Automation.GetUser
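The complete procedure as a script, added here as an example and not part of the original post: apply the setting as a Global Admin, confirm the tenant value changed, then prove from a non-admin account that Get-MsolUser is now refused. It requires the MSOnline module; the optional Microsoft Graph check at the end assumes the Microsoft.Graph PowerShell module is installed and relies on the tenant setting being exposed as defaultUserRolePermissions.allowedToReadOtherUsers on the authorization policy (MSOnline has since been deprecated in favour of Microsoft Graph PowerShell, so that is the check that remains usable going forward).

```powershell
# Added example (not from the original post). Step 1 runs as a Global Admin,
# step 2 re-connects as a non-admin test account, step 3 is an optional
# cross-check through Microsoft Graph PowerShell.

# --- 1. Apply the restriction as a Global Admin ---------------------------
Connect-MsolService   # interactive sign-in with a Global Admin account

$before = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
Write-Host "UsersPermissionToReadOtherUsersEnabled before: $before"

if ($before -ne $false) {
    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
}

$after = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
if ($after -ne $false) {
    throw "Tenant still allows users to read other users' data (value: $after)"
}
Write-Host "UsersPermissionToReadOtherUsersEnabled after:  $after"

# --- 2. Verify from a non-admin account ------------------------------------
# Returns $true if the account can still list other users, $false if the
# tenant now blocks it. Connect-MsolService -Credential only works for
# accounts without MFA; for an MFA-enabled test account run the same
# commands in an interactive session instead.
function Test-OtherUserRead {
    param([Parameter(Mandatory)][pscredential]$Credential)

    Connect-MsolService -Credential $Credential
    try {
        $null = Get-MsolUser -MaxResults 1 -ErrorAction Stop
        return $true
    }
    catch {
        # Expected after the change: "Access Denied. You do not have
        # permissions to call this cmdlet."
        if ($_.Exception.Message -match 'Access Denied') { return $false }
        throw   # anything else (bad password, network error) is a real failure
    }
}

$nonAdmin = Get-Credential -Message 'Non-admin test account (no admin roles)'
if (Test-OtherUserRead -Credential $nonAdmin) {
    Write-Warning 'Non-admin account can still read other users; the change has not taken effect.'
} else {
    Write-Host 'Non-admin read of other users is blocked, as intended.'
}

# --- 3. Optional: confirm the same switch through Microsoft Graph ----------
# Assumption: the tenant setting surfaces in Graph as
# policies/authorizationPolicy -> defaultUserRolePermissions.allowedToReadOtherUsers.
# Requires the Microsoft.Graph module and the Policy.Read.All permission.
Connect-MgGraph -Scopes 'Policy.Read.All'
$policy = Get-MgPolicyAuthorizationPolicy
Write-Host ("Graph allowedToReadOtherUsers: {0}" -f $policy.DefaultUserRolePermissions.AllowedToReadOtherUsers)
```

Run step 1 and step 2 in separate sessions if you prefer not to swap identities in one console; the Test-OtherUserRead function deliberately treats only the "Access Denied" message as a pass so that an authentication failure on the test account is not mistaken for the restriction working.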
Azure AD PowerShell v2 module
When a non-admin user runs the Get-AzureADUser cmdlet from the AzureAD module, the error is "Authorization_RequestDenied : Insufficient privileges to complete the operation":
PS C:\> Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUsers
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 784ed01e-094f-4ecd-8bcd-6557e5bc7b58
DateTimeStamp: Wed, 29 May 2019 18:09:40 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADUser
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser
Graph API – Users end-point
A normal user account calling the users Graph endpoint also gets a 403 Forbidden response with the same Authorization_RequestDenied error code:
Request URL: https://graph.microsoft.com/v1.0/users
Request Method: GET
Status Code: 403 Forbidden
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "b254adb3-8918-4921-b899-8c381b9ea611",
      "date": "2019-05-29T18:27:59"
    }
  }
}
Note: Blocking read access to other users' data may break features in Microsoft Planner and Teams that rely on directory lookups (for example, user search may not work when you add members to a plan). Test the change with a pilot group before applying it tenant-wide; it can be reverted by running the same cmdlet with -UsersPermissionToReadOtherUsersEnabled $true.