Forum Discussion

indima's avatar
indima
Copper Contributor
Apr 10, 2019

Defining Azure Active Directory User Permissions

Hi!

For security reasons I've disabled the default permission to read user profiles in azure active directory by 

 

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

 

How can I return this permission only to a specific user or group?

    • indima's avatar
      indima
      Copper Contributor

      So, if I set the default permission back to 

       

      Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true

       

      How can I prevent normal users from reading other user profiles in the Azure AD?

      • You cannot, those properties are "public" and you can also see them from the GAL in Outlook/OWA, Delve, etc. There are some settings like the above mentioned or the equivalent for the Azure portal, but those only apply to the corresponding endpoints.

  • Scruffe1's avatar
    Scruffe1
    Copper Contributor
    I realize this is an old discussion, but I have found that a. Security is reporting this as a pen test finding and it should be disabled for security reasons, but, 2. if you disable this setting is will break user listing in apps like Planner. So what can we do? We are looking into options, but so far have found none. Pernille-Eskebo should be listening...

Resources