Forum Discussion

Kenannn T's avatar
Kenannn T
Brass Contributor
Dec 19, 2016

AAD Users able to list ALL AAD users , groups with all properties

All o365 migrated users are able to list whole AAD directory when logging on azure portal. I think this is common since AAD is migrated to new portal. The current aad has no subscription activated (o...
VasilMichev's avatar
VasilMichev
MVP
Dec 19, 2016

This has always been the case, anyone with access to your tenant could use PowerShell to list objects and their data. You can restrict it to an extent via:

 

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

 

For the case of the Azure (RM) portal, the AAD blade is still new (in preview), so you can expect this to change once it reaches GA.

  • Kenannn T's avatar
    Kenannn T
    Brass Contributor
    Dec 20, 2016

    Thank you that's true, but I don't expect "regular" user to use PS to obtain info. I would assume these settings are disabled by default for at lease user roles .. as well as adding new App Registrations. 

    • VasilMichev's avatar
      VasilMichev
      MVP
      Dec 20, 2016

      Agreed, by they're aren't disabled, so if you want to beef up security you'll have to manually turn them on.

      • Scott Johnson's avatar
        Scott Johnson
        Brass Contributor
        Dec 31, 2016
        Vasil: Correct me if I'm wrong, but if the user(s) are not credentialed specifically for Azure then then they can not see this information?

Resources