Forum Discussion
Rebekka Aalbers-de Jong
Feb 09, 2018, Iron Contributor
How to prohibit normal users access to other users' AAD profile Authentication contact info fields?
A customer recently pointed out that all users have permissions to use PowerShell (with added modules) to run Get-MsolUser and can read all user info and groups. To be able to use Delve and other t...
VasilMichev
Feb 10, 2018, MVP
That's the only option you have. The argument usually goes something like "well you can see all this info in on-premises AD too". And there aren't that many regular users that will try PowerShell anyway, the bigger issue here is some rogue user running scripts to collect this information, etc.
- Rebekka Aalbers-de Jong
Feb 11, 2018, Iron Contributor
One other question: do you know if it is possible to Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $False for the organization and -UsersPermissionToReadOtherUsersEnabled $True for a specific Security Group?
- VasilMichev
Feb 11, 2018, MVP
No, it's an org-wide setting. Until we get a proper RBAC support for AAD, that's your only option (and even when/if we do, I'm not sure it will cover "read" permissions).
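Applying the tenant-wide setting discussed in the question and in the two replies above, as an added example that is not code from the thread; it assumes the MSOnline module is installed and the signed-in account holds the Global Administrator role.

```powershell
# Added example (not from the thread): read the current value of
# UsersPermissionToReadOtherUsersEnabled, switch it off for the whole
# tenant, and verify the change took effect.
# Assumptions: MSOnline module installed; Global Administrator account.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

function Get-TenantUserReadSetting {
    # Returns $true or $false as currently set for the entire tenant.
    (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
}

function Set-TenantUserReadSetting {
    param([Parameter(Mandatory)][bool]$Enabled)
    # The setting is org-wide: there is no parameter to scope it to a
    # security group, which is what the replies above confirm.
    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $Enabled
}

$before = Get-TenantUserReadSetting
Write-Host "UsersPermissionToReadOtherUsersEnabled before: $before"

if ($before) {
    Set-TenantUserReadSetting -Enabled $false
    $after = Get-TenantUserReadSetting
    if ($after) {
        throw "Setting did not change; check the role of the signed-in account."
    }
    Write-Host "Regular users can no longer enumerate other users with Get-MsolUser."
} else {
    Write-Host "Already restricted; nothing to do."
}
```

Re-run the script later as a drift check: if it reports the value as $true again, someone with admin rights has re-enabled directory reads for all users.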
- Rebekka Aalbers-de Jong
Feb 11, 2018, Iron Contributor
VasilMichev, I was afraid that would be the answer. Because that is the way it worked in AD on-prem, most schools I know had 2 ADs: one for students and one for staff. So students were never able to get the data from the staff AD. In Office 365 they need to be in the same Azure AD.