Forum Discussion
Can a User with no admin access run Get-Msol Cmdlets?
Upon testing the different Admin Roles with PowerShell, I came across the fact that a standard user can run a lot of Get-Msol Cmdlets. Is there something that I missed to block standard user's from being able to make a connection through Powershell to Azure Active Directory?
Um, that article is for Azure PowerShell, not Azure AD. You cannot restrict users from using the MSOL/AzureAD, unless you are willing to block other things as well (read: Conditional access supposedly covers the admin endpoints now, but you cannot actually configure any explicit includes/excludes for those).
You can however limit the information they can get by configuring the following:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
Similar concerns apply to the Azure AD portal btw, make sure to toggle the "Restrict access to the Azure AD administration portal" setting in the Azure AD blade.
7 Replies
Keep in mind too that a typical OnPrem AD provides full read access to the same information to any standard user.
- also keep in mind that a typical OnPrem AD sits behind a firewall... whereas Azure AD is fairly open to direct attack. so when a standard user is compromised, you don't want them running these get-msol* commands.
Um, that article is for Azure PowerShell, not Azure AD. You cannot restrict users from using the MSOL/AzureAD, unless you are willing to block other things as well (read: Conditional access supposedly covers the admin endpoints now, but you cannot actually configure any explicit includes/excludes for those).
You can however limit the information they can get by configuring the following:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
Similar concerns apply to the Azure AD portal btw, make sure to toggle the "Restrict access to the Azure AD administration portal" setting in the Azure AD blade.
- Vasil - bad news, the conditional access policies do not prevent azure ad powershell (legacy authentication) from happening.
I tested this by creating a conditional access policy to block all access to all cloud apps period, and applied that to a test user. The user had no problems whatsoever connecting to Azure AD Powershell using the legacy authentication.
Microsoft's documentation states that Conditional Access requires modern auth, so it implies that legacy auth isn't supported. What the documentation doesn't say is that it 'fails open' for legacy auth. =( But in my testing, I have confirmed it fails open for legacy auth especially when using a block rule, and in particular when using azure ad powershell module.Yup, figures, and it's probably related to the audit issue in general. They have promised to support legacy auth, and it should be coming soon (I hope). Until then, I guess good old AD FS claims rules are the only way to block things across the board.
Thank you Vasil! After reading the article I saw that it wasn't correct. Thank you for the answer.
You absolutely can,https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell
