Colton Lacy
Brass Contributor
Dec 01, 2017

Can a User with no admin access run Get-Msol Cmdlets?

Upon testing the different Admin Roles with PowerShell, I came across the fact that a standard user can run a lot of Get-Msol Cmdlets. Is there something that I missed to block standard users from b...
  • VasilMichev
    Dec 02, 2017

    Um, that article is for Azure PowerShell, not Azure AD. You cannot restrict users from using the MSOL/AzureAD, unless you are willing to block other things as well (read: Conditional access supposedly covers the admin endpoints now, but you cannot actually configure any explicit includes/excludes for those).

    You can however limit the information they can get by configuring the following:

    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

    Similar concerns apply to the Azure AD portal btw, make sure to toggle the "Restrict access to the Azure AD administration portal" setting in the Azure AD blade.
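
An added example, not part of the reply above: one way to apply the setting from the reply and confirm it took effect, first by re-reading the tenant value as an admin and then by testing from a non-admin session. The function names are hypothetical, the MSOnline module is assumed to be installed, and the expectation that a standard user's Get-MsolUser call fails once the setting is off is an assumption to verify in your own tenant.

```powershell
# Added example, not from the thread. Assumes the MSOnline module is installed.
# Set-UserReadRestriction and Test-StandardUserRead are hypothetical helper names.
Import-Module MSOnline

function Set-UserReadRestriction {
    # Run as an account permitted to change company settings.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Connect-MsolService
    $before = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
    Write-Verbose "Before: UsersPermissionToReadOtherUsersEnabled = $before"

    # Only write when the tenant is not already restricted; honours -WhatIf.
    if ($before -ne $false -and
        $PSCmdlet.ShouldProcess('tenant', 'Disable user read of other users')) {
        Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
    }

    # Re-read the value instead of assuming the change was applied.
    $after = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
    [pscustomobject]@{ Before = $before; After = $after; Restricted = ($after -eq $false) }
}

function Test-StandardUserRead {
    # Run in a separate session, signing in as a non-admin test account.
    Connect-MsolService
    try {
        Get-MsolUser -MaxResults 1 -ErrorAction Stop | Out-Null
        [pscustomobject]@{ CanEnumerateUsers = $true; Detail = 'Get-MsolUser returned data' }
    } catch {
        # Assumption: with the setting off, the service rejects the call.
        # Other failures (e.g. sign-in errors) also land here; check Detail.
        [pscustomobject]@{ CanEnumerateUsers = $false; Detail = $_.Exception.Message }
    }
}
```

The portal toggle mentioned in the reply is a separate setting and is not changed by this script.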
