Forum Discussion
Colton Lacy
Dec 01, 2017Brass Contributor
Can a User with no admin access run Get-Msol Cmdlets?
Upon testing the different Admin Roles with PowerShell, I came across the fact that a standard user can run a lot of Get-Msol Cmdlets. Is there something that I missed to block standard user's from b...
- Dec 02, 2017
Um, that article is for Azure PowerShell, not Azure AD. You cannot restrict users from using the MSOL/AzureAD, unless you are willing to block other things as well (read: Conditional access supposedly covers the admin endpoints now, but you cannot actually configure any explicit includes/excludes for those).
You can however limit the information they can get by configuring the following:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
Similar concerns apply to the Azure AD portal btw, make sure to toggle the "Restrict access to the Azure AD administration portal" setting in the Azure AD blade.
Joe Stocker
Dec 12, 2017Bronze Contributor
Vasil - bad news, the conditional access policies do not prevent azure ad powershell (legacy authentication) from happening.
I tested this by creating a conditional access policy to block all access to all cloud apps period, and applied that to a test user. The user had no problems whatsoever connecting to Azure AD Powershell using the legacy authentication.
Microsoft's documentation states that Conditional Access requires modern auth, so it implies that legacy auth isn't supported. What the documentation doesn't say is that it 'fails open' for legacy auth. =( But in my testing, I have confirmed it fails open for legacy auth especially when using a block rule, and in particular when using azure ad powershell module.
I tested this by creating a conditional access policy to block all access to all cloud apps period, and applied that to a test user. The user had no problems whatsoever connecting to Azure AD Powershell using the legacy authentication.
Microsoft's documentation states that Conditional Access requires modern auth, so it implies that legacy auth isn't supported. What the documentation doesn't say is that it 'fails open' for legacy auth. =( But in my testing, I have confirmed it fails open for legacy auth especially when using a block rule, and in particular when using azure ad powershell module.
VasilMichev
Dec 12, 2017MVP
Yup, figures, and it's probably related to the audit issue in general. They have promised to support legacy auth, and it should be coming soon (I hope). Until then, I guess good old AD FS claims rules are the only way to block things across the board.