Colton Lacy
Dec 01, 2017 | Brass Contributor
Can a User with no admin access run Get-Msol Cmdlets?
Upon testing the different Admin Roles with PowerShell, I came across the fact that a standard user can run a lot of Get-Msol Cmdlets. Is there something that I missed to block standard users from b...
- Dec 02, 2017
Um, that article is for Azure PowerShell, not Azure AD. You cannot restrict users from using the MSOL/AzureAD, unless you are willing to block other things as well (read: Conditional access supposedly covers the admin endpoints now, but you cannot actually configure any explicit includes/excludes for those).
You can however limit the information they can get by configuring the following:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
Similar concerns apply to the Azure AD portal btw, make sure to toggle the "Restrict access to the Azure AD administration portal" setting in the Azure AD blade.
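An added example, not part of the original reply: one way to check the tenant's current value before applying the setting named above, and to confirm it afterwards. It assumes the MSOnline module is installed and that you sign in with an account allowed to change company settings; the function name `Set-UserReadRestriction` is hypothetical.

```powershell
#Requires -Modules MSOnline
# Added example (not from the thread): audit, then optionally disable, the
# tenant-wide permission that lets standard users read other users' data.

function Set-UserReadRestriction {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Read the current tenant-wide value before touching anything.
    $before = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
    Write-Output "UsersPermissionToReadOtherUsersEnabled is currently: $before"

    if ($before -eq $false) {
        Write-Output 'Already restricted; nothing to change.'
        return
    }

    # ShouldProcess makes -WhatIf and -Confirm work on this wrapper.
    if ($PSCmdlet.ShouldProcess('tenant company settings',
            'Set UsersPermissionToReadOtherUsersEnabled to $false')) {
        Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

        # Re-read the value so a silent failure does not go unnoticed.
        $after = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
        if ($after -ne $false) {
            throw "Setting did not apply; value is still $after"
        }
        Write-Output "UsersPermissionToReadOtherUsersEnabled is now: $after"
    }
}

Connect-MsolService                 # interactive sign-in with an admin account
Set-UserReadRestriction -WhatIf     # report only; remove -WhatIf to apply
```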
Adrian Hyde
Jan 09, 2018 | Iron Contributor
Keep in mind too that a typical OnPrem AD provides full read access to the same information to any standard user.
Joe Stocker
Jan 09, 2018 | Bronze Contributor
Also keep in mind that a typical OnPrem AD sits behind a firewall... whereas Azure AD is fairly open to direct attack. So when a standard user is compromised, you don't want them running these get-msol* commands.