
AAD Users able to list ALL AAD users, groups with all properties

Kenannn T
New Contributor

All O365-migrated users are able to list the whole AAD directory when logging on to the Azure portal. I think this is common since AAD was migrated to the new portal. The current AAD has no subscription activated (it is only used for O365), so it's not possible to log on to the classic portal because there is no subscription. Is there a way to block this view for "normal/regular" user roles?

5 Replies

This has always been the case; anyone with access to your tenant could use PowerShell to list objects and their data. You can restrict it to an extent via:

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

For the case of the Azure (RM) portal, the AAD blade is still new (in preview), so you can expect this to change once it reaches GA.
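The reply above names the tenant-wide switch but not how to audit it first or confirm the change took. The script below is an added example, not code from the thread or from Microsoft; it uses the same legacy MSOnline cmdlets the reply refers to (Connect-MsolService, Get-MsolCompanyInformation, Set-MsolCompanySettings) and also covers the self-service app-registration setting raised later in the thread. It assumes the MSOnline module is installed and that the signing-in account holds Global Administrator; the function name Get-DefaultMemberPermissions is my own.

```powershell
# Added example (not from the original thread). Assumes the MSOnline module is
# installed (Install-Module MSOnline) and you sign in as a Global Administrator.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the tenant

# Helper (my own name): read the tenant-wide defaults that apply to every
# ordinary member account. These are single tenant switches, not per-user settings.
function Get-DefaultMemberPermissions {
    $info = Get-MsolCompanyInformation
    [pscustomobject]@{
        UsersCanReadOtherUsers = $info.UsersPermissionToReadOtherUsersEnabled
        UsersCanRegisterApps   = $info.UsersPermissionToCreateLOBAppsEnabled
        UsersCanCreateGroups   = $info.UsersPermissionToCreateGroupsEnabled
        UsersCanConsentToApps  = $info.UsersPermissionToUserConsentToAppEnabled
    }
}

'Before:'
Get-DefaultMemberPermissions | Format-List

# Tighten the two settings the thread is concerned with: regular users reading
# the whole directory, and regular users registering their own applications.
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
Set-MsolCompanySettings -UsersPermissionToCreateLOBAppsEnabled  $false

'After:'
$after = Get-DefaultMemberPermissions
$after | Format-List

# Fail loudly if the change did not stick (typically an insufficient role on the
# signed-in account), rather than silently assuming the directory is now hidden.
if ($after.UsersCanReadOtherUsers -or $after.UsersCanRegisterApps) {
    throw 'Default member permissions were not tightened; check the signed-in role.'
}

# Verification from the other side: in a separate session signed in as a regular
# (non-admin) member, "Get-MsolUser -All" should now be denied instead of
# returning the directory. The portal blade reads through the same permission,
# so it is restricted by the same switch.
```

Two caveats a practitioner should weigh before flipping the first switch. Microsoft's own documentation for the "read other users" default describes it as intended for special circumstances and does not recommend setting it to false, and it notes that the flag only governs directory reads, not user information exposed through other services such as Exchange Online address lists. Second, the MSOnline module used here (and in the reply) has since been retired by Microsoft; the same setting lives today on the tenant's Microsoft Graph authorizationPolicy as defaultUserRolePermissions.allowedToReadOtherUsers, alongside allowedToCreateApps for the app-registration switch, and is managed with the Microsoft Graph PowerShell SDK rather than Set-MsolCompanySettings.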

Thank you, that's true, but I don't expect a "regular" user to use PS to obtain info. I would assume these settings are disabled by default for at least user roles, as well as adding new App Registrations.

Agreed, but they aren't disabled, so if you want to beef up security you'll have to manually turn them on.

Vasil: Correct me if I'm wrong, but if the user(s) are not credentialed specifically for Azure, then they cannot see this information?

It is the same as your on-prem AD: by default the whole directory is available as read-only to any authenticated user.

If you are not concerned about average users using PowerShell, then I'd suggest you also not worry about average users using the admin portal and finding the right blade. Both are equally easy to do, but also equally unlikely for a standard user to stumble across.
