Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Defining Azure Active Directory User Permissions

Copper Contributor

Hi!

For security reasons I've disabled the default permission to read user profiles in azure active directory by 

 

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

 

How can I return this permission only to a specific user or group?

6 Replies

You cannot, it's all or nothing.

So, if I set the default permission back to 

 

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true

 

How can I prevent normal users from reading other user profiles in the Azure AD?

You cannot, those properties are "public" and you can also see them from the GAL in Outlook/OWA, Delve, etc. There are some settings like the above mentioned or the equivalent for the Azure portal, but those only apply to the corresponding endpoints.

Hi!

 

Hm ... would it be possible to use role based access control?

RBAC wont help you with this. Plus we don't have proper RBAC controls for Azure AD just yet.

I realize this is an old discussion, but I have found that a. Security is reporting this as a pen test finding and it should be disabled for security reasons, but, 2. if you disable this setting is will break user listing in apps like Planner. So what can we do? We are looking into options, but so far have found none. @Pernille-Eskebo should be listening...