SOLVED

Can a User with no admin access run Get-Msol Cmdlets?


Upon testing the different Admin Roles with PowerShell, I came across the fact that a standard user can run a lot of Get-Msol cmdlets. Is there something that I missed to block standard users from being able to make a connection through PowerShell to Azure Active Directory?

7 Replies
Best Response confirmed by Colton Lacy (Occasional Contributor)
Solution

Um, that article is for Azure PowerShell, not Azure AD. You cannot restrict users from using the MSOL/AzureAD modules, unless you are willing to block other things as well (read: Conditional Access supposedly covers the admin endpoints now, but you cannot actually configure any explicit includes/excludes for those).

You can however limit the information they can get by configuring the following:

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

Similar concerns apply to the Azure AD portal btw, make sure to toggle the "Restrict access to the Azure AD administration portal" setting in the Azure AD blade.
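The following script is an added example (editor's code, not posted by anyone in this thread) that turns the accepted answer into a repeatable check: it probes a handful of Get-Msol* read cmdlets as a non-admin account, then, as an admin, audits and applies the UsersPermissionToReadOtherUsersEnabled setting, and probes again so you can see exactly what the toggle denies. It assumes the MSOnline module is installed and that two hypothetical PSCredential objects exist: $adminCred (a tenant administrator) and $userCred (a standard, non-admin test user with no MFA requirement, since Connect-MsolService -Credential is a plain username/password sign-in). Run it only against a test tenant.

```powershell
# Added example, not from the original thread. Assumes the MSOnline module
# and two hypothetical credentials: $adminCred (tenant admin) and $userCred
# (standard user). Run against a test tenant only.
Import-Module MSOnline -ErrorAction Stop

# Read-only cmdlets a curious (or compromised) standard user would reach for.
# Each probe returns a small summary so the table stays readable.
$probes = @(
    @{ Name = 'Get-MsolUser -All';           Run = { (Get-MsolUser -All | Measure-Object).Count } },
    @{ Name = 'Get-MsolGroup';               Run = { (Get-MsolGroup | Measure-Object).Count } },
    @{ Name = 'Get-MsolRole';                Run = { (Get-MsolRole | Measure-Object).Count } },
    @{ Name = 'Get-MsolRoleMember (GA)';     Run = {
            $ga = Get-MsolRole -RoleName 'Company Administrator'
            (Get-MsolRoleMember -RoleObjectId $ga.ObjectId | Measure-Object).Count } },
    @{ Name = 'Get-MsolDomain';              Run = { (Get-MsolDomain | Measure-Object).Count } },
    @{ Name = 'Get-MsolCompanyInformation';  Run = { (Get-MsolCompanyInformation).DisplayName } }
)

function Test-MsolReadExposure {
    # Signs in with a password credential (the non-interactive path the thread
    # is about) and reports which directory reads succeed for that identity.
    param([Parameter(Mandatory)][pscredential]$Credential)

    Connect-MsolService -Credential $Credential -ErrorAction Stop
    foreach ($p in $probes) {
        try {
            $result = & $p.Run
            [pscustomobject]@{ Probe = $p.Name; Allowed = $true;  Detail = $result }
        }
        catch {
            # Access-denied and similar failures land here; keep the message for triage.
            [pscustomobject]@{ Probe = $p.Name; Allowed = $false; Detail = $_.Exception.Message }
        }
    }
}

# 1. Baseline: what can the standard user read right now?
"=== Standard user, before hardening ==="
Test-MsolReadExposure -Credential $userCred | Format-Table -AutoSize

# 2. As an admin, audit the tenant-wide setting from the accepted answer and
#    flip it off if it is still enabled (the default).
Connect-MsolService -Credential $adminCred -ErrorAction Stop
$before = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
if ($before) {
    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
}
$after = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
"UsersPermissionToReadOtherUsersEnabled: $before -> $after"

# 3. Re-run the probes as the standard user to confirm what is now denied.
#    Note: the user can still connect; only the reads are restricted.
"=== Standard user, after hardening ==="
Test-MsolReadExposure -Credential $userCred | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: the setting reduces what a standard user can enumerate, it does not stop the Connect-MsolService call itself, which is the point the answer makes about not being able to block the module outright; and the portal toggle the answer mentions ("Restrict access to the Azure AD administration portal") is a separate control with no MSOL cmdlet behind it, so it is not covered by this script.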

Thank you Vasil! After reading the article I saw that it wasn't correct. Thank you for the answer.

Vasil - bad news, the Conditional Access policies do not prevent Azure AD PowerShell (legacy authentication) from happening.
I tested this by creating a Conditional Access policy to block all access to all cloud apps, period, and applied that to a test user. The user had no problems whatsoever connecting to Azure AD PowerShell using the legacy authentication.
Microsoft's documentation states that Conditional Access requires modern auth, so it implies that legacy auth isn't supported. What the documentation doesn't say is that it 'fails open' for legacy auth. =( But in my testing, I have confirmed it fails open for legacy auth, especially when using a block rule, and in particular when using the Azure AD PowerShell module.

Yup, figures, and it's probably related to the audit issue in general. They have promised to support legacy auth, and it should be coming soon (I hope). Until then, I guess good old AD FS claims rules are the only way to block things across the board.

Keep in mind too that a typical OnPrem AD provides full read access to the same information to any standard user.

Also keep in mind that a typical on-prem AD sits behind a firewall... whereas Azure AD is fairly open to direct attack. So when a standard user is compromised, you don't want them running these Get-Msol* commands.