cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Can a User with no admin access run Get-Msol Cmdlets?

Colton Lacy
Occasional Contributor

‎Dec 01 2017 09:43 AM

‎Dec 01 2017 09:43 AM

Can a User with no admin access run Get-Msol Cmdlets?

Upon testing the different Admin Roles with PowerShell, I came across the fact that a standard user can run a lot of Get-Msol Cmdlets. Is there something that I missed to block standard user's from being able to make a connection through Powershell to Azure Active Directory?

5,067 Views
0 Likes
7 Replies
Reply
7 Replies
best response confirmed by Colton Lacy (Occasional Contributor)
Vasil Michev

‎Dec 02 2017 04:06 AM

‎Dec 02 2017 04:06 AM

Solution

Re: Can a User with no admin access run Get-Msol Cmdlets?

Um, that article is for Azure PowerShell, not Azure AD. You cannot restrict users from using the MSOL/AzureAD, unless you are willing to block other things as well (read: Conditional access supposedly covers the admin endpoints now, but you cannot actually configure any explicit includes/excludes for those).

 

You can however limit the information they can get by configuring the following:

 

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

 

 

Similar concerns apply to the Azure AD portal btw, make sure to toggle the "Restrict access to the Azure AD administration portal" setting in the Azure AD blade.

1 Like
Reply
Colton Lacy

‎Dec 04 2017 06:58 AM

‎Dec 04 2017 06:58 AM

Re: Can a User with no admin access run Get-Msol Cmdlets?

Thank you Vasil! After reading the article I saw that it wasn't correct. Thank you for the answer.

0 Likes
Reply
Joe Stocker

‎Dec 11 2017 06:15 PM

‎Dec 11 2017 06:15 PM

Re: Can a User with no admin access run Get-Msol Cmdlets?

Vasil - bad news, the conditional access policies do not prevent azure ad powershell (legacy authentication) from happening.
I tested this by creating a conditional access policy to block all access to all cloud apps period, and applied that to a test user. The user had no problems whatsoever connecting to Azure AD Powershell using the legacy authentication.
Microsoft's documentation states that Conditional Access requires modern auth, so it implies that legacy auth isn't supported. What the documentation doesn't say is that it 'fails open' for legacy auth. =( But in my testing, I have confirmed it fails open for legacy auth especially when using a block rule, and in particular when using azure ad powershell module.

2 Likes
Reply
Vasil Michev

‎Dec 12 2017 12:08 AM

‎Dec 12 2017 12:08 AM

Re: Can a User with no admin access run Get-Msol Cmdlets?

Yup, figures, and it's probably related to the audit issue in general. They have promised to support legacy auth, and it should be coming soon (I hope). Until then, I guess good old AD FS claims rules are the only way to block things across the board.

0 Likes
Reply
Adrian Hyde

‎Jan 08 2018 10:03 PM

‎Jan 08 2018 10:03 PM

Re: Can a User with no admin access run Get-Msol Cmdlets?

Keep in mind too that a typical OnPrem AD provides full read access to the same information to any standard user.

0 Likes
Reply
Joe Stocker

‎Jan 08 2018 10:08 PM

‎Jan 08 2018 10:08 PM

Re: Can a User with no admin access run Get-Msol Cmdlets?

also keep in mind that a typical OnPrem AD sits behind a firewall... whereas Azure AD is fairly open to direct attack. so when a standard user is compromised, you don't want them running these get-msol* commands.
1 Like
Reply