Apr 10 2019
- last edited on
Jan 14 2022
For security reasons I've disabled the default permission to read user profiles in azure active directory by
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
How can I return this permission only to a specific user or group?
Apr 10 2019 12:04 PM
So, if I set the default permission back to
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true
How can I prevent normal users from reading other user profiles in the Azure AD?
Apr 11 2019 12:28 AM
You cannot, those properties are "public" and you can also see them from the GAL in Outlook/OWA, Delve, etc. There are some settings like the above mentioned or the equivalent for the Azure portal, but those only apply to the corresponding endpoints.
Apr 11 2019 09:28 AM
RBAC wont help you with this. Plus we don't have proper RBAC controls for Azure AD just yet.