Wednesday, 29 May 2019

Block Read Access for Non-Admin Users to Azure AD Powershell and Graph API

In an Office 365 tenant, by default any user can connect to Azure AD PowerShell and run Get-MsolUser or Get-AzureADUser to list every other user's details, including personal data (e.g. phone number, address, password last set time), and can fetch the same information from the users Graph API endpoint. This design may not be a problem in some organisations, but it is a serious security issue in organisations with stricter requirements.

We can use the Set-MsolCompanySettings cmdlet from the Azure AD PowerShell v1 module (MSOnline) to block this read access for non-admin users. You need Global Admin permission to run this command. Before proceeding, connect to Azure AD with the MSOnline module, then run the command below to disable users' permission to read other users' data.
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
After running the above command, a Global Admin account can still read all users' data without any issue, but if you connect to Azure AD PowerShell with a non-admin user account and run the Get-MsolUser cmdlet, you will get the error "Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet".
PS C:\> Get-MsolUser
Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet.
At line:1 char:1
+ Get-MsolUser
+ ~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Admini
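To make the change auditable and to confirm it from the non-admin side, the following script (an added example, not part of the original post) records the current value, applies the block only when needed, verifies it, and then checks from a non-admin test account that Get-MsolUser is denied. It assumes the MSOnline module is installed, reads the current value with Get-MsolCompanyInformation, and takes the Global Admin and test-user credentials as parameters ($AdminCred and $TestUserCred are names chosen for this example).

```powershell
# Added example (not part of the original post). Assumes the MSOnline module is
# installed, $AdminCred is a Global Admin and $TestUserCred is a normal user.
param(
    [Parameter(Mandatory)] [pscredential] $AdminCred,
    [Parameter(Mandatory)] [pscredential] $TestUserCred
)
Import-Module MSOnline

function Get-ReadOtherUsersSetting {
    # Get-MsolCompanyInformation exposes the tenant-wide flag being changed.
    (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
}

# 1. Connect as Global Admin and record the current state for rollback.
Connect-MsolService -Credential $AdminCred
$before = Get-ReadOtherUsersSetting
Write-Host "UsersPermissionToReadOtherUsersEnabled before: $before"

# 2. Apply the block only if it is not already in place (idempotent).
if ($before -eq $true) {
    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
}

# 3. Verify the setting actually changed before trusting it.
$after = Get-ReadOtherUsersSetting
if ($after -ne $false) { throw "Setting did not apply; value is '$after'" }
Write-Host "UsersPermissionToReadOtherUsersEnabled after: $after"

# 4. Confirm the effect from a non-admin account: Get-MsolUser must now fail
#    with "Access Denied" instead of returning the directory.
Connect-MsolService -Credential $TestUserCred
try {
    $null = Get-MsolUser -MaxResults 1 -ErrorAction Stop
    Write-Warning "Non-admin user can still read other users; check the setting."
}
catch {
    if ($_.Exception.Message -match 'Access Denied') {
        Write-Host "Confirmed: non-admin read access is blocked."
    } else {
        throw   # some other failure (e.g. bad credentials); surface it
    }
}

# Rollback, if Planner or Teams member search breaks:
# Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true
```

Connect-MsolService -Credential only works for accounts without MFA; for MFA-enabled accounts omit -Credential and sign in through the interactive prompt instead.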

Azure AD PowerShell v2 module:

When you run the Get-AzureADUser cmdlet as a non-admin user, you will get the error message "Authorization_RequestDenied : Insufficient privileges to complete the operation".
PS C:\> Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUsers
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 784ed01e-094f-4ecd-8bcd-6557e5bc7b58
DateTimeStamp: Wed, 29 May 2019 18:09:40 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADUser
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADUser], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser

Graph API - users endpoint:

You will also get an Access Denied response when you call the users Graph endpoint with a normal user account.
Request URL:
Request Method: GET
Status Code: 403 Forbidden

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "b254adb3-8918-4921-b899-8c381b9ea611",
      "date": "2019-05-29T18:27:59"
    }
  }
}

Note: blocking read access to other users' data may cause problems in Microsoft Planner and Teams (e.g. searching for users may not work when you add members to a plan).