Disable user browsing in Azure Active Directory for standard users

Question

I created a new AAD user without any special permissions (no admin, just a user). Now, when I login using the Connect-MSOLService cmdlet and retrieve all users using Get-MSOLUser I can see every user within that directory.

Why and am I able to change that?

Background: I want to use a single AAD instance for multiple SAAS applications and want to prevent that a user can browse all users.

Answer 1

In Azure AD, Users and groups are created in a flat structure without OU and GPO. You can't restrict the user's permission to a specific scope. The user can view all the user information in Azure AD.

To isolate the users from different scopes, you can create multiple directories for Azure AD, and configure the SaaS applications as multi-tenant application for AAD.

You can refer to the article below for more details about Azure AD Directory role.

https://learn.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles

Answer 2

Actually, there is a way to disable user browsing in an AAD using the Set-MsolCompanySettings from the MSOnline module:

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

Answer 3

If you connect to an Active Directory you usually want to read some data. As such if you're authorized to do that you can easily access information that is available and particularly "sensitive" (e.g. you can't read private keys of user objects easily). If you look at the history of Active Directory and it's typical usage within companies, it's likely that only single tenant (company) using it at a given time. As such there were even less reason to restrict the access.

If you want to have multiple tenants use the same AD you will have to figure out a scheme that works for you and setup the proper permissions yourself.

Helpful articles for this could be:

• Build a multi-tenant SaaS web application using Azure AD & OpenID Connect
• Question: Creating a multi-tenant AD environment