Azure AD Restricting Users
The problem: By default, any user who can sign in to the Azure portal can list every user in the tenant, including many of their attributes (everything except passwords or password hashes). Because Azure AD is reachable from the internet, this information can be read from anywhere, unlike your on-premises AD, which at least requires you to be ON your network.
Solution: Restrict Users that can VIEW Azure AD information
Azure AD - Restricting User that can view Azure Active Directory Info
- From AAD --> In the Azure Active Directory pane, click User settings
- Select Yes to Restrict access to Azure AD administration portal.
Note: This only hides the portal blades. It does not prevent a regular user from authenticating with PowerShell (or calling the Graph API directly) and querying AAD with the same level of access. The setting that actually stops ordinary users from reading other users' objects is the tenant-wide "users can read other users" permission (Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false in the MSOnline module), which also affects applications that rely on directory lookups, so test it before rolling it out.
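The following is an added example, not code from the original post, showing how to verify the caveat above: it enumerates users as an ordinary account after the portal has been restricted, then flips the tenant-level read permission and re-tests. It assumes the AzureAD and MSOnline modules are installed, that the accounts used are not MFA-enforced (Connect-AzureAD -Credential does not support interactive MFA), and that the variable names $lowPrivCred and $adminCred are placeholders you fill in.

```powershell
# Added example (not from the original post). Assumes AzureAD + MSOnline modules
# and two accounts: an ordinary member user and a Global Administrator.
Import-Module AzureAD
Import-Module MSOnline

$lowPrivCred = Get-Credential -Message "Ordinary (non-admin) tenant user"

# 1. Enumerate the directory as the low-privilege user. With only
#    "Restrict access to Azure AD administration portal" = Yes, this still
#    succeeds and returns every user object in the tenant.
Connect-AzureAD -Credential $lowPrivCred | Out-Null
$users = Get-AzureADUser -All $true
Write-Host ("Non-admin account can read {0} user objects" -f $users.Count)
$users | Select-Object DisplayName, UserPrincipalName, UserType, JobTitle, Department |
    Format-Table -AutoSize
Disconnect-AzureAD

# 2. As a Global Administrator, inspect the tenant-wide read permission
#    (True by default) and turn it off.
$adminCred = Get-Credential -Message "Global Administrator"
Connect-MsolService -Credential $adminCred
(Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

# 3. Re-test as the low-privilege user. The bulk read should now be denied
#    with an authorization error instead of returning the whole directory.
Connect-AzureAD -Credential $lowPrivCred | Out-Null
try {
    $count = (Get-AzureADUser -All $true).Count
    Write-Warning "Directory is still readable: $count user objects returned"
} catch {
    Write-Host "Directory read blocked for ordinary users: $($_.Exception.Message)"
}
Disconnect-AzureAD
```

Run step 1 before and after the portal setting is changed to see for yourself that the portal toggle makes no difference to PowerShell; only step 2 changes what a non-admin can read.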
View ALL privileged Users
Import-Module AzureAD
Connect-AzureAD

# Collect every member of every activated directory role into one list
$usersInRoles = @()
Get-AzureADDirectoryRole | ForEach-Object {
    $objectId = $_.ObjectId
    $roleName = $_.DisplayName
    $usersInRoles += Get-AzureADDirectoryRoleMember -ObjectId $objectId |
        Select-Object @{Name = 'RoleName'; Expression = { $roleName }},
                      DisplayName, UserPrincipalName, UserType
}
$usersInRoles

Note: Get-AzureADDirectoryRole returns only roles that have been activated in the tenant; Get-AzureADDirectoryRoleTemplate lists all of them. Role members can also be groups or service principals, in which case UserPrincipalName and UserType are empty. The AzureAD module itself is deprecated in favour of Microsoft Graph PowerShell (Get-MgDirectoryRole / Get-MgDirectoryRoleMember), so plan to port this.
View All Company Admins
Import-Module AzureAD
$AzureADCredentials = Get-Credential
Connect-AzureAD -Credential $AzureADCredentials

# Working with roles. Global Administrator shows up as "Company Administrator"
# in the AzureAD module, so match either name.
$CompanyAdminRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in @("Company Administrator", "Global Administrator") }

# Write the role MEMBERS to the file, not the role object itself (piping the role
# into Out-File leaves $CompanyAdminRole empty and the next call fails)
Get-AzureADDirectoryRoleMember -ObjectId $CompanyAdminRole.ObjectId |
    Select-Object DisplayName, UserPrincipalName, UserType |
    Tee-Object -FilePath .\lw_admins.txt
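The two listings above can be combined into one audit. The following is an added example, not code from the original post, that goes a step further than the page: it reports which role templates are not activated, records the object type of every role member (user, group or service principal), and flags guest accounts and non-user principals holding privileged roles. It assumes the AzureAD module and an already authenticated Connect-AzureAD session; the output path aad_privileged_members.csv is a placeholder.

```powershell
# Added example (not from the original post). Assumes the AzureAD module;
# the CSV file name is an arbitrary choice.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$activeRoles = Get-AzureADDirectoryRole
$templates   = Get-AzureADDirectoryRoleTemplate

# Templates that were never activated cannot have members, but knowing they are
# dormant tells you the role list below is complete for this tenant.
$inactive = $templates | Where-Object { $_.ObjectId -notin $activeRoles.RoleTemplateId }
Write-Host ("{0} roles activated, {1} role templates not activated" -f $activeRoles.Count, $inactive.Count)

# One row per (role, member), regardless of the member's object type
$report = foreach ($role in $activeRoles) {
    foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        $isUser = ($m.ObjectType -eq 'User')
        [pscustomobject]@{
            RoleName       = $role.DisplayName
            MemberType     = $m.ObjectType          # User, Group or ServicePrincipal
            DisplayName    = $m.DisplayName
            Identifier     = if ($isUser) { $m.UserPrincipalName } else { $m.ObjectId }
            UserType       = if ($isUser) { $m.UserType } else { '' }   # Member / Guest
            AccountEnabled = if ($isUser) { $m.AccountEnabled } else { '' }
        }
    }
}

$report | Export-Csv -Path .\aad_privileged_members.csv -NoTypeInformation

# Findings that deserve a second look
Write-Host "--- Guest accounts holding a directory role ---"
$report | Where-Object { $_.UserType -eq 'Guest' } | Format-Table -AutoSize

Write-Host "--- Groups and service principals holding a directory role ---"
$report | Where-Object { $_.MemberType -ne 'User' } | Format-Table -AutoSize

Write-Host "--- Global (Company) Administrators ---"
$report | Where-Object { $_.RoleName -in @('Company Administrator', 'Global Administrator') } |
    Format-Table -AutoSize
```

Guest accounts and service principals in privileged roles are the rows most worth investigating, because they are exactly the principals that the portal restriction described earlier does nothing to constrain.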
Summary
This is a quick recap of how to restrict portal access for AAD users, and how to quickly list the existing admins and role members in your AAD tenant.