Azure AD Restricting Users

anuj August 20, 2020 Azure AD Restricting Users2020-08-20T15:14:02+00:00 No Comment

The problem: By default, anyone can log in to the Azure portal and the list all existing users, including many of their attributes, except, passwords or password hashes. This information can be accessed from anywhere, unlike your on premises AD, which requires you to be ON your network.

Solution: Restrict Users that can VIEW Azure AD information

Azure AD - Restricting User that can view Azure Active Directory Info

From AAD --> In the Azure Active Directory pane, click User settings
Select Yes to Restrict access to Azure AD administration portal.

Note: This does not prevent one from authenticating using powershell and querying AAD. It only restricts users from the portal.

View ALL privileged Users

Import-Module AzureAD 
Connect-AzureAD 
$_usersinroles = @() 
Get-AzureADDirectoryRole | foreach {
    $_objectid = $_.ObjectId; $rolename = $_.Displayname
    $_usersinroles += Get-AzureADDirectoryRoleMember -ObjectId `
    $_objectid | select @{name='RoleName';expression={$rolename}},`
    displayname,UserPrincipalName,UserType 
} 
$_usersinroles"

View All Company Admins

Import AzureAD

Connect-AzureAD -Credential $AzureADCredentials

#Working with roles

#Get-AzureADDirectoryRole

$CompanyAdminRole = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Company Administrator"} | Out-File -FilePath .\lw_admins.txt

Get-AzureADDirectoryRoleMember -ObjectId $CompanyAdminRole.ObjectId

Summary

This is a quick recap on how to restrict access to AAD users as well as quickly view existing AD admins and rolees in your AAD tenant.

Azure AD harden, Azure AD Restricting Users

No Comments Yet

Leave a Reply Cancel reply

Privacy Policy