0 Votes
JohnJr-9222 asked ·

Security - Default Azure user created for Office 365 mailboxes.

I noticed that all our users created in Office 365 get an Azure account too. This normally would not be a problem, but it looks like even a low-privileged user can log in to Azure and view all users, memberships, devices, and domains.

I found that conditional policies can be set up, but it looks like, as long as a user can sign in, they can log in to Azure and view all this data.

Our tenant only has a few users that log in to Azure as a domain, but the rest use Office 365 to log in.

Tags: azure-security-center, azure-ad-privileged-identity-management

1 Vote
amanpreetsingh-msft answered ·

Hello @JohnJr-9222


You can use the option below to restrict any non-administrator user from accessing Azure Active Directory:


Azure Portal > Azure Active Directory > Users > User Settings > Restrict access to Azure AD administration portal and set it to Yes






Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.




0 Votes
michev answered ·

You can restrict access on several levels, including restricting access to the portal, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#to-restrict-the-default-permissions-for-member-users


Thank you for that helpful link.

The problem is that the Office 365 user does not have any roles attached to their Azure account, and they have no Office 365 licenses attached.

If there are no roles attached, how are they able to log in to Azure? This user does have sign-in rights, but we wanted to limit their sign-in to Office 365 to access their mailbox, and not need to see the rest of Azure AD.

0 Votes

License or role doesn't matter; there are default permissions that everyone in the organization "inherits", as detailed in the article I linked to above, which also details how to restrict those when needed.

1 Vote
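The thread settles on two different controls, and it helps to see both from an admin shell. The "Restrict access to Azure AD administration portal" toggle in the accepted answer only hides the portal UI; Microsoft's own documentation notes it does not stop a user reading the directory through PowerShell or the Graph API. The default permission michev refers to is a separate tenant-wide flag that governs whether a member can read other users at all. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes the MSOnline module is installed and that you connect as a Global Administrator; the tenant it runs against is whatever you sign in to.

```powershell
# Added example (not from the thread): audit and, if wanted, restrict the
# member-user default permission that lets any signed-in user enumerate the
# directory. Assumes the MSOnline module and a Global Administrator sign-in.

Import-Module MSOnline
Connect-MsolService

# 1. Read the tenant-wide default. When this is $true (the out-of-the-box value),
#    every member of the tenant can read all users, groups and devices, with or
#    without an Office 365 licence or any Azure AD role assignment.
$company = Get-MsolCompanyInformation
"UsersPermissionToReadOtherUsersEnabled = $($company.UsersPermissionToReadOtherUsersEnabled)"

# 2. Reproduce what the question describes from the API side. Run this step while
#    signed in as the low-privileged mailbox user: if the directory listing works
#    here, the portal toggle alone has not closed the gap.
Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName, IsLicensed | Format-Table

# 3. Restrict the default permission so non-admins can no longer enumerate the
#    directory. Caveat: this flag also affects Microsoft 365 features that rely on
#    directory reads (people pickers, Teams, Planner), so pilot it in a test tenant
#    before applying it to production.
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

# 4. Re-check the setting and confirm the non-admin listing in step 2 now fails.
(Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
```

MSOnline is the module the linked article used at the time; the same flag is exposed in the Microsoft Graph PowerShell SDK as the `AllowedToReadOtherUsers` property of the authorization policy, settable with `Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{AllowedToReadOtherUsers=$false}` after `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"`. Keep the portal restriction in place as well; the two settings address different paths and neither replaces a Conditional Access policy for who may sign in at all.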