thenewmessiah-5920 asked

Is it possible to hide Active Directory personal user information from external Microsoft 365 users?

Hi All,

As a Company, we have the Active Directory connector to synchronize our local AD info to Azure AD.

Our users can then log in with their AD credentials to all Microsoft 365 services, and all information about users is synchronized with their online accounts.

Now, we have noted a privacy violation of internal information when our Teams users invite external users.

All these external users are able to see the full list of Active Directory information related to the internal users that have joined the meeting (personal phone number, mobile number, internal number, street, city, etc.).

Shouldn't all of this information be protected by default, as required by GDPR (privacy by design and privacy by default)?


I have opened a ticket with Technical Support, but they closed the ticket telling me that "it is normal" and invited me to open a question on the Microsoft portals.


Do you know if there is a way to exclude access to our internal AD information from external users?

michev answered

Check the "guest access permissions" feature: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions

When guest access is restricted, guests can view only their own user profile. Permission to view other users isn't allowed even if the guest is searching by User Principal Name or objectId. Restricted access also restricts guest users from seeing the membership of groups they're in.


@thenewmessiah-5920,

Agree with michev, you can make changes to the existing Azure portal controls for guest user permissions as below. It will restrict guest user’s access to properties and memberships of their own directory objects.


130595-image.png


0 Votes 0 ·
image.png (130.6 KiB)

Hello and thanks for your reply.
I'm really frustrated about this and very shocked about Microsoft's support.
They have closed the ticket without telling me about this setting.

Anyway, I have changed these settings in Azure AD, but the guest users can still see the full AD info about corporate users.
Incredibly, no one has reported this to Microsoft.
This disclosure is illegal in the EU under GDPR.
You can't expose personal information about corporate users without any warning, and by default these settings should be private.


@thenewmessiah-5920

I tested this in my lab. Guests can still see other users' AD info even when I follow the settings in Azure AD.

Then I read the document from michev again. It seems that this setting only restricts guests from seeing the membership of groups.

(screenshot attached: image.png)

SharonZhao-MSFT commented

@thenewmessiah-5920,

It is suggested that you post a feature request at this link.

Microsoft will always focus on customer’s feedback and experience. Some new features would be added to the services based on customers' feedback in the future, and your good ideas will be very helpful for them to improve the service.

Your time, understanding and cooperation will be highly appreciated.


JamesTran-MSFT answered

@thenewmessiah-5920
Thank you for following up on this, and I apologize for your support ticket being closed out without any solution.

As mentioned by @michev and shown by @SharonZhao-MSFT, you can definitely leverage our Restrict guest access permissions in Azure Active Directory documentation to restrict what external guest users can see in their organization in Azure AD.

For the different restriction options, the default looks to be Limited access - Guests can see membership of all non-hidden groups. I tested this within my tenant and wasn't able to see any user data.

(screenshot attached: image.png, the guest user's view of the directory)

Note - My guest user has no roles assigned and is solely a "User" within my Azure AD tenant. If you assign an Azure AD role, for example Global Admin, to the guest user, they'll be able to see user data.


If you're still having issues with this, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


LimitlessTechnology-2700 answered
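As an added example that is not from any of the posts above, this Microsoft Graph PowerShell script reads the tenant's current guest user role, sets it to the "Restricted access" level described in the linked article, and then lists guest accounts that hold a directory role, since JamesTran's note shows that a role-holding guest is not covered by the restriction. The three role ids are the values documented in the linked article; the tenant, the module being installed, and an admin able to consent to the scopes are assumed.

```powershell
# Added example: audit and tighten guest user permissions with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and an admin can consent to these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","User.Read.All","Directory.Read.All"

# Guest role ids as documented in the linked "restrict guest permissions" article.
$GuestRoleLevels = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same as member users"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted access"
}
$Restricted = "2af84b1e-32c8-42b7-82bc-daa82404023b"
$PolicyUri  = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Read the tenant-wide authorization policy and translate guestUserRoleId to its level.
function Get-GuestAccessLevel {
    $policy = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    $id = $policy.guestUserRoleId
    $label = if ($GuestRoleLevels.ContainsKey($id)) { $GuestRoleLevels[$id] } else { "Unknown ($id)" }
    [pscustomobject]@{ GuestUserRoleId = $id; Level = $label }
}

"Before:"; Get-GuestAccessLevel

# Move the tenant to 'Restricted access' (guests can view only their own profile).
Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body @{ guestUserRoleId = $Restricted }

"After:"; Get-GuestAccessLevel

# Guests holding a directory role keep elevated read access regardless of this policy,
# so list every guest/role pairing for review.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,UserPrincipalName
foreach ($g in $guests) {
    $roles = Get-MgUserMemberOf -UserId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
    foreach ($r in $roles) {
        [pscustomobject]@{ Guest = $g.UserPrincipalName; DirectoryRole = $r.AdditionalProperties['displayName'] }
    }
}
```

Run the "Before" read first on its own if you only want to confirm the current level; the PATCH changes tenant-wide behaviour for all guests.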

Hello @thenewmessiah-5920

Was there any development of your issue after the last recommendations?

I would also recommend the Microsoft UserVoice channels to raise your concerns, suggestions, or feature requests:

Find Teams in the list at: https://docs.microsoft.com/en-gb/archive/blogs/o365guy/submit-product-feedback-or-feature-requests-to-microsofts-virtual-suggestion-boxes

Hope you find it useful,
Best regards,
