Preventing users from browsing Azure AD via the WAAD PowerShell module

A few months back, this question popped up on the Office 365 Yammer network. Ryan Marchant was worried about the fact that any sign-in enabled Office 365 user could simply log in with the WAAD module for PowerShell and export all the user information with a few simple cmdlets.

While I argued that this is hardly a problem, as a lot more information is exposed via the GAL, Ryan was not convinced, and a few days later he got an answer from the PG: you can use the UsersPermissionToReadOtherUsersEnabled parameter to control this. It’s a very simple solution indeed; all you need to do is run the following cmdlet:

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

Being a simple solution, however, it has some limitations. All the cmdlet above does is block access to the Get-MsolUser cmdlet for any non-admin account. Should a regular user try to use it, he will be greeted by the following error message:

PS C:\> Get-MsolUser
Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet.
At line:1 char:1
+ Get-MsolUser
+ ~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Administration...

Every other Get- cmdlet is still available, and an experienced user will still be able to get his hands on some sensitive information. It is perfectly possible, for example, to run Get-MsolCompanyInformation and read the Technical Contact details. The setting doesn’t even block access to Get-MsolContact or the group-related Get-MsolGroup and Get-MsolGroupMember cmdlets, so user email addresses can easily be obtained by listing group members. You can also happily list the members of the administrative role groups or the newly introduced administrative units, find the partner of record, etc.

All this of course doesn’t make the feature useless. On the contrary, I imagine it will be useful to others as well, hence the blog post (Yammer unfortunately is not indexed by search engines, being an invite-only social platform). And should you need to lock things down even tighter, you can use the MFA feature: enabling MFA for a user will block him from logging in to WAAD via PowerShell. Well, until ADAL reaches GA that is 🙂
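As an added example (not from the original post), here is a small audit function that checks the tenant setting discussed above, optionally remediates it, and reports which enabled users still have no MFA requirement and can therefore still sign in to WAAD via PowerShell. It assumes the MSOnline module is installed and that Connect-MsolService has already been run with an admin account; the function name Test-WaadBrowsingExposure is my own.

```powershell
# Added example, not part of the original post. Assumes Connect-MsolService
# has already been run as an admin. Function name is hypothetical.
function Test-WaadBrowsingExposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, flips UsersPermissionToReadOtherUsersEnabled to $false
        [switch]$Remediate
    )

    # 1. Tenant-wide setting: does it still allow non-admins to run Get-MsolUser?
    $company = Get-MsolCompanyInformation
    if ($company.UsersPermissionToReadOtherUsersEnabled) {
        Write-Warning 'Non-admin users can currently run Get-MsolUser.'
        if ($Remediate -and $PSCmdlet.ShouldProcess('tenant', 'Set UsersPermissionToReadOtherUsersEnabled to $false')) {
            Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
            Write-Verbose 'UsersPermissionToReadOtherUsersEnabled set to $false.'
        }
    }
    else {
        Write-Verbose 'Get-MsolUser is already blocked for non-admin users.'
    }

    # 2. Per-user view: the post notes that the setting leaves other Get- cmdlets
    #    open, and that only MFA blocks the PowerShell sign-in itself, so list
    #    every enabled (not credential-blocked) user together with their MFA state.
    Get-MsolUser -All | Where-Object { -not $_.BlockCredential } | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
        $mfaState = if ($req) { $req.State } else { 'Disabled' }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            IsLicensed        = $_.IsLicensed
            MfaState          = $mfaState   # 'Enabled', 'Enforced' or 'Disabled'
        }
    }
}

# Typical use: report only, then remediate with confirmation.
Test-WaadBrowsingExposure -Verbose | Where-Object MfaState -eq 'Disabled' | Format-Table
Test-WaadBrowsingExposure -Remediate -Confirm
```

Users reported with MfaState 'Disabled' are the ones still able to connect via the WAAD module and enumerate groups, contacts and company information regardless of the setting.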
