Block access for Guest Users to Read Groups on https://account.activedirectory.windowsazure.com

  • Question

  • Hi everyone,

    due to company policy external users shouldn't be able to read AAD Groups. I am not able to find the possibility to block access to the following page: https://account.activedirectory.windowsazure.com/r#/groups for Guest Users or normal users.

    How can I block this? I followed the steps below:

    • Go to: https://account.activedirectory.windowsazure.com
    • Click on 'Groups'
    • And you are on the page

    Thank you in advance for any tips

    Friday, April 12, 2019 9:50 AM

Answers

  • So I have the solution.

    1. Go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

    2. Go to Groups

    3. Go to General

    4. Set "Restrict access to groups in the Access Panel" to "Yes"

    Thursday, April 18, 2019 5:41 PM

All replies

  • You cannot block one group's members from accessing another group's details in Azure AD. However, you would be able to achieve this with the setting to Block Azure access to the Azure AD Portal.

    How to block users from logging in to the Azure Active Directory Administration Portal?
    1. Log in to Azure portal with your Global Administrator account
    2. Click Azure Active Directory
    3. And select Users Settings
    4. And select Yes on Restrict access to Azure AD administration portal

    When you restrict this setting, if the users go to "https://account.activedirectory.windowsazure.com" - they'll be able to see the Groups they are a part of or any Group they have created.

    Monday, April 15, 2019 9:50 AM
  • Hi,

    Well, I have validated it, but it didn't solve my issue. When I restrict users from going to the Azure AD administration panel, it doesn't restrict them from seeing Groups from https://account.activedirectory.windowsazure.com.

    How is it possible that a company cannot restrict this kind of thing for guest users?

    We should be able to block specific things in Azure AD for users.

    Regards,

    Tuesday, April 16, 2019 12:20 PM

  • When you restrict this setting, if the users go to "https://account.activedirectory.windowsazure.com" - they'll be able to see the Groups they are a part of or any Group they have created.

    They would be able to see the "Groups" - but only the Groups that they are a part of and the Groups they themselves have created. Not the Groups that they are NOT a part of.

    Other than this, there is no other setting to completely block them from seeing any of the Groups in Azure AD.

    Wednesday, April 17, 2019 4:07 AM
  • Sorry, but that is not true. I have seen at a client that I am working for that it is possible. The only thing is that the people who did it are gone from that company, and nobody knows who did it for them.

    The Dutch text says: This function is not activated or not available.


    • Edited by André Krijnen Wednesday, April 17, 2019 8:01 AM Added image
    Wednesday, April 17, 2019 7:50 AM