Security - Default Azure user created for Office 365 mailboxes.

John Jr 21 Reputation points
2020-06-10T19:48:47.157+00:00

I noticed that all our users created in Office 365 get an Azure account too. This normally would not be a problem, but it looks like even a low-privileged user can log in to Azure and view all users, memberships, devices, and domains.

I found that conditional policies can be set up, but it looks like as long as a user can sign in, they can log in to Azure and view all this data.

Our tenant only has a few users that log in to Azure as a domain, but the rest use Office 365 to log in.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Microsoft Entra | Other

Answer accepted by question author

  1. AmanpreetSingh-MSFT 56,966 Reputation points Moderator
    2020-06-11T06:23:26.277+00:00

    Hello @JohnJr-9222

    You can use the option below to restrict any non-administrator user from accessing Azure Active Directory:

    Azure Portal > Azure Active Directory > Users > User Settings > Restrict access to Azure AD administration portal and set it to Yes


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

    1 person found this answer helpful.

1 additional answer

  1. Vasil Michev 126.3K Reputation points MVP Volunteer Moderator
    2020-06-10T20:09:25.673+00:00

    You can restrict access on several levels, including restricting access to the portal, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#to-restrict-the-default-permissions-for-member-users
