This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 62%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
This appears to be a tenant wide command and no global admin account seems to be capable of undoing it with Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true. They all get access denied as one once expect given the $false setting, but we do need to undo this.
Hello @BearsBeetsBattlestar
Thank you for posting this concern on this community.
I would like to share the following article down below:
See this image:
I hope that can be useful for you.
Looking forward to hearing from you
Cheers,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks for your response, but this didn't help. The issue is, we cannot undo Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false. If we issue Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true, we get access denied. No GA can undo this command. If you have access to a lab environment, you can confirm this. Issue the command, Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false, you will then find that all msol commands are denied and no admin can reverse this for the tenant.
That article describes the reasoning behind why we did the command, but offers no solution on how to reverse it.
May I please have the following output from PS terminal?
Get-MsolCompanyInformation | Select UsersPermissionToReadOtherUsersEnabled
Get-MsolCompanyInformation
Regards!
Access denied
Access denied
Thanks!
Let me review it and get back to you shortly.
Regards!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Thank you for confirming that you were able to resolve the issue. If the answer provided by @risolis helped you, please remember to Accept It so that others in the community facing similar issues can more easily locate a solution.
Otherwise let us know if you have further questions!
Guys stop being stupid! Its not going to block their access to Azure AD powershell and all those articles telling you it a security concern are retarded. How to you think in Teams, or outlook; that you are able to see who is active, what is the name of people you are chatting with (teams).
If you turn this to false you will be very VERY sorry. Because any and all and I mean ALL collaboration and communication between users WILL FAIL! How long, depends on the auth token, could take a few days, could take up to 90... you've been warned.
Many thanks for holding me on this.
I would like to ask you if it is possible to check as well as adjust the following settings at the portal level and give it another try please.
See it below:
Looking forward to your feedback.
Regards!
thanks for sticking with this. settings match up to screen shot, but I still get access denied on any msol command
Hi
I just made the lab replication.
Now see this:
Before those 2 pictures I got the same error as shown below:
sorry but when i run the get-msolrolemember command i get access denied. i also get access denied for set-msolcompany settings. this is true for each GA account
Hello @BearsBeetsBattlestar
There you have the fix for your problem.
I hope that can be useful for you.
Looking forward to hearing from you
Cheers,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
sorry but when i run the get-msolrolemember command you showed i get access denied. same goes for set-msolcompanysetting. access denied. that's for all GA accounts in our tenant
sorry but when i run the get-msolrolemember command you showed i get access denied. same goes for set-msolcompanysetting. access denied. that's for all GA accounts in our tenant
Are you using the Owner account for the same?
yes i am using owner acct
is there any way to get into a remote session? If it is ok
Just in case you want to check the release version used.
Thanks for all the help you provided, I have fixed the issue.
From powershell I installed aadinternals module and imported it. Then I used Get-AADIntAccessTokenForMSGraph -SaveToCache. Then I used Enable-AADIntTenantMsolAccess
This fixed the issue. You really helped me out by testing in your lab environment.
Great job!
I am happy to know this, and I would like to thank you for letting me assist you as well.
Cheers!
Hello @BearsBeetsBattlestar and thanks for sharing your workaround. As a general rule we suggest to move to Microsoft Graph PowerShell SDK as a replacement for MSOnline since the latter has entered deprecation phase. Also, setting UsersPermissionToReadOtherUsersEnabled to false should only affect standard but not admin users. The error mesage and workaround signals access to the MSOnline module was disabled. Enable-AADIntTenantMsolAccess turned it on again calling the Update authorizationPolicy endpoint.
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgPolicyAuthorizationPolicy
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToReadOtherUsers = $false}
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
Update-MgPolicyAuthorizationPolicy -BlockMsolPowerShell $false
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more