Can visibility of Entra AD Users and Groups be restricted from Admins

Question

Can visibility of Entra AD Users and Groups be restricted from Admins

ComputerHabit 1,051

I am attempting to restrict access to admins of Administrative Units to only see in Users and Devices what they have access to.

I have restricted default user access to Azure Portal.
User's image

The account I'm testing with does not have a Global role assigned.

The account does have a custom permission assigned, it is scoped to an Administrative Unit.
The only permission in the role is Read\Delete Device.
User's image

I login with the account assigned to this role. I can still see all Groups and all Users. I can pretty much see everything with the account.

Is there a way to restrict visibility of all the objects not in the AU scope?

I've searched a lot but no luck.

Thanks

JamesTran-MSFT 37,231 Reputation points Microsoft Employee Moderator

2024-01-05T20:17:06.02+00:00

@ComputerHabit

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer accepted by question author

0 additional answers

Your answer

JamesTran-MSFT 37,231 Reputation points Microsoft Employee Moderator

2024-01-05T20:17:06.02+00:00

@ComputerHabit

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Vasil Michev 124.9K MVP Volunteer Moderator

Technically speaking, you cannot restrict "view" access, even regular accounts get to see all objects within the organization by default. Now, depending on the implementation across the various admin endpoints, you can expect different results. For example, if you login to the Microsoft 365 admin center as user with only an AU-scoped admin role assignment, you will be presented with a trimmed UI, and will only be able to see the users/groups under the AU scope. Logging in to the Azure AD/Entra ID portal with the same user will still display all objects (regardless of the setting you toggled), as technically this is a user with an admin role. He will still only be able to make changes against objects within the scope of the AU, but visibility cannot be restricted.

ComputerHabit 1,051 Reputation points

2024-01-04T18:03:28.5566667+00:00

Boo... :)

I kind of thought so.
Hiram Claytor 1 Reputation point

2024-05-16T19:21:32.2033333+00:00

I am having an issue with scoped AU admins being able to view the full directory in the Microsoft Admin Center. I only want them to see their scoped user list. Any idea how to fix this?
papuga 0 Reputation points

2025-01-03T16:08:20.7066667+00:00

Unless things have changed, we cannot restrict adding computers object to computer groups within an AU even if we scope the permissions to only the AU. Yes, we can scope limit the group edit permissions to an AU, but EntraID still allows the users to add computers from the entire directory. This is the main issue with our team fully migrating to Intune. Our work around is to create and manage groups through SCCM and syncing them to Azure. SCCM seems to have the ability to limit collections within a subset of computers. So even on Intune only managed machines we need the SCCM client to allow us to manage computer groups.

Share via

Can visibility of Entra AD Users and Groups be restricted from Admins

0 additional answers

Your answer