Is it possible to set up independent Entra ID environments in the same tenant?

elice-cloud-practice-dev 0 Reputation points
2024-01-25T06:03:22.3766667+00:00

I'm looking to create Azure AD hands-on content. We plan to issue accounts to trainees and practice creating users and groups. Is there a way to ensure that only the account information is exposed when a trainee logs in within the same tenant? (Independent environment for each user) For example, when students A and B log in, User A cannot see User B's information, and User A must be able to create a user named User B. Is there a way to satisfy the above conditions?


1 answer

  1. Marilee Turscak-MSFT 37,141 Reputation points Microsoft Employee
    2024-01-26T01:30:33.9566667+00:00

    Hi elice-cloud-practice-dev,

    I understand that you are looking to set up independent environments within your Entra ID tenant so that users cannot see each other's information. There isn't an out-of-the-box way to set up completely segmented environments in one Microsoft Entra ID tenant. However, you could restrict access to users for viewing certain data through these options:

    1) You can use the setting, Restrict access to Microsoft Entra administration portal, to prevent standard users from viewing any Microsoft Entra ID data in the administrative portal. That said, this setting does not restrict access to the data by using PowerShell, Microsoft Graph API, or other clients such as Visual Studio. It also doesn't restrict access as long as a user is assigned a custom role (or any role).

    2) You can set -UsersPermissionToReadOtherUsersEnabled to $false. This setting indicates whether to allow users to view the profile info of other users in their company. This setting is applied company-wide. Setting it to $False disables users' ability to use the Azure AD module for Windows PowerShell to access user information for their organization. However, the MSOL module is being deprecated soon. https://learn.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0

    3) Ultimately the best way to isolate the users to different scopes would be to create multiple directories to keep them separated. If the users need to access the same applications, you can configure multi-tenant applications so that they would have access without being able to browse other user information.

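The following is an added example, not code from the answer above or from Microsoft. It shows the tenant-wide "read other users" switch from option 2 applied two ways: the legacy MSOnline cmdlet the answer cites (commented out, since that module is being retired) and the Microsoft Graph equivalent, which toggles `defaultUserRolePermissions.allowedToReadOtherUsers` on the tenant's `authorizationPolicy`. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in administrator can consent to the `Policy.ReadWrite.Authorization` scope; the two helper function names are my own.

```powershell
# Added example (not the answer's own code). Assumes the Microsoft.Graph PowerShell
# SDK is installed and the caller holds a role that can grant Policy.ReadWrite.Authorization.

# --- Legacy MSOnline route, as referenced in the answer (module is being deprecated) ---
# Connect-MsolService
# Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
# (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled   # verify

# --- Microsoft Graph route (non-deprecated equivalent) ---
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

# The authorization policy is a tenant singleton; this is its v1.0 endpoint.
$policyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

function Get-DefaultUserReadOtherUsers {
    # Returns $true when ordinary member users may enumerate other users' profiles.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
    return [bool]$policy.defaultUserRolePermissions.allowedToReadOtherUsers
}

function Set-DefaultUserReadOtherUsers {
    param([Parameter(Mandatory)][bool]$Allowed)
    # PATCH only the nested property being changed; sibling permissions in the
    # defaultUserRolePermissions block (e.g. allowedToCreateApps) are left as they are.
    $body = @{ defaultUserRolePermissions = @{ allowedToReadOtherUsers = $Allowed } }
    Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body | Out-Null
}

"Before: allowedToReadOtherUsers = $(Get-DefaultUserReadOtherUsers)"
Set-DefaultUserReadOtherUsers -Allowed $false
"After:  allowedToReadOtherUsers = $(Get-DefaultUserReadOtherUsers)"
```

Read the "After" line back rather than trusting the PATCH status alone; the setting is tenant-wide, so it also hides the trainees' own classmates from any production users in the same directory. It does not bind users who hold a directory role, and creating users (the other requirement in the question) needs such a role, so a trainee who can create User B will still be able to read User A. That is why option 3 (a separate directory per scope) is the only configuration that meets both conditions.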
