Urgent: Restrict Non-Admin Users from Viewing All Users in Azure

Question

Urgent: Restrict Non-Admin Users from Viewing All Users in Azure

26652748 0

Dear Team,

I need to modify the Azure profile for users who are not admins. Currently, students with an A3 license can view all users in the Office 365 admin panel without editing on it , which should not be the case.

Please assist in restricting their access as soon as possible. This is an urgent request.

Regards,

Jose Benjamin Solis Nolasco 1,046 Reputation points

2025-03-18T19:06:52.8266667+00:00

Just in case

In Azure Active Directory (and consequently in Office 365), every authenticated user is granted the Directory Readers permission by default. This means that—by design—all users in your tenant can view basic directory information (such as names, email addresses, and other identifier details) for other users. Microsoft built this functionality into Azure AD to support collaboration and help users easily find contact information.

Does they have permition to edit? or just view?
26652748 0 Reputation points

2025-03-18T20:00:06.31+00:00

No just view , i dont want them to view all users its making a lot of problems
Navya 17,490 Reputation points Microsoft External Staff

2025-03-20T08:08:54.04+00:00

Hi @26652748

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back. If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Navya 17,490 Reputation points Microsoft External Staff

2025-03-21T07:21:53.79+00:00

Hi @26652748

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Your answer

Jose Benjamin Solis Nolasco 1,046 Reputation points

2025-03-18T19:06:52.8266667+00:00

Just in case

In Azure Active Directory (and consequently in Office 365), every authenticated user is granted the Directory Readers permission by default. This means that—by design—all users in your tenant can view basic directory information (such as names, email addresses, and other identifier details) for other users. Microsoft built this functionality into Azure AD to support collaboration and help users easily find contact information.

Does they have permition to edit? or just view?
26652748 0 Reputation points

2025-03-18T20:00:06.31+00:00

No just view , i dont want them to view all users its making a lot of problems
Navya 17,490 Reputation points Microsoft External Staff

2025-03-20T08:08:54.04+00:00

Hi @26652748

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back. If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Navya 17,490 Reputation points Microsoft External Staff

2025-03-21T07:21:53.79+00:00

Hi @26652748

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

Hi @26652748

By default, Microsoft Entra ID (Azure AD) allows any user to access and read data about other users, which can potentially expose sensitive information.

In Entra ID, you can restrict access to the default user settings that allow reading all user attributes. To do this, you need to set the "Read other users" permission to false. This setting is available only in Microsoft Graph and PowerShell.

Setting this flag to $false prevents all non-admin users from reading user information from the directory. However, this flag does not prevent users from accessing information in other Microsoft services like Exchange Online. Additionally, Microsoft does not recommend setting this flag to $false.

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
$BodyParams = @{
    defaultUserRolePermissions = @{
        allowedToReadOtherUsers = $false
    }
}
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -Method PATCH -Body $BodyParams

Once applied, non-admin users will see restricted access in the Entra Admin Center as shown below.

User's image

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Urgent: Restrict Non-Admin Users from Viewing All Users in Azure

1 answer

Your answer