Security - Default Azure user created for Office 365 mailboxes.

asked 2020-06-10T19:48:47.157+00:00
John Jr 21 Reputation points

I noticed that all our users created in Office 365 get an Azure account too. This normally would not be a problem, but it looks like even a low-privileged user can log in to Azure and view all users, memberships, devices, and domains.

I found that conditional policies can be set up, but it looks like as long as a user can sign in, they can log in to Azure and view all this data.

Our tenant only has a few users that log in to Azure as a domain, but the rest use Office 365 to log in.

Azure Active Directory Privileged Identity Management
Microsoft Defender for Cloud

Accepted answer
  1. answered 2020-06-11T06:23:26.277+00:00
    AmanpreetSingh-MSFT 55,186 Reputation points

    Hello @JohnJr-9222

    You can use the option below to restrict any non-administrator user from accessing Azure Active Directory:

    Azure Portal > Azure Active Directory > Users > User Settings > Restrict access to Azure AD administration portal and set it to Yes

    [Screenshot: 9695-capture.jpg, showing the "Restrict access to Azure AD administration portal" setting under User settings]


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


1 additional answer

  1. answered 2020-06-10T20:09:25.673+00:00
    Vasil Michev 61,316 Reputation points Microsoft MVP

    You can restrict access on several levels, including restricting access to the portal, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#to-restrict-the-default-permissions-for-member-users
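The linked page covers the tenant-wide defaults that every member user gets (reading other users, creating apps and security groups). As an added example, not part of either answer or of Microsoft's documentation, the PowerShell below audits those defaults through the Microsoft Graph `policies/authorizationPolicy` endpoint and, in a separate function, tightens them. It assumes the Microsoft.Graph PowerShell SDK (2.x, for the `-NoWelcome` switch) is installed and that the signed-in account holds a role permitted to read and write the authorization policy; the function names are my own.

```powershell
# Added example, not from the Q&A thread: audit and optionally tighten the
# default permissions granted to every member user in the tenant.
# Assumes Microsoft.Graph PowerShell SDK 2.x and an account that may read/write
# the authorization policy (for example Global Administrator).
#Requires -Modules Microsoft.Graph.Authentication

$policyUri = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

function Get-DefaultMemberPermissions {
    # The authorization policy is a singleton; defaultUserRolePermissions is the
    # part that governs what a plain member user may do in the directory.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
    return $policy.defaultUserRolePermissions
}

function Show-DefaultMemberPermissions {
    # Flatten the settings into one object so they are easy to read or export.
    $perms = Get-DefaultMemberPermissions
    [PSCustomObject]@{
        AllowedToReadOtherUsers                  = $perms.allowedToReadOtherUsers
        AllowedToCreateApps                      = $perms.allowedToCreateApps
        AllowedToCreateSecurityGroups            = $perms.allowedToCreateSecurityGroups
        AllowedToReadBitlockerKeysForOwnedDevice = $perms.allowedToReadBitlockerKeysForOwnedDevice
    }
}

function Set-DefaultMemberPermissions {
    # Hypothetical helper: PATCH only the three settings the linked doc discusses.
    # Supports -WhatIf so the change can be rehearsed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [bool]$AllowedToReadOtherUsers       = $false,
        [bool]$AllowedToCreateApps           = $false,
        [bool]$AllowedToCreateSecurityGroups = $false
    )
    $body = @{
        defaultUserRolePermissions = @{
            allowedToReadOtherUsers       = $AllowedToReadOtherUsers
            allowedToCreateApps           = $AllowedToCreateApps
            allowedToCreateSecurityGroups = $AllowedToCreateSecurityGroups
        }
    }
    if ($PSCmdlet.ShouldProcess("authorizationPolicy", "PATCH defaultUserRolePermissions")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body -ContentType "application/json" | Out-Null
    }
}

# Read-only audit first: this needs only Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
Show-DefaultMemberPermissions | Format-List

# To change the defaults, reconnect with the write scope and rehearse with -WhatIf:
# Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome
# Set-DefaultMemberPermissions -AllowedToReadOtherUsers $false -WhatIf
# Set-DefaultMemberPermissions -AllowedToReadOtherUsers $false
```

Run the audit part on its own first; it answers the question's actual concern (can a member read every user, and create apps or groups) without changing anything. The portal restriction in the accepted answer is a separate setting and is not what this endpoint controls, so the two measures complement each other. Turning off `allowedToReadOtherUsers` affects any application or workflow that relies on members reading directory data, so review that dependency and test in a non-production tenant before applying it.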