Security - Default Azure user created for Office 365 mailboxes.

John Jr 21 Reputation points
2020-06-10T19:48:47.157+00:00

I noticed that all our users created in Office 365 get an Azure account too. This normally would not be a problem, but it looks like even a low privileged user can login to Azure, view all users, memberships, devices, and domains.

I found conditional policies can be setup, but it looks like as long as a user can sign-in, they can login to Azure and view all this data.

Our tenant only has a few users that login to Azure as a domain, but the rest use Office 365 to login.

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,261 questions
Microsoft Entra
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,486 Reputation points
    2020-06-11T06:23:26.277+00:00

    Hello @JohnJr-9222

    You can use below option to restrict any Non-administrator user from accessing Azure Active Directory:

    Azure Portal > Azure Active Directory > Users > User Settings > Restrict access to Azure AD administration portal and set it to Yes

    9695-capture.jpg


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Vasil Michev 99,936 Reputation points MVP
    2020-06-10T20:09:25.673+00:00

    You can restrict access on several levels, including restricting access to the portal, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#to-restrict-the-default-permissions-for-member-users