Hey folks! I'm currently testing the security of our M365 tenant and I've run into a situation where standard users can execute commands like "Get-MgUser -All -Property DisplayName,UserPrincipalName,JobTitle,EmployeeId" to export user data into a CSV. While I understand that this access doesn't seem like an immediate threat, I worry that if an account gets compromised, an attacker could quickly export our entire user directory. It feels like there's way too much exposure for gathering information. I notice that disabling this access messes up the Teams search and SharePoint people picker for everyone, and I can't find a way to limit it effectively. Has anyone found any smart solutions or workarounds to mitigate this issue? Especially for temporary staff accounts?
5 Answers
You're right about standard users being able to look up all users in the directory; that's how it's designed to function. It’s more about the services needing that access rather than a flaw in the system. Instead of trying to block access, focus on reducing the risk of accounts getting compromised in the first place.
You can't totally avoid Get-MgUser commands, but you can tweak some permissions. In the Microsoft Entra admin center, change the setting so only admins can give Graph permissions. This helps a bit to restrict unwanted access.
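The setting this answer refers to is the tenant's user consent policy, which lives on the Entra authorization policy. The following is an added example, not code from the thread, showing how to read the current default-user permissions and turn off user consent with the Microsoft.Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that you sign in with a role allowed to update the authorization policy.

```powershell
# Added example: inspect and tighten default user-role permissions.
# Assumes: Microsoft.Graph module installed; account holds a role that
# can update the authorization policy (e.g. Global Administrator).
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.Authorization"

# 1. Check what non-admin users are allowed to do by default.
$policy = Get-MgPolicyAuthorizationPolicy
$policy.DefaultUserRolePermissions |
    Select-Object AllowedToReadOtherUsers,
                  AllowedToCreateApps,
                  AllowedToCreateSecurityGroups,
                  PermissionGrantPoliciesAssigned

# 2. Turn off user consent so only admins can grant Graph permissions to apps.
#    An empty PermissionGrantPoliciesAssigned list means "no user consent".
#    Leave AllowedToReadOtherUsers as it is: flipping it to $false is the
#    switch that breaks Teams search and the SharePoint people picker.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# 3. Re-read to confirm the change took effect (expect an empty list).
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
```

One check worth doing alongside this: if an admin has already granted tenant-wide consent for a delegated scope such as User.Read.All to the Microsoft Graph Command Line Tools enterprise application, disabling user consent changes nothing for that client, because no further consent is needed. Review that application's permissions in the Entra admin center before assuming the setting has closed the gap.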
Even if you try to block access via PowerShell, realize that users can still grab this info in other ways, like through Outlook's cached global address list. The best bet is to focus on solid security practices like least privilege access and MFA instead of just hiding user data.
To limit access without breaking everything, you might consider disabling non-admin access to the Azure Portal and managing group access more strictly. There's also Conditional Access for Microsoft Graph PowerShell which could help.
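For the temporary-staff case in the question, a Conditional Access policy that blocks the Microsoft Graph PowerShell client for one group is a targeted version of what this answer suggests. The block below is an added example, not code from the thread. It assumes the Microsoft.Graph module is installed, that you have created a group for temporary staff and substituted its object ID for the placeholder, and that 14d82eec-204b-4c2f-b7e8-296a70dab67e is the first-party application ID of "Microsoft Graph Command Line Tools" in your tenant (it is the well-known ID, but verify it under Enterprise applications before relying on it).

```powershell
# Added example: Conditional Access policy blocking Microsoft Graph PowerShell
# for a temp-staff group. Starts in report-only mode so you can review sign-in
# logs before enforcing it.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

$TempStaffGroupId   = "00000000-0000-0000-0000-000000000000"   # placeholder: your temp-staff group object ID
$GraphPowerShellApp = "14d82eec-204b-4c2f-b7e8-296a70dab67e"   # Microsoft Graph Command Line Tools (verify in tenant)
$GlobalAdminRoleId  = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID

$policy = @{
    DisplayName   = "Block Graph PowerShell for temporary staff"
    State         = "enabledForReportingButNotEnforced"   # switch to "enabled" once reviewed
    Conditions    = @{
        Users = @{
            IncludeGroups = @($TempStaffGroupId)
            # Never let the policy hit admin accounts, or you may lock yourself out.
            ExcludeRoles  = @($GlobalAdminRoleId)
        }
        Applications = @{
            IncludeApplications = @($GraphPowerShellApp)
        }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two caveats a practitioner should keep in mind. The policy only blocks sign-ins to that one client application; a compromised account can still call the same Graph endpoints through any other client that is consented in the tenant, and, as another answer notes, the same names and addresses are cached in Outlook's global address list. It therefore reduces convenience for an attacker rather than removing the exposure, which is why it belongs next to MFA and monitoring rather than in place of them.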
Unfortunately, you can’t completely restrict access to user data as it’s necessary for many services. Instead, consider using security tools that monitor unusual activity. If a user is suddenly querying a lot of data, it can trigger alerts for quick action.
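To make the monitoring idea concrete, here is an added example (not from the thread) of the detection logic: flag an account that pages through the whole directory in a short window. A bulk export such as Get-MgUser -All shows up as a burst of /users listing requests, while normal people-picker traffic is single-object lookups like /users/{id}. The log rows are constructed sample data shaped like the MicrosoftGraphActivityLogs table that Entra diagnostic settings can send to a Log Analytics workspace (assumed column names: UserPrincipalName, TimeGenerated, RequestUri, ResponseStatusCode); in production you would feed the function rows exported from your workspace instead.

```powershell
# Added example: detect accounts that bulk-read the directory.
function Find-BulkDirectoryReaders {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int]      $Threshold = 20,                         # listing pages per window that trigger an alert
        [TimeSpan] $Window    = [TimeSpan]::FromMinutes(10)
    )
    # Count only listing calls (/users, /users?$top=..., /users?$skiptoken=...).
    # A lookup of one object (/users/{id}) is normal people-picker traffic.
    $listings = $Records | Where-Object {
        $_.ResponseStatusCode -eq 200 -and $_.RequestUri -match '/v1\.0/users(\?|$)'
    }
    $hits = foreach ($group in ($listings | Group-Object UserPrincipalName)) {
        $times = @($group.Group | Sort-Object TimeGenerated | ForEach-Object { [datetime]$_.TimeGenerated })
        # Sliding window: from each request, count requests within $Window.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i] + $Window
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($count -ge $Threshold) {
                [pscustomobject]@{ User = $group.Name; WindowStart = $times[$i]; Pages = $count }
                break
            }
        }
    }
    return $hits
}

# Constructed sample: alice does a few normal lookups over an hour;
# bob pulls 100 directory pages in about four minutes.
$base   = [datetime]'2024-01-15T09:00:00Z'
$sample = @()
foreach ($m in 0..4) {
    $sample += [pscustomobject]@{
        UserPrincipalName  = 'alice@contoso.com'
        TimeGenerated      = $base.AddMinutes($m * 12)
        RequestUri         = 'https://graph.microsoft.com/v1.0/users/aaaaaaaa-1111-2222-3333-444444444444'
        ResponseStatusCode = 200
    }
}
foreach ($n in 0..99) {
    $sample += [pscustomobject]@{
        UserPrincipalName  = 'bob@contoso.com'
        TimeGenerated      = $base.AddSeconds($n * 2.4)
        RequestUri         = 'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,jobTitle,employeeId&$skiptoken=page' + $n
        ResponseStatusCode = 200
    }
}

Find-BulkDirectoryReaders -Records $sample | Format-Table -AutoSize
```

Tune the threshold to your tenant: Graph returns at most a few hundred users per page, so the number of pages a full export needs is roughly your user count divided by the page size, and the threshold should sit well below that but above what any legitimate script or admin task generates. Pairing this with the Conditional Access and consent controls from the other answers gives you both a smaller attack surface and a signal when someone gets past it.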