0 votes

We invite Azure B2B guest users to our AD in order for them to access a web application. Part of this process also adds them as members of a specific security group.

What I have noticed is that a B2B user can log in - (https://account.activedirectory.windowsazure.com) - and is able to see the other members of the group that they are members of.

Given that this information contains customer email addresses then it presents issues relating to GDPR.

The AD Administration Portal user settings are set to "restrict access to Azure AD admin portal".

Any ideas how we could restrict B2B users from being able to enumerate group membership in this manner?

1 Answer

0 votes

Let me list some facts:

  1. The below part is a manual step that is not related to adding a B2B guest user:

    Part of this process also adds them as members of a specific security group.

  2. When you create a security group, all members can see the available information about the other members.
  3. As guest users on Azure are identified using their email, the email addresses of all members of a security group will be visible to the other group members.

The workaround for this is to create a separate security group for each domain (i.e. each company, or each group of users who share the same @xxxx.com in their email). Then gather all those groups in a single parent security group and assign access to that parent group.

This way, all guest users will have the same resource access, but each group will only be able to see information about the members of their own subgroup.
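The per-domain grouping described in this answer, as an added example (not code from the original post): it uses the Microsoft Graph PowerShell SDK to sort each guest into a security group named after their email domain and to nest those groups under one parent group. The group names, the "WebApp-Guests" prefix and the assumption that the parent group is what the web application's access is assigned to are all placeholders/assumptions for illustration.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account allowed to manage groups.
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"

$prefix     = "WebApp-Guests"             # assumed naming scheme
$parentName = "$prefix-Parent"            # assumed: app access is assigned to this group

# Return the security group with this display name, creating it if it does not exist.
function Get-OrCreateSecurityGroup {
    param([string]$DisplayName)
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if ($existing) { return $existing }
    # mailNickname is mandatory and must not contain spaces or punctuation.
    $nick = $DisplayName -replace '[^A-Za-z0-9]', ''
    return New-MgGroup -DisplayName $DisplayName -MailNickname $nick `
        -MailEnabled:$false -SecurityEnabled -Description "Per-domain B2B guest group"
}

# Add an object to a group only if it is not already a direct member (keeps the script idempotent).
function Add-MemberIfMissing {
    param([string]$GroupId, [string]$ObjectId)
    $members = Get-MgGroupMember -GroupId $GroupId -All
    if (-not ($members.Id -contains $ObjectId)) {
        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $ObjectId
    }
}

$parent = Get-OrCreateSecurityGroup -DisplayName $parentName
$domainGroups = @{}   # cache: domain -> group object

# Guests are identified by their email address; the domain part decides the subgroup.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -Property Id,Mail,UserPrincipalName -All
foreach ($guest in $guests) {
    if (-not $guest.Mail) {
        Write-Warning "Skipping $($guest.UserPrincipalName): no mail attribute"
        continue
    }
    $domain = ($guest.Mail -split '@')[1].ToLowerInvariant()
    if (-not $domainGroups.ContainsKey($domain)) {
        $child = Get-OrCreateSecurityGroup -DisplayName "$prefix-$domain"
        Add-MemberIfMissing -GroupId $parent.Id -ObjectId $child.Id   # nest under parent
        $domainGroups[$domain] = $child
    }
    # The guest only ever becomes a direct member of their own domain's group.
    Add-MemberIfMissing -GroupId $domainGroups[$domain].Id -ObjectId $guest.Id
}
```

Re-running the script is safe: existing groups are reused and existing memberships are not duplicated.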