0 votes

By default, all Azure AD users can go to the Azure portal and view the memberships of the administrator roles, including the Global Administrator role. This gives a hacker an opportunity to view the high-privilege accounts if they get access to a casual user account, and then to try to hack a high-privilege account.

Is there a way to limit viewing and reading the memberships of the Azure administrator roles to only administrators, without breaking any functionality?

I have implemented PIM, but I still think it is unnecessary that all Azure AD users are able to view the administrator role group memberships.

Thanks, Majid


Comment (2 votes), juunas: I don't think there is. Members (not guests) can always view user and group lists.

2 Answers

2 votes

Thank you for taking the time to post. Today, there isn't a way to do what you describe above (though we hear your feedback, and hear it from other customers as well).

Under Users -> User Settings there is a switch "Restrict access to Azure AD administration portal" which will allow you to disable the ability for non-admins to view information in the Azure AD portal. However, this disables access to all information in the portal, not just role membership. Also, it does not restrict users' ability to view the information using PowerShell.

Regards, Vince

0 votes

I found the answer to this question: it can be done with Azure Conditional Access.