
Restrict User Access to Azure AD to Prevent Data Exposure

On Day 1 of Cybersecurity Awareness Month, learn to conceal your organization from cyber threats. Stay tuned for upcoming blogs in the Cybersecurity blog series.

In this digital era, everything is digitized and widely used by everyone. Likewise, hackers keep evolving, and their techniques multiply over time. Although Microsoft keeps releasing advanced security solutions, hackers try to bypass them through a tiny loophole that we might have missed in our security checklist. Most hackers target small and medium businesses, as they might not have upgraded to advanced security solutions the way large enterprises have. They target the least privileged users, such as interns or vendors, to get as much information as they need from your Microsoft 365 environment. They steal organizational user details, privileges, the devices in use, device details such as OS and device type, and other personal information. Then they hack the user account and steal the organization’s data.

Insider threats are not viewed as seriously as external threats, like a cyber-attack

– Larry Ponemon

So, we need to keep a sharp eye on users’ access rights in the organization and check whether they have access to sensitive resources in any way. One of the loopholes is the Microsoft Azure portal. As the Azure portal contains all the information about users, groups, devices, admin roles, configuration details, and more, hackers can easily gather the info they need.

Is Azure AD Portal Open to All?

Yes! We may think only users with adequate privileges can access the portal and modify any settings. Do you know that a non-admin can access the Azure portal? Though they can’t change any settings, they can view user info, group info, device details, user privileges, etc., by navigating to the portal. Thus, hackers can gain all these details through any unprivileged user in the organization without much effort. Isn’t it hazardous?

How To Restrict User Access to Azure AD Portal?

You can restrict users without administrative privileges from accessing the Azure AD portal using the steps given below. 

  • Sign in to your Azure AD Admin Center.
  • Select Users –> User Settings.
  • Move the toggle to ‘Yes’ under the Administration Portal.
  • Select ‘Save’ at the top.

Restrict user access to Azure AD admin portal

Now, non-administrators can’t access the Azure AD portal by navigating to it.

End user Azure portal after blocking the access

Wait! Do you think it’s all done? Has the user been restricted completely? As admins, we should always think outside the box while securing data against cyberattacks. Just think, is there any other way in which users can get in?

Yes, there is! Another prominent thing we should consider is Microsoft Entra. Microsoft introduced it recently, and users can also access the Azure portal through it.

Does Microsoft Entra Hold Azure Active Directory?

Microsoft developed Entra to manage all Microsoft identity and access efficiently across hybrid and multi-cloud environments. It extends its reach to Azure Active Directory, GCP, and AWS. Thus, users can reach Azure Active Directory through Entra and access the necessary info.

Why should we consider Entra after blocking Azure Portal access in Azure AD? 

Previously, Microsoft Entra did not honor the Azure portal setting. Even if we restricted access in the Azure AD admin center, users could still access the portal through the Entra admin center. After contacting Microsoft Support, we found that the only thing we could do was to restrict Entra portal access in the local firewall. Don’t worry! Microsoft has since addressed the issue, and the Entra admin center now respects the Azure AD setting. Now, users can’t access the Azure portal through the Entra admin center either.

Are we done securing Azure AD data?

No, it doesn’t stop here. A hacker doesn’t use the GUI!

The above works well for end users who don’t use tech tools. However, if a hacker gains access to one such account, they can use readily available PowerShell modules such as MSOnline, AzureAD, etc. to get what they want! 😮 Don’t worry, we won’t leave you here with this.

How to Restrict access to MSOnline PowerShell? 

Though MSOnline is a pretty old PowerShell module, largely superseded by the AzureAD and Microsoft.Graph modules, it still returns data. That is enough for someone who needs something, right? A hacker would say yes.

So let’s jump in and see how we can restrict users from viewing others’ data from MSOnline. Just three lines of PowerShelling, and you’ll be done.  

Install-Module MSOnline                      # one-time install of the module
Connect-MsolService                          # sign in as an administrator
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

Now that we have successfully defended our company against attacks through the MSOnline module, let’s enter the AzureAD battle zone.

How to restrict users from using AzureAD PowerShell module?

Let’s play with apps now. It’s great that Microsoft has designed the AzureAD PowerShell module as an application: we simply have to set who can access this application. Tada, others are restricted from accessing it. 👏

Microsoft has backed me up by preparing a PowerShell script to do this!
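
One way to apply the application-based restriction described above, written as an added example (it is not the Microsoft script the post refers to, nor the author's code). The two account names are placeholders, and the application ID is the well-known first-party ID of Azure Active Directory PowerShell, which you should confirm in your own tenant.

```powershell
# Added example: require user assignment for the "Azure Active Directory PowerShell"
# app so that only explicitly assigned accounts can sign in with the AzureAD module.
# Run as a Global Administrator with the AzureAD module installed.
Connect-AzureAD

# Well-known first-party application ID of Azure Active Directory PowerShell;
# confirm it under Enterprise applications in your own tenant before relying on it.
$appId = '1b730954-1685-4b74-9bfd-dac224a7b894'

# Placeholder accounts (assumption): replace with the admins who still need the module.
$allowedUpns = @('admin1@contoso.example', 'admin2@contoso.example')

# The service principal exists only after the app was first used in the tenant.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Assign the allowed accounts first so the admin running this is not locked out.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
foreach ($upn in $allowedUpns) {
    $user = Get-AzureADUser -ObjectId $upn
    if ($existing.PrincipalId -notcontains $user.ObjectId) {
        # An all-zero role ID is the default access role for apps that define no roles.
        New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId `
            -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) `
            -PrincipalId $user.ObjectId | Out-Null
    }
}

# Turn on "User assignment required": unassigned users are now refused a token.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

# Verify the result: the flag should be True and only the allowed accounts listed.
Get-AzureADServicePrincipal -ObjectId $sp.ObjectId |
    Select-Object DisplayName, AppId, AppRoleAssignmentRequired
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Select-Object PrincipalDisplayName, PrincipalType
```

After this runs, test with a non-admin account: Connect-AzureAD should fail for any user who is not assigned to the application.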

Finally, are we done securing Azure AD data at least now?

Not yet; there is still more. We’ll come up with a few more blog posts to address as much as possible. Stay tuned!

Watch out for our cybersecurity awareness month blog series to stop hackers from leveraging other loopholes in Azure AD to expose sensitive info!

I hope we’ve made you aware of possible unwanted exposure of Azure AD data, and also of the steps to secure all those weak links. Share your thoughts or ideas on our social media pages. Mission on!
