Restricting Member permissions on azure active directory - azure

We have developed a webapp and configured its authentication to use our Azure Active Directory tenant. This works fine. We have clients which are other organizations and when a user from one of those clients authenticates they are presented with content that is specific to their organization. This also works fine.
Under the hood: To accomplish this, in our tenant we have created groups (one for each client) and we have invited users from those clients and assigned them to the appropriate groups (after they are added we have to manually change their user type from 'Guest' to 'Member')
Problem:
If one of our clients signs in to Azure AD they are able to see ALL other groups and all other users. They are also able to add and delete groups and do virtually everything our global administrator account can! This tells me we have done something very very wrong. We are new to Azure AD and there appears to be very much about it that we do not understand.
What I've tried.
Read about administrative units (that doesn't seem to be it)
Roles and administrators: this page has a long list of roles which have check boxes next to them that appear to do nothing.
Home > Tenant > Users > Username > Assigned Roles > Add Assignment: I can select from any of that same list of roles but they are all different kinds of administrators. This would seem to be granting more permissions, not taking them away.
Home > Tenant > Groups > Groupname > Roles and Administrators: This page simply says "no roles found"
Essentially I need our members to not be able to do anything on azure AD except return a list of the groups they are in as well as their own details (name, email, profile picture, etc.)

Assuming you are adding the client users in a specific that group itself already have some admin privileged/Global Administrator/Directory writer Permission.
In that case only user can do operations on group and other users’ data.
Would suggest you check at the Group->Role and administrator & User->Role and Administrator should have only Directory Read permission.
For me in User->Assigned Role->Active Assignment only have Directory Read Role permission so I can only see my details and list of groups that is present in Active Directory but can not do any operation on any group/users like write/delete/update expect read.
Note: To assigned role at the group level you require an Azure AD Premium P1 license.
Update
For assiging role to group please go through in this way---
AAD->Role and Adminsitrator-> Select Role->Add Assigment->Select Member(Group)

Related

Restrict Users from adding to groups manually in Azure

I need to restrict the users from adding to the groups manually in Azure, any help on this issue?
Thanks #Rahul Shukla for your suggestion .
Restrict Users from adding to groups
Give the user with reader or contributor permission to the user .
if you add that user the reader permission they will then be able to read any resource in the subscription, but not modify anything.
For more details refer this document: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current
2)Prevent admin to add the users to group
Create review process in places where if any user gets added in the group admin will get notification for the same and based on admin approval only it will gets added.
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access
For more details refer this document: https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Azure AD Self Service Group Management

I would like Azure AD Group Owners to manage the membership of their own groups through the Azure portal. I would like to grant the minimum permissions required for group management. I have added a user as the owner of a **non-**mail enabled, cloud-only Azure AD security group. The account is a guest account. Under group settings, I have set
'Owners can manage group membership requests in the Access Panel' to 'Yes'
'Restrict access to Groups in the Access Panel' to 'No'
'Owners who can assign members as group owners in Azure portals' to 'All'
When this user logs in, they see the list of group members very briefly (less than a second) and then the error message, 'Access denied. You do not have access.' appears. I have verified this behavior across multiple accounts, computers, and browsers. I have verified that I can access the Group Members page on my laptop on one account but cannot from a more restrictive account that is not a Global Admin.
What am I missing?
I figured it out as soon as I posted. The Azure AD App Portal has a link to your groups. Clicking that link to groups takes you to a page where you can manage group membership.

Adding members to a Group as a Group Owner in Azure Portal for an Azure AD tenant

As a POC, I created a guest user, ex: 'OwnerABC#website.com' and made the user a Group Owner. According to the documentation and my group settings, I should be able to add members/modify changes with the group as the Group Owner, but I'm unable to do so. When I login as 'OwnerABC#website.com' in Azure Portal UI, I change to the correct tenant and I do not see any groups or users.
I also tried going to myapps.microsoft.com and I try adding a user. The search returns empty for any user I want to add to the group that I'm the owner of. It then gives me an unexpected error page.
enter image description here
What other privileges does the Group Owner need or is there somewhere else that a Group Owner, who is not a global administrator, need to go to make changes to the group?
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups
Most probably the "User Settings" for "External Users" in your Azure Active Directory is set to "Yes" for "Guest users permissions are limited" setting. When this setting is set to "Yes" by default Guest users aren't able to do certain tasks like enumerating users, groups and other directory resources.
See screenshots below for checking this setting and description.
Go to Azure Portal > Azure Active Directory > User Settings > Manage External Collaboration Settings (under External Users)
On clicking "Manage external collaboration settings" you should see
So now you have 2 possible ways to achieve what you're looking to do:
Change this setting to "No". Once you've changed the setting, try to login to Azure Portal as the external user OwnerABC#website.com again and you should be able to see other users. (Just give it a couple of minutes after changing the setting for this to reflect. It took a little time in my case at least)
As you can understand the setting above is generic and applies to all guest users in your directory. If you want to do something special only for this guest user, then don't change the setting and let it stay at "Yes", but assign an appropriate "Directory role" to user OwnerABC#website.com. This way only this guest user gets to see other users and not all other users.
Assigning a "Directory role" can be done by navigating to Azure AD > Users > Specific User (OwnerABC#website.com) > Directory role > Add role

Everyone, All Users, and Authenticated Users in Azure Active Directory

I am using an Azure Analysis Services instance and need to grant access to all authenticated users in the domain. The problem is that I don't see any groups within our Azure AD tenant that resemble "everyone" or "authenticated users". It looks like this is something that can be accomplished with dynamic groups, but I wanted to check and see if maybe I'm overlooking a group that is already available in the tenant by default containing all authenticated users.
Thanks,
Eric Theil
From https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership:
Create an "All users" rule
You can create a group containing all users within a tenant using a membership rule. When users are added or removed from the tenant in the future, the group's membership is adjusted automatically.
The “All users” rule is constructed using single expression using the -ne operator and the null value. This rule adds B2B guest users as well as member users to the group.
user.objectid -ne null

One login for multiple Azure subscriptions?

I have two azure subscriptions, one personal, tied to my Microsoft ID, and another under a different Microsoft ID for a charitable organization where I am the one-man IT/web dev guy. I created the org's azure account/subscription myself. I can't figure out how to create websites, etc. under my personal MS ID login without logging in and out of the separate microsoft IDs to manage both sets of Azure resources.
Logging in with the org's MS ID, in the azure portal I've made my personal ID a subscription admin (Subscriptions>Access Control>Add my personal MS ID, then right clicked to make co-administrator. This is confirmed since now a right click shows "Remove co-admin" so that implies it's correctly set up as a subscription co-admin. That user is also in the Owner Role.
Step 2, in the Active Directory for the org subscription, Users and Groups>All Users>New User, added my personal MS ID. Then I select that user, click Directory Role on the left menu, and selected Global Administrator radio button and save.
So now my personal MS ID user is a subscription co-admin and a AD Global admin in the org's azure portal.
To check, if I then go to any resource group or App Service and look at Access control I see my personal MS ID user listed as an Owner for that resource and all other resources. So everything looks good.
So if I log out of the org ID and log in with my personal MS ID and go to the Azure portal, I see my usual personal Azure account resources. But I don't understand how to either see and manage those resources in the org's Azure subscription or how to switch subscriptions, or switch directories (it's not listed on the top right), and when creating a new resource, I have no option for the org's subscription to use. How do I see/manage those resources in the org's directory? Is this even possible? Or do I need to log out and log in with the org's MS ID, which is a major annoyance since it also logs me out of outlook etc. when I switch IDs.
Azure Subscriptions are "housed" within a specific Azure Active Directory Tenant. You should treat an AAD Tenant as the top level object structure, in that each Tenant is entirely separated from each other Tenant.
If you had multiple subscriptions within a single tenant, you would be able to sign in one time, and gain access to all those subscriptions.
However, since these subscriptions look like they are in different Tenants, there is no way to avoid logging in two times to access the two subscriptions. To expand on this, there would be no way to avoid logging in two times to access any unique objects across these two Tenants.
For me, the answer was
Access Azure portal login page
Click "Sign in as a different user"
type the exact same email address
select "School or Work account" option.
This one was tied to the Azure AD and they reset my password through there. Not sure it really helps you cos signing in and out all the time still a thing, but it took me far too long to get this right so thought i'd share.

Resources