
Restricting Member permissions on Azure Active Directory

We have developed a webapp and configured its authentication to use our Azure Active Directory tenant. This works fine. We have clients which are other organizations and when a user from one of those clients authenticates they are presented with content that is specific to their organization. This also works fine.

Under the hood: To accomplish this, in our tenant we have created groups (one for each client) and we have invited users from those clients and assigned them to the appropriate groups (after they are added we have to manually change their user type from 'Guest' to 'Member').

Problem: If one of our clients signs in to Azure AD they are able to see ALL other groups and all other users. They are also able to add and delete groups and do virtually everything our global administrator account can. This tells me we have done something very very wrong. We are new to Azure AD and there appears to be very much about it that we do not understand.

What I've tried:

Read about administrative units (that doesn't seem to be it)

Roles and administrators : this page has a long list of roles which have check boxes next to them that appear to do nothing.

Home > Tenant > Users > Username > Assigned Roles > Add Assignment : I can select from any of that same list of roles but they are all different kinds of administrators. This would seem to be granting more permissions, not taking them away.

Home > Tenant > Groups > Groupname > Roles and Administrators : This page simply says "no roles found"

Essentially I need our members to not be able to do anything in Azure AD except return a list of the groups they are in as well as their own details (name, email, profile picture, etc.).

Assuming you are adding the client users to a specific group, that group itself already has some admin privilege (Global Administrator / Directory Writers permission). In that case the user can do operations on groups and other users' data.

I would suggest you check that Group -> Roles and administrators and User -> Roles and administrators have only the Directory Readers permission.


For me, User -> Assigned Roles -> Active Assignments has only the Directory Readers role, so I can only see my details and the list of groups present in Active Directory, but cannot do any operation on any group/user such as write/delete/update, only read.

Note: To assign a role at the group level you require an Azure AD Premium P1 license.
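An added example (not part of the question or answer) of auditing this from a Graph export instead of clicking through the portal: it assumes the JSON shape returned by GET /users and GET /roleManagement/directory/roleAssignments (the sample records below are constructed inline) and flags any invited account, still identifiable by the #EXT# in its UPN even after its userType was switched to Member, that holds anything beyond Directory Readers.

```python
import json

# Well-known Azure AD built-in role template IDs; for built-in roles the
# roleDefinitionId returned by the role assignments API equals the template ID.
ROLE_TEMPLATES = {
    "88d8e3e3-8f55-4a1e-953a-9b9898b8876b": "Directory Readers",
    "9360feb5-f418-4baa-8175-e2a00bac4301": "Directory Writers",
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
}
# Per the answer above, client users should hold this role and nothing else.
ALLOWED_FOR_CLIENT_USERS = {"Directory Readers"}

# Constructed sample data in the shape of the two Graph responses.
USERS_JSON = json.dumps({"value": [
    {"id": "u1", "userType": "Member",
     "userPrincipalName": "alice_clienta.example#EXT#@tenant.onmicrosoft.com"},
    {"id": "u2", "userType": "Member",
     "userPrincipalName": "bob_clientb.example#EXT#@tenant.onmicrosoft.com"},
    {"id": "u3", "userType": "Member",
     "userPrincipalName": "admin@tenant.onmicrosoft.com"},
]})
ASSIGNMENTS_JSON = json.dumps({"value": [
    {"principalId": "u1", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"},
    {"principalId": "u2", "roleDefinitionId": "9360feb5-f418-4baa-8175-e2a00bac4301"},
    {"principalId": "u3", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"},
]})


def external_users(users_json):
    """Return invited (B2B) accounts keyed by id. The #EXT# marker in the UPN
    survives the Guest -> Member change, so userType alone is not a reliable test."""
    users = json.loads(users_json)["value"]
    return {u["id"]: u for u in users if "#EXT#" in u["userPrincipalName"]}


def over_privileged(users_json, assignments_json):
    """Map each external user's UPN to the roles it holds beyond Directory Readers.
    Unknown roleDefinitionIds (e.g. custom roles) are reported by id and still flagged."""
    ext = external_users(users_json)
    findings = {}
    for assignment in json.loads(assignments_json)["value"]:
        pid = assignment["principalId"]
        if pid not in ext:
            continue  # tenant-native admins are out of scope for this check
        role = ROLE_TEMPLATES.get(assignment["roleDefinitionId"], assignment["roleDefinitionId"])
        if role not in ALLOWED_FOR_CLIENT_USERS:
            findings.setdefault(ext[pid]["userPrincipalName"], []).append(role)
    return findings


if __name__ == "__main__":
    for upn, roles in over_privileged(USERS_JSON, ASSIGNMENTS_JSON).items():
        print(f"{upn}: {', '.join(roles)}")
```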
