We have developed a webapp and configured its authentication to use our Azure Active Directory tenant. This works fine. We have clients which are other organizations and when a user from one of those clients authenticates they are presented with content that is specific to their organization. This also works fine.
Under the hood: To accomplish this, in our tenant we have created groups (one for each client) and we have invited users from those clients and assigned them to the appropriate groups (after they are added we have to manually change their user type from 'Guest' to 'Member').
Problem: If one of our clients signs in to Azure AD they are able to see ALL other groups and all other users. They are also able to add and delete groups and do virtually everything our global administrator account can! This tells me we have done something very very wrong. We are new to Azure AD and there appears to be very much about it that we do not understand.
What I've tried:
Read about administrative units (that doesn't seem to be it)
Roles and administrators: this page has a long list of roles with check boxes next to them that appear to do nothing.
Home > Tenant > Users > Username > Assigned Roles > Add Assignment: I can select from any of that same list of roles but they are all different kinds of administrators. This would seem to be granting more permissions, not taking them away.
Home > Tenant > Groups > Groupname > Roles and Administrators: this page simply says "No roles found".
Essentially I need our members to not be able to do anything in Azure AD except return a list of the groups they are in as well as their own details (name, email, profile picture, etc.).
Assuming you are adding the client users to a specific group, that group itself may already have some admin privilege (Global Administrator / Directory Writers permission). In that case the user can do operations on groups and other users' data.
I would suggest you check Group -> Roles and administrators & User -> Roles and administrators; they should have only the Directory Read permission.
For me, in User -> Assigned roles -> Active assignments, I only have the Directory Read role permission, so I can only see my details and the list of groups present in Active Directory, but cannot do any operation on any group/users like write/delete/update, except read.
Note: To assign a role at the group level you require an Azure AD Premium P1 license.
Update
For assigning a role to a group, go this way:
AAD -> Roles and administrators -> Select Role -> Add assignment -> Select Member (Group)
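The check the answer describes (a client user should hold nothing beyond the Directory Readers role, whether assigned directly or through a group) can be audited from PowerShell rather than clicked through in the portal. This is an added example, not code from the original question or answer; it assumes the Microsoft Graph PowerShell SDK is installed, the caller can read role assignments, and the user principal name passed in is a placeholder.

```powershell
# Added example (not from the original post): list every Azure AD directory role a user
# holds, directly or via a group it belongs to, and flag anything beyond Directory Readers.
# Assumes: Microsoft Graph PowerShell SDK installed; caller has read access to role assignments.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. 'client.user@example.com'
)

# Read-only scopes are enough for an audit; nothing here changes the tenant.
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory', 'GroupMember.Read.All' | Out-Null

# Well-known role template id for the built-in Directory Readers role (the "Directory Read"
# permission the answer refers to); this is the only role the question wants members to keep.
$DirectoryReadersTemplateId = '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,UserType
Write-Host "Auditing $($user.UserPrincipalName) (userType = $($user.UserType))"

# Principals to inspect: the user itself plus every group it belongs to, transitively,
# because a role assigned to a group (Azure AD Premium P1) applies to all of its members.
$principalIds = @($user.Id)
$principalIds += Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    Select-Object -ExpandProperty Id

$findings = foreach ($principalId in $principalIds) {
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$principalId'" -All |
        ForEach-Object {
            $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
            [pscustomobject]@{
                Role         = $def.DisplayName
                TemplateId   = $def.TemplateId
                ViaPrincipal = $principalId
                DirectOnUser = ($principalId -eq $user.Id)   # $false means inherited through a group
            }
        }
}

$excess = $findings | Where-Object { $_.TemplateId -ne $DirectoryReadersTemplateId }
if ($excess) {
    Write-Warning 'User holds directory roles beyond Directory Readers; review these assignments:'
    $excess | Format-Table -AutoSize
} else {
    Write-Host 'OK: no directory role beyond Directory Readers.'
}
```

A row with DirectOnUser = False points at the group the role was assigned to, which is where the answer says to look first.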