Apr 4, 2017

[Updated] Unintended access rights are granted by sharing contents on OneDrive for Business

In my last article, I drew the attention of Office 365 administrators to the fact that enabling external sharing grants unintended access rights to guest users.

Recently, the Microsoft team added new capabilities to the Azure Portal to restrict access to directory configuration by guest users and non-admin users.

With this new capability, administrators no longer need conditional access (which requires an Azure AD Premium P1 license, as I wrote in the last article) to deny guest users access to directory configuration.

You can use this capability with the following instructions.

1. Restrict guest access to directory configuration

To restrict guest access to directory configuration, administrators need to set the 'Guest users permissions are restricted' option to 'Yes'. *Normally no action is needed because the default value for this option is 'Yes'.

After enabling this option, guest users cannot access directory configuration.

*Note) This option only prohibits access to directory configuration, so guest users are still able to access the Azure Portal itself.


2. Restrict non-admin access to directory configuration

The second option prohibits non-admin access to directory configuration.

On the same menu of the Azure AD configuration page, there is another new option named 'Restrict access to Azure AD administration portal'.

By enabling this option, non-admin users are prevented from accessing the Azure AD administration portal, so they can no longer see directory configuration.
*Notes) The default value for this option is 'No', so if you want to restrict access by non-admin users, you have to set this option to 'Yes' explicitly.
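As an added example (not part of the original post), the following Microsoft Graph PowerShell snippet audits the guest restriction from section 1 from a script instead of clicking through the portal. It assumes that the 'Guest users permissions are restricted' toggle corresponds to the GuestUserRoleId of the tenant authorization policy in the current Graph API; the 'Restrict access to Azure AD administration portal' option from section 2 is not checked by it.

```powershell
# Added example, not from the original post. Audits the guest access
# restriction of the tenant with the Microsoft Graph PowerShell SDK.
# Assumption: the portal toggle 'Guest users permissions are restricted'
# is represented by authorizationPolicy.guestUserRoleId in Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.Read.All"

# Role template IDs documented for authorizationPolicy.guestUserRoleId
$guestRoleLabels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as member users (unrestricted)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (directory default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted to own objects (most restrictive)'
}

$policy = Get-MgPolicyAuthorizationPolicy
$roleId = "$($policy.GuestUserRoleId)".ToLower()

$label = if ($guestRoleLabels.ContainsKey($roleId)) {
    $guestRoleLabels[$roleId]
} else {
    "Unknown role id ($roleId)"
}

# Flag the one value that lets guests read directory data like members
$finding = if ($roleId -eq 'a0b1b346-4d3e-4e8b-98f8-753987be4970') {
    'WARN: guest users are not restricted; set the option to Yes'
} else {
    'OK: guest users are restricted'
}

[PSCustomObject]@{
    Setting = 'Guest user access restrictions'
    Value   = $label
    Finding = $finding
}
```

Run it with an account that can read tenant policies; a WARN line means the tenant deviates from the default described in section 1.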

Safe enough?

By enabling these options, administrators can prevent unintended access to directory configuration. But guest users and non-admin users are still able to access the access panel, https://myapps.microsoft.com, and can see the icons of applications assigned to the 'All Users' group. So admins still have to take care when creating applications on Azure AD: assign them to a specific group that does not include guest users instead of using the 'All Users' group, as I wrote in the last article.

Cheers,
Naohiro