HOWTO: Disable account enumeration in Azure Active Directory


To celebrate the availability of the Active Directory Administration Cookbook, I decided to write a blogpost in the typical structure of a recipe in this book:


Disabling account enumeration

Use this recipe to disable account enumeration for an Azure Active Directory tenant. After completing this recipe, people with user accounts in the tenant will no longer be able to list the other accounts.


Getting ready

To complete this recipe, you’ll need to sign into the Azure AD tenant with an account that has the Global administrator role assigned to it.

Note: This recipe does not require any additional licenses. The functionality described in this recipe is included in all Azure AD tenants, including those configured as Azure AD Free.

This recipe requires the MSOnline Windows PowerShell Module. Use the following line of Windows PowerShell on a Windows or Windows Server system that runs Windows PowerShell 5.0 or higher and has Internet connectivity, in an elevated Windows PowerShell window:

Install-Module MSOnline

Press Yes twice.

When the MSOnline Windows PowerShell Module is already installed, run the above line of Windows PowerShell to update it before continuing with the recipe.


How to do it

Perform these steps:

  1. Open a Windows PowerShell window on the device or server where you have installed the MSOnline PowerShell module.
  2. Execute the following line of PowerShell to import the MSOnline Windows PowerShell Module:

    Import-Module MSOnline

  3. Execute the following line of PowerShell to sign into the Azure AD tenant:

    Connect-MsolService

  4. The Sign in to Azure AD Connect Health Agent window appears:


  5. Sign in with an account in Azure Active Directory that has the Global administrator role assigned.
  6. Perform multi-factor authentication, when prompted.
  7. Execute the following line of PowerShell to configure the Azure AD tenant:

    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false 

  8. Close Windows PowerShell.
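The steps above, as an added example that is not part of the original post: a small script that first reads the current value of the tenant setting, applies the change only when needed, and verifies afterwards. It assumes the MSOnline module is installed and that the signed-in account holds the Global administrator role; the two function names are my own (the cmdlets Get-MsolCompanyInformation, Set-MsolCompanySettings and Connect-MsolService are the module's).

```powershell
# Added example, not from the original post. Audits and remediates the
# tenant-wide UsersPermissionToReadOtherUsersEnabled setting.
Import-Module MSOnline

function Get-AccountEnumerationState {
    # Get-MsolCompanyInformation exposes the switch the recipe flips.
    $company = Get-MsolCompanyInformation
    [pscustomobject]@{
        Tenant                 = $company.DisplayName
        UsersCanReadOtherUsers = $company.UsersPermissionToReadOtherUsersEnabled
    }
}

function Disable-AccountEnumeration {
    # Hypothetical helper name. Supports -WhatIf so the change can be reviewed
    # before it is applied (the recipe's step 7 applies it unconditionally).
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-AccountEnumerationState
    if (-not $before.UsersCanReadOtherUsers) {
        Write-Host "Already disabled for tenant '$($before.Tenant)'; nothing to do."
        return $before
    }

    if ($PSCmdlet.ShouldProcess($before.Tenant,
            'Set UsersPermissionToReadOtherUsersEnabled to $false')) {
        Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

        # Re-read the tenant so the result is verified, not assumed.
        $after = Get-AccountEnumerationState
        if ($after.UsersCanReadOtherUsers) {
            throw "Setting did not apply; check the signed-in account's role."
        }
        return $after
    }
}

Connect-MsolService                      # interactive sign-in, MFA if enforced
Get-AccountEnumerationState | Format-List
Disable-AccountEnumeration -WhatIf       # dry run; drop -WhatIf to apply
```

Test the effect with a non-administrative account afterwards, and keep in mind that the same setting backs people pickers in other Office 365 workloads, so plan the change with those owners.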


How it works

This recipe uses the MSOnline Windows PowerShell module.

Note: Microsoft recommends using the newer AzureAD Windows PowerShell Module. However, the current version of that module does not (yet) offer the functionality needed to perform the steps in this recipe.

By importing the Windows PowerShell module before issuing cmdlets from the module, tab completion is available under all circumstances.

The Connect-MsolService cmdlet instructs PowerShell to connect to the Azure AD tenant. As no credentials are supplied in the above example, a prompt appears to ask for credentials. When multi-factor authentication, Azure AD Privileged Identity Management (PIM) or other information security measures are enabled, perform the required steps to successfully authenticate.

When successfully authenticated, the Set-MsolCompanySettings cmdlet configures the Azure AD tenant with the required settings.


There’s more!

To find the differences between the MSOnline and AzureAD Windows PowerShell modules and their history, look at the state of Azure AD PowerShell today.


There’s even more!

Account enumeration is labeled Account Discovery in the MITRE ATT&CK knowledge base and tagged with ID T1087. Find out more about this adversary tactic and its impact by visiting the MITRE ATT&CK knowledge base.

3 Responses to HOWTO: Disable account enumeration in Azure Active Directory

  1. Thanks for the tip. Does it change some behaviour of other apps? Like auto-complete for SharePoint or OneDrive sharing and Planner task assignment?

  2. Only one problem – it breaks things in Office 365 like Teams. See known issues: https://docs.microsoft.com/en-us/microsoftteams/known-issues

  3. A year plus has passed since this article was penned, and Microsoft has still not adequately addressed issues related to user attribute enumeration. Why can we still not mark specific attributes as confidential and limit access to them? It seems like such an obvious requirement and is commonly used in every on-premises AD installation.

     The inability to manage attribute access has a direct negative impact on the adoption of certain Azure functionality such as Azure Federation. Who is going to use Azure Federation if all the associated attributes can be dumped by any valid user? The use of PowerShell to enumerate user accounts and all their attributes is a very common step in many attacks.

     And, don't forget, disabling it at the "company" level as outlined in this article is not recommended by Microsoft.
