To celebrate the availability of the Active Directory Administration Cookbook, I decided to write a blogpost in the typical structure of a recipe in this book:
Disabling account enumeration
Use this recipe to disable account enumeration for an Azure Active Directory tenant. After completing this recipe, people with user accounts in the tenant will no longer be able to list the other accounts.
To complete this recipe, you’ll need to sign into the Azure AD tenant with an account that has the Global administrator role assigned to it.
This recipe does not require any additional licenses. The functionality described in this recipe is included in all Azure AD tenants, including those configured as Azure AD Free.
This recipe requires the MSOnline Windows PowerShell Module. Use the following line of Windows PowerShell on a Windows or Windows Server system that runs Windows PowerShell 5.0, or higher and has Internet connectivity, in an elevated Windows PowerShell window:
Press Yes twice.
When the MSOnline Windows PowerShell Module is already installed, run the above line of Windows PowerShell to update it before continuing with the recipe.
How to do it
Perform these steps:
- Open a Windows PowerShell window on the device or server where you have installed the MSOnline PowerShell module.
- Execute the following line of PowerShell to import the MSOnline Windows PowerShell Module:
- Execute the following line of PowerShell to sign into the Azure AD tenant:
- The Sign in to Azure AD Connect Health Agent window appears:
- Sign in with an account in Azure Active Directory that has the Global administrator role assigned.
- Perform multi-factor authentication, when prompted.
- Execute the following line of PowerShell to configure the Azure AD tenant:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
- Close Windows PowerShell.
How it works
This recipe uses the MSOnline Windows PowerShell module.
Microsoft recommends to use the newer AzureAD Windows PowerShell Module. However, as per the current version of this module the functionality to perform the steps in this recipe is not (yet) available.
By importing the Windows PowerShell module before issuing cmdlets from the module, tab completion is available under all circumstances.
The Connect-MsolService cmdlet instructs PowerShell to connect to the Azure AD tenant. As no credentials are supplied in the above example, a prompt appears to ask for credentials. When multi-factor authentication, Azure AD Privileged Identity Management (PIM) or other information security measures are enabled, perform the required steps to successfully authenticate.
When successfully authenticated, the Set-MsolCompanySettings cmdlet configures the Azure AD tenant with the required settings.
To find the differences between the MSOnline and AzureAD Windows PowerShell modules and their history, look at the state of Azure AD PowerShell today.
There’s even more!
Account enumeration is labeled Account Discovery in the MITRE ATT@CK knowledgebase and tagged with ID T1087. Find out more about this adversary tactic and its impact by visiting the MITRE ATT&CK knowledgebase.