Forum Discussion
Toby Statham (Brass Contributor)
May 16, 2019
Hide Groups from a Guest User
How can I hide the list of Office 365 Groups in my tenant?
When a guest account is added through Azure AD and the invite email is sent, they follow the instructions to log in to the guest tenant and end up on this landing page:
https://account.activedirectory.windowsazure.com/r#/applications
The Guest User can then click on Groups and Join Group and see a list of all the tenant groups and the members of any of the groups.
How is this possible? A guest user shouldn't be able to see a list of internal groups. The names alone could possibly give away important information (internal projects, other third-party companies, etc.).
Surely there should be a boundary for listing groups between an internal and external user?
- Dirk-Nom (Copper Contributor)
From my perspective, your approach should be the standard and not the other way around.
I came across this article many years later and still: group membership enumeration is possible and causes risks for organisations. It's easy to identify C-level or admin accounts by just poking around in a default setup.
I found some settings via PowerShell to hide group memberships, but would assume that many customers share their memberships without knowing it. The description left the taste that I would assume something "super secretive", but it is a general measure which is nothing special. The term "non-hidden groups" causes confusion to me, since it leaves the feeling that an admin would have to "unhide" memberships and causes a wrong sense of security.
Edit: Ah and of course: There is a more restrictive option now, but it isn't default. Which leads back to poking around in default setups.
- Deleted
You can edit the dynamic membership rules of the group "All users" to exclude Guest users.
Go to Azure Active Directory -> Groups
Select the "All users" group and go to "Dynamic membership rules".
Edit the "Rule syntax"
To only include users of type Member enter the following query:
(user.objectId -ne null) and (user.userType -eq "Member")
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/use-dynamic-groups
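An added example, not from any post in this thread, that audits and (only when you confirm) applies both mitigations mentioned above: the more restrictive guest access level Dirk-Nom refers to, and the members-only rule for the "All users" dynamic group from the answer above. It assumes the Microsoft Graph PowerShell SDK, an account with Group.ReadWrite.All and Policy.ReadWrite.Authorization, that the group is named "All users", and the three well-known guestUserRoleId values from Microsoft's documentation; none of these come from the thread.

```powershell
# Added example (not from the thread). Assumes the Microsoft Graph PowerShell SDK
# and the permissions listed above. Run with -WhatIf first to audit only.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $AllUsersGroupName = 'All users'   # assumed display name of the dynamic group
)

# Well-known guestUserRoleId values for the tenant authorization policy (from Microsoft docs).
$GuestRole = @{
    SameAsMember = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'
    Limited      = '10dae51f-b6af-4016-8d66-8c2a99b929b3'   # tenant default
    Restricted   = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # guests cannot enumerate users/groups
}
# Membership rule from the answer above: members only, guests excluded.
$MembersOnlyRule = '(user.objectId -ne null) and (user.userType -eq "Member")'

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Policy.ReadWrite.Authorization' | Out-Null

# 1. Audit the guest access level and tighten it if it is not already Restricted.
$policy  = Get-MgPolicyAuthorizationPolicy
$current = ($GuestRole.GetEnumerator() | Where-Object Value -eq $policy.GuestUserRoleId).Key
Write-Host "Guest access level: $current ($($policy.GuestUserRoleId))"
if ($policy.GuestUserRoleId -ne $GuestRole.Restricted -and
    $PSCmdlet.ShouldProcess('authorizationPolicy', 'Set guestUserRoleId to Restricted')) {
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $GuestRole.Restricted
}

# 2. Audit the "All users" dynamic group and replace its rule if guests are not excluded.
$group = Get-MgGroup -Filter "displayName eq '$AllUsersGroupName'" `
    -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState
if (-not $group) { Write-Warning "Group '$AllUsersGroupName' not found"; return }
Write-Host "Current rule for '$($group.DisplayName)': $($group.MembershipRule)"
if ($group.MembershipRule -notmatch 'user\.userType\s+-eq\s+"Member"' -and
    $PSCmdlet.ShouldProcess($group.DisplayName, 'Replace membership rule with members-only rule')) {
    Update-MgGroup -GroupId $group.Id -MembershipRule $MembersOnlyRule -MembershipRuleProcessingState 'On'
}
```

Dynamic membership is re-evaluated asynchronously, so check the group's processing status in the portal after the rule change before relying on it.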
- Istvan Ybema (Brass Contributor)
Hi Toby, great finding and thank you for the post! This is not as it should be in my opinion.
But... You can modify it in the Azure portal.
Azure Active Directory -> Groups -> General (settings)
Change the 'Restrict access to group membership requests in the Access Panel' setting to Yes.
Also you can change the following settings:
- 'Users can create security groups in Azure portals'
- 'Users can create Office 365 groups in Azure portals'
I've posted this feedback on UserVoice for us all to vote on.
- Just to clarify, this will apply to both members and guests also!
- cadas24vdxc1450 (Copper Contributor)
@adam deltinger This setting still doesn't hide the Groups icon from the panel. A guest user can see all my Azure AD user accounts because they are a member of the "All Users" group.
Is there any way to hide the whole app? There is no reason for a user I am sharing a OneDrive file with to be able to see this.
- Thanks for this information
Yes, there are boundaries, but they will have read on, for example, groups etc.! This is the way it works! Surely you can hide from the GAL etc.
Please see the following document:
Adam
- Toby Statham (Brass Contributor)
I understand that's the way it works; that doesn't necessarily mean it's the right way.
I would have thought that when a guest user is added to a tenant it should be given the least permissive permissions by default and then further permissions can be added if needed dependent on the role of the Guest User.
Is there a setting or policy that can be applied to remove browse permissions on groups you are not a member of? So, for example, if I had a security group set up with dynamic membership for all guest users, could it say that members of this group cannot browse Office 365 Groups (or any other groups)?
- This is already the least permissive! You can set guests to browse the whole directory like internal users too.