如何使用PowerShell禁止非管理员用户访问Azure AD [英] How to prohibit access of non-administrator users to Azure AD using PowerShell

问题描述

我们的大学为学生，教职员工使用普通的Office 365租户.

Our university uses a common Office 365 tenant for students, faculty, and staff.

在我们的大学政策中，要求使用IT系统来防止学生访问其他学生的个人信息.  这种政策在许多大学中很常见.

In our university policy, IT systems are required to prevent students from accessing other student's personal information.  This kind of policy is common in many universities.

在Office 365租户的默认设置中，任何用户都可以通过使用PowerShell访问来检索Azure Active Directory中的所有用户信息.为避免这种情况，我们在Azure AD中将UsersPermissionToReadOtherUsersEnabled设置为false.  在此之下 设置，非管理员用户可以使用PowerShell访问Azure AD，但不能在Azure AD中读取其他用户的信息.

In the default setting of Office 365 tenant, any user can retrieve all user information in Azure Active Directory by accessing with PowerShell.  To avoid this, we set UsersPermissionToReadOtherUsersEnabled to false in our Azure AD.  Under this setting, non-administrator users can access to Azure AD using PowerShell but can't read other user's information in Azure AD.

但是，如Microsoft Teams的已知问题< https://docs.microsoft.com/en-us/microsoftteams/known-issues>中所述，当UsersPermissionToReadOtherUsersEnabled设置为false时，Teams不能实际使用.

However, as described in Known issues for Microsoft Teams <https://docs.microsoft.com/en-us/microsoftteams/known-issues>, when UsersPermissionToReadOtherUsersEnabled is set to false, Teams can't be used practically.

是否可以使用PowerShell禁止非管理员用户访问Azure AD?

Is there any way to prohibit access itself of non-administrator users to Azure AD using PowerShell?

推荐答案

您是在寻找编程方式来分配角色，还是在引用Powershell访问本身? />
您可以通过Powershell配置基于角色的访问控制，并根据用户或组角色分配来设置权限.如果您尚未查看此信息，请参阅全面的Microsoft指南. https://docs.microsoft.com/zh-CN/azure/role-based-access-control/role-assignments-powershell

Are you looking for a programmatic way to assign roles, or are you referring to the Powershell access itself?

You can configure roles-based access control through Powershell and set permissions based on user or group role assignment. If you have not reviewed this information already, refer to the comprehensive Microsoft guide. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell

您还可以设置条件访问策略以限制对资源的访问.

You can also set conditional access policies to restrict access to resources.

这篇关于如何使用PowerShell禁止非管理员用户访问Azure AD的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！