
AAD User Types and Permissions

When working with User Principals in Azure Active Directory (AAD), it is good to be aware of the available user types and the impact each type has on permissions. This lets us make an informed decision about which type to choose when creating users in our Directory.

AAD currently supports two types of users: 1) Members and 2) Guests.

Members

Think of users of this type as the internal user principals of the Organisation that the Directory represents. By default, these users have broad read permissions on Directory objects (other users, groups, applications) and, unfortunately, the amount of control we have over their access to other users in the Directory is severely limited. Therefore, I recommend creating users as Members only if it is not imperative that their access to other objects in the Tenant is restricted.

Limiting non-Admin Members' Access

It is technically possible to limit non-admin Members' access to other users' information in the Tenant. However:

  1. This can only be done using a [Tenant-wide configuration](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#restrict-member-users-default-permissions). In other words, this setting applies to every non-admin Member in the Tenant; it cannot be scoped to individual users or groups.
  2. Microsoft does not recommend changing this configuration because of its potential for unforeseen side-effects in applications that rely on reading other users' profiles.

You can configure this setting using PowerShell (MSOnline module) as follows:

# Connect to Azure AD (requires the MSOnline module and an admin account)
Connect-MsolService
# Tenant-wide: disable non-admin users' permission to read other users' data
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
# Verify the change took effect
(Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled

Please note that, for the purposes of this setting, a non-admin user is one that does not have an AAD Role assigned. Therefore, after restricting the Tenant with the setting above, we can use AAD Role assignments to selectively give specific users their read access back.
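As an added example (not code from the original post), the same procedure done with the Microsoft Graph PowerShell SDK, which is the supported replacement for MSOnline: audit the Tenant's default member permissions, turn off members' ability to read other users, and then hand a single member read access back through the built-in Directory Readers role. The UPN, the scopes requested and the choice of Directory Readers are assumptions; the cmdlets and property names are the Graph SDK's own.

```powershell
# Added example: restrict member defaults tenant-wide, then re-grant per user via a role.
# Assumes Microsoft.Graph is installed and the signed-in account may write
# authorization policy and role assignments (e.g. Global Administrator).
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# The tenant has exactly one authorization policy; it carries the member defaults.
$policy   = Get-MgPolicyAuthorizationPolicy
$defaults = $policy.DefaultUserRolePermissions

# Audit before changing anything.
"AllowedToReadOtherUsers       : $($defaults.AllowedToReadOtherUsers)"
"AllowedToCreateApps           : $($defaults.AllowedToCreateApps)"
"AllowedToCreateSecurityGroups : $($defaults.AllowedToCreateSecurityGroups)"

# Tenant-wide switch: non-admin members can no longer read other users' profiles.
if ($defaults.AllowedToReadOtherUsers) {
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId $policy.Id `
        -DefaultUserRolePermissions @{ AllowedToReadOtherUsers = $false }
}

# Selectively restore read access for one member through an AAD role assignment.
$upn  = "helpdesk@contoso.example"          # assumed UPN; replace with a real member
$user = Get-MgUser -UserId $upn
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Directory Readers'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/"

# Confirm both changes.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToReadOtherUsers
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'"
```

Directory Readers is the least-privileged built-in role that restores the read access this setting removes; assigning a broader role (for example User Administrator) would grant far more than the original default, so resolve the role by display name and check the result rather than guessing at template IDs.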

Guests

AAD users of type "Guest" are meant to represent user principals external to the Organisation that the Directory represents. Usually, this involves inviting the user into the target Tenant from their home Tenant (B2B collaboration). In this case, when signing in to the target Tenant, these users authenticate to their home Tenant first.

However, it is also possible to convert an existing user in a Tenant from type Member to type Guest. In this case, no B2B flow is needed or possible: the user still authenticates against this Tenant, but is now subject to the Guest permission restrictions described below.

There is a (finer-grained option)[https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions] for controlling Guests' permissions to access the Tenant's information:

  1. Same as Member: Guests have the same permissions as Members.
  2. Limited (the default): Guests can read the properties and membership of non-hidden groups, but cannot enumerate all users and groups in the Directory.
  3. Restricted: Guests can only view their own information.

In most cases, I would recommend going with the Restricted option. Please do keep in mind that you can selectively enhance a Guest user's permissions using AAD Role Assignments.
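As an added example (not code from the original post), setting the Tenant's guest access level to Restricted and converting an existing Member to a Guest with the Microsoft Graph PowerShell SDK. The three role-template GUIDs are the ones Microsoft documents for the guest access levels; the UPN is an assumption.

```powershell
# Added example: enforce the "Restricted" guest level, then demote a member to guest.
# Assumes Microsoft.Graph is installed and the caller may write authorization policy and users.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "User.ReadWrite.All"

# Role-template IDs Microsoft documents for the guest access levels.
$GuestLevels = @{
    SameAsMember = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
    Limited      = "10dae51f-b6af-4016-8d66-8c2a99b929b3"   # tenant default
    Restricted   = "2af84b1e-32c8-42b7-82bc-daa82404023b"
}

# Report the current level by reverse-mapping GuestUserRoleId.
$policy  = Get-MgPolicyAuthorizationPolicy
$current = ($GuestLevels.GetEnumerator() | Where-Object { $_.Value -eq $policy.GuestUserRoleId }).Key
"Current guest access level: $current"

# Tenant-wide: guests may only read their own directory object.
if ($policy.GuestUserRoleId -ne $GuestLevels.Restricted) {
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId $policy.Id `
        -GuestUserRoleId $GuestLevels.Restricted
}

# Convert a Member to a Guest in place; no B2B invitation is involved.
$upn = "contractor@contoso.example"         # assumed UPN; replace with a real member
Update-MgUser -UserId $upn -UserType Guest

# Confirm: UserType now reads "Guest" and the policy points at the Restricted role.
Get-MgUser -UserId $upn -Property UserPrincipalName, UserType | Select-Object UserPrincipalName, UserType
(Get-MgPolicyAuthorizationPolicy).GuestUserRoleId -eq $GuestLevels.Restricted
```

The GuestUserRoleId applies to every Guest in the Tenant, including converted Members, so if one Guest legitimately needs to see more than their own object, give them an AAD Role assignment (as in the Members section) rather than loosening the Tenant-wide level.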