Default Authorization Settings - Default User Role Permissions - Allowed to read other users

Prevents all non-admins from reading user information from the directory. This flag doesn't prevent reading user information in other Microsoft services like Exchange Online.

Name: allowedToReadOtherUsers
Control: Default Authorization Settings
Description: Manages authorization settings in Azure AD
Severity: Informational

How to fix

Details of configuration item

Recommendation: Restricting this default permission for members has a major impact on collaboration features and user lookup.
Configuration: policies/authorizationPolicy
Setting: defaultUserRolePermissions.allowedToReadOtherUsers
Recommended Value: 'true'
Default Value: true
Graph API Docs: authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer: Open in Graph Explorer

MITRE ATT&CK

Tactic | Technique | Mitigation
TA0043 - Reconnaissance | Reconnaissance |