Restricting default permissions in the Entra ID portal: Do the settings really work?
In Microsoft Entra, all users are granted a set of default permissions. A user's access consists of the type of user, their role assignments, and their ownership of individual objects such as Groups or Applications. These default permissions can be changed under User Settings in the Microsoft Entra ID portal.
So, if you want to prevent non-administrative users from browsing the Entra ID portal and making changes there, it's a good idea to keep the above setting at YES.
However, it's important to note that these restrictions apply only to the Entra portal and not to other clients such as PowerShell, the Graph API, Visual Studio, or IaC tools such as Terraform. Those clients are out of scope here, as they can always be used to make changes to Entra resources as long as you have the required roles or permissions assigned.
Thus, the scope of the discussion here is only browsing through the Entra portal.
The Microsoft Learn article "Default user permissions - Microsoft Entra" provides guidance on restricting these default permissions.
The image below provides more details on what the switch does.
But does this really work? Are non-administrative users really prevented from browsing the portal and stopped from making changes? Let us find out!
So, we have the restrict default access setting set to YES in the Entra portal.
I have a test user with no administrative permissions, and I log in to the Entra portal with that user. As you can see, the user does not have permission to navigate the admin center, and the menu options on the left-hand side are not available.
When searching for Groups in the search bar, a 401 error is returned, which represents insufficient permissions.
The test user is the owner of a group in the tenant, but since we have restricted the default permissions, the user is not able to access the group, which is as expected.
The Unexpected!!
Now, if you know the Object ID of a group you own, it is pretty simple to make changes, and none of the restrictions discussed above apply.
For example, I know the Object ID of the group I own, and when I navigate to the link below -
which includes the Object ID of the group, I can access the group and make any changes to its membership and properties.
I can change the group name -
or add members to or remove members from the group -
and I can delete the group as well!
What about groups the user does not own? Well, if you know their Object IDs, they can still be navigated to.
For example, the group below can still be navigated to even though the user is not its owner.
Group Object IDs are easy to obtain, which suggests that Microsoft's method of limiting access via the Entra portal is not entirely impervious and can be circumvented as discussed above.
Microsoft does mention that restricting default permissions is not a security measure, but at least the permissions should be restricted in the portal as mentioned in the docs.
Similarly, for Devices, I can navigate all the devices even though the test user has no permissions assigned.
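Since the portal switch changes nothing at the Graph layer, the useful check for an admin is to audit the tenant-wide default user role permissions and the objects a non-admin user owns, as those are what actually govern what the user can change from PowerShell or the Graph API. The following is an added PowerShell example (not from the original post) using the Microsoft Graph PowerShell SDK; the user principal name is a placeholder.

```powershell
# Added example, not from the original post. Audits the tenant-wide
# defaultUserRolePermissions (which apply to every member user regardless of
# the "Restrict access to the Entra admin center" portal switch) and lists the
# groups a given non-admin user owns, i.e. objects it can still change from
# any client. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','Group.Read.All' -NoWelcome

$userUpn = 'testuser@contoso.example'   # placeholder: the non-admin test user

# Tenant-wide defaults for member users live on the authorization policy.
$defaults = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions

$checks = @(
    @{ Name = 'AllowedToCreateApps';           Value = $defaults.AllowedToCreateApps }
    @{ Name = 'AllowedToCreateSecurityGroups'; Value = $defaults.AllowedToCreateSecurityGroups }
    @{ Name = 'AllowedToCreateTenants';        Value = $defaults.AllowedToCreateTenants }
    @{ Name = 'AllowedToReadOtherUsers';       Value = $defaults.AllowedToReadOtherUsers }
)
foreach ($c in $checks) {
    # A $true value means every member user keeps that right via Graph/PowerShell.
    $status = if ($c.Value) { 'PERMISSIVE' } else { 'restricted' }
    '{0,-32} {1}' -f $c.Name, $status
}

# Ownership is unaffected by the portal switch: the owner keeps full control
# of these groups (rename, add/remove members, delete) through any client.
$user  = Get-MgUser -UserId $userUpn -Property Id,UserPrincipalName
$owned = Get-MgUserOwnedObject -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

"$($user.UserPrincipalName) owns $($owned.Count) group(s):"
$owned | ForEach-Object { '  {0}  {1}' -f $_.Id, $_.AdditionalProperties['displayName'] }
```

Any entry reported as PERMISSIVE is tightened with Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions (for example @{ AllowedToCreateSecurityGroups = $false }), which is the Graph-side counterpart of the User Settings page referenced in the Microsoft Learn article above.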