Default Authorization Settings - Default User Role Permissions - Allowed to read other users

Prevents all non-admins from reading user information from the directory. This flag doesn't prevent reading user information in other Microsoft services like Exchange Online.

Name	allowedToReadOtherUsers
Control	Default Authorization Settings
Description	Manages authorization settings in Entra ID (Azure AD)
Severity	Info

How to fix

Microsoft Graph PowerShell: PolicyAuthorizationPolicy -BodyParameter @{DefaultUserRolePermissions = @{AllowedToReadOtherUsers = $false}}

Details of configuration item

Recommendation	Restrict this default permissions for members have huge impact on collaboration features and user lookup.
Configuration	policies/authorizationPolicy
Setting	defaultUserRolePermissions.allowedToReadOtherUsers
Recommended Value	'true'
Default Value	true
Graph API Docs	authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer	Open in Graph Explorer

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0043 - Reconnaissance - Reconnaissance