This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 79%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
We have recently restricted access to the Azure AD admin portal for none-admins.
App owners are now greeted by the following message: "Your administrator has disabled the App registrations experience in the Azure portal. You can still register or manage applications using PowerShell or another client such as Visual Studio."
How do we let owners manage their apps through the portal, instead of Powershell or VS, which is not the most desired solution?
I understand that they can be temporarily assigned the 'Application Administrator'-role by utilizing access reviews. However, this would let them manage all the other enterprise applications in our tenant as well, which is not applicable.
Surely there must be some other alternatives? Any ideas? Thanks!
Consider using a Cond Access Policy to block uses to the Azure portal - excluding users who need access to the apps they own.
https://osddeployment.dk/2017/06/24/a-standard-azuread-user-have-access-to-browse-the-admin-portal/
Hi AndyDavid,
Thanks for the suggestion. Looks quite promising!
I tried to set this up according to the article you provided. However, upon further testing it would seem that the App owners (all placed in an excluded security group) would require access to the cloud app "Microsoft Azure Management".
This cloud app gives them unfortunately way too much control in the rest of the portal, such as allowing them to create their own resource groups, user groups etc.
According to Microsoft, "Microsoft Azure Management" consists of the following services:
This is a real bummer, I must say!
Thanks AndyDavid, we will further look into CA policies. Seems like a great way to solve this.
It seems like the cloud app "Microsoft Azure Management" restricts our developers from logging into services like Azure Devops. Any idea on how to bypass that?
Hello @Thijs1,
As @Andy David - MVP mentioned Azure AD CA way would be helpful in this situation.
So when you choose the "Microsoft Azure Management" cloud app through Conditional Access (AAD CA) which includes multiple services, but this doesn't enable any additional control to users at resource level like creating resource groups in subscription because it is only portal entry level allow/deny access.
Azure resources access are controlled through RBAC role by default so without right RBAC role, user access would be denied. For example, I built an AAD CA policy that restricts access to all users except a few who are application owners, so that when normal users try to access Azure Portal, their access is restricted, but owners can continue to access portal.azure.com to manage their owned AAD apps.
However, if the application owner attempts to create a Resource Group or Manage resources from the Azure portal, they will receive the following error because the ARM (Azure resource manager) validates whether that particular user has RBAC role access to the given subscription; if not, they receive an error while creating any resources.
I'd request you to check if those user in your scenario has any RBAC role access at the subscription level? which could have enabled them to create a resource group. Please help me in better understanding if I have missed something. Thanks
Hope this was helpful.
sikumars-msft, thank you very much for your very thorough reply.
I must admit that my initial testing was lacking a bit. It seems like this could be a perfect solution for us to further invest into.
You have been really helpful, thanks!