Never mind, found it: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions
How to restrict a contributor from accessing Active Directory?
I have an employee who needs Azure access to, say, create Azure SQL databases. I do not want them to be able to access Active Directory in any way. Is it possible to set them up like that? They get access to the CLI so they can create Azure SQL databases, but they can't run any commands against Active Directory?
2 answers
Sandeep G-MSFT 18,281 Reputation points Microsoft Employee
2023-03-27T03:45:54.25+00:00
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others](https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer)", I'll repost your solution in case you'd like to "[Accept](https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread)" the answer.
If you are looking to block guest users from accessing Azure Active Directory, then you can follow the steps in the article below,
If you are looking to restrict AAD member users from accessing Azure AD, then you can toggle the switch which is in the path below:
- Log in to the Azure AD portal as a global administrator.
- Go to user settings on the left-hand side.
- Look for the option "Restrict access to Azure AD administration portal" under "Administration portal".
- Toggle the switch to "Yes".
This will restrict all users in Azure AD, except administrators, from accessing the Azure AD management portal.
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.