Hi All, Using the Azure /Entra AD Premium P2 and Intune Hybrid Azure AD joined computer, how can I restrict access to the Azure Portal and M365 admin portal? The goal here is to restrict only the Hybrid Azure AD computer to allow access to the Azure portal and the M365 access, and stop all personal devices from accessing those two portals and also PowerShell access.

@EnterpriseArchitect Thank you for your post! I understand that you'd like to restrict access to the Azure Portal, M365 Admin portal, and PowerShell to only Hybrid Azure AD joined devices. To hopefully help point you in the right direction, I'll share some steps you can reference to do this below. Sign in to the Azure portal with your admin credentials. Navigate to Microsoft Entra ID > Security > Conditional Access . Click on your desired policy or create a new policy as needed. Under " Assignments ", select " Users and groups " and choose the users or groups that you want to apply the policy to. Under " Target Resources ", open the " Select apps " option and choose the following - Windows Azure Service Management API (Microsoft Azure Management) , Office 365 , and Microsoft Admin Portal applications. Under " Conditions ", select " Device platforms " and choose your required platforms (i.e. Windows, Linux, iOS). Under " Access controls ", select " Grant access ", and select the appropriate controls. For example - Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device. For more info . Prior to enabling your CA Policy, I'd recommend using the What If tool to troubleshoot and test your new Conditional Access policy to ensure it'll work correctly. Additional Links: Common Conditional Access policy: Require a compliant device, Microsoft Entra hybrid joined device, or multifactor authentication for all users Use the What If tool to troubleshoot Conditional Access policies Microsoft cloud applications Windows Azure Service Management API (Microsoft Azure Management) Office 365 Microsoft Admin Portals I hope this helps! If you have any other questions, please let me know. Thank you for your time and patience throughout this issue. If the information helped address your question, please Accept the answer . This will help us and also improve searchability for others in the community who might be researching similar information.

How to restrict the Azure portal, M365 admin portal and PowerShell access ?

Accepted answer

JamesTran-MSFT 36,481 Reputation points Microsoft Employee

2023-11-06T21:24:17.78+00:00
@EnterpriseArchitect

Thank you for your post!

I understand that you'd like to restrict access to the Azure Portal, M365 Admin portal, and PowerShell to only Hybrid Azure AD joined devices. To hopefully help point you in the right direction, I'll share some steps you can reference to do this below.

Sign in to the Azure portal with your admin credentials.

Navigate to Microsoft Entra ID > Security > Conditional Access.

Click on your desired policy or create a new policy as needed.

Under "Assignments", select "Users and groups" and choose the users or groups that you want to apply the policy to.

Under "Target Resources", open the "Select apps" option and choose the following - Windows Azure Service Management API (Microsoft Azure Management), Office 365, and Microsoft Admin Portal applications.

Under "Conditions", select "Device platforms" and choose your required platforms (i.e. Windows, Linux, iOS).

Under "Access controls", select "Grant access", and select the appropriate controls.

For example - Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device. For more info.

Prior to enabling your CA Policy, I'd recommend using the What If tool to troubleshoot and test your new Conditional Access policy to ensure it'll work correctly.

Additional Links:

Common Conditional Access policy: Require a compliant device, Microsoft Entra hybrid joined device, or multifactor authentication for all users

Use the What If tool to troubleshoot Conditional Access policies

Microsoft cloud applications

Windows Azure Service Management API (Microsoft Azure Management)

Office 365

Microsoft Admin Portals

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Please sign in to rate this answer.

1 person found this answer helpful.
JamesTran-MSFT 36,481 Reputation points Microsoft Employee

2023-11-14T20:32:15.78+00:00

@EnterpriseArchitect

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

EnterpriseArchitect 4,891 Reputation points

2023-11-15T00:26:03.28+00:00

Hi @JamesTran-MSFT ,
Thank you for the reply, how to modify the above to allow the access to Aure & M365 admin portal only with the Hybrid Azure AD join device, so no personal device can be allowed?

D S Niranjan Babu Vallabhaneni 10 Reputation points

2024-05-08T22:28:39.3366667+00:00

Hi @JamesTran-MSFT @Rahul Jindal [MVP] ,

Your Solution looks great, But how can we fine tune this policy to allow access to only Microsoft 365 admin center and Microsoft Intune admin center but not allowing access to other admin portals like Teams, SharePoint, Entra, Purview compliance, Microsoft 365 Defender, Azure, Exchange ?

Thanks in advance.
Sign in to comment

Share via

How to restrict the Azure portal, M365 admin portal and PowerShell access ?

0 additional answers