Dear all,
I've recently found out that all the users in my tenant could access the Microsoft Entra admin panel, despite the flag "Restrict access to Microsoft Entra admin center" being set to YES. Unprivileged users could see the list of ALL groups, ALL devices and ALL enterprise applications in my tenant.
I've found out you can completely block access to admin portals via Conditional Access, so I've set up a rule as follows:
Users:
- INCLUDE All users in my tenant
- EXCLUDE All administrative roles
Target resources:
- INCLUDE Microsoft Admin Portals, Windows Azure Service Management API
Conditions: None
Access Controls: Block Access
Now, this rule has had the expected result of completely blocking unprivileged users from accessing Microsoft Entra. However, it also prevents users from accessing the Office 365 app installation portal. We are giving our users A5 Student and A5 Faculty licenses, which allow them to visit office.com and download the Office 365 installer. This redirects them to portal.office.com/account/?ref=Harmony#installs, but this link no longer works for unprivileged users.
I've tried adding Office 365, Office 365 Exchange Online, and every cloud app whose name starts with "Office" to the exclusions in my target resources, but the result is still the same. Depending on the exclusions, my unprivileged users get either "404 - File or directory not found", or the page loads but shows an error message saying that they are not authorized.
Is there a way to fix this?
Thanks
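The policy described in the question, modelled as an added example (not code from the original post or from Microsoft). The policy object mirrors the shape of a Microsoft Graph conditionalAccessPolicy, but the evaluation logic is a simplified model written here for illustration: it covers only the user and application conditions the post uses, and real Conditional Access evaluates more (platforms, locations, risk, session controls). The user objects and the student/admin principals are constructed; the role template ID for Global Administrator and the app IDs for the Windows Azure Service Management API and Exchange Online are well-known values, and "MicrosoftAdminPortals" and "Office365" are the Graph identifiers for those targets. The model makes two things visible that the question turns on: exclusions (user or app) always win over inclusions, and an excluded app only affects requests whose target resource is that app, so excluding Office 365 apps does not change the outcome for a request that is evaluated against the admin-portals target.

```python
"""Simplified evaluation of a Conditional Access policy (added example)."""
import copy

# Well-known identifiers (assumed correct, not taken from the post).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
AZURE_SERVICE_MGMT_API = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"

# Constructed policy, shaped like the Graph conditionalAccessPolicy resource.
# "All administrative roles" in the portal expands to every directory role
# template; only Global Administrator is listed here to keep the sample short.
BLOCK_ADMIN_PORTALS = {
    "displayName": "Block admin portals for non-admins",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": [],
            "includeRoles": [],
            "excludeRoles": [GLOBAL_ADMIN_ROLE],
        },
        "applications": {
            "includeApplications": ["MicrosoftAdminPortals", AZURE_SERVICE_MGMT_API],
            "excludeApplications": [],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed principals: an unprivileged student and a Global Administrator.
STUDENT = {"id": "student-0001", "roles": []}
GLOBAL_ADMIN = {"id": "admin-0001", "roles": [GLOBAL_ADMIN_ROLE]}


def user_in_scope(policy: dict, user: dict) -> bool:
    """True if the user condition matches. Exclusions take precedence."""
    users = policy["conditions"]["users"]
    roles = set(user.get("roles", []))
    if user["id"] in users["excludeUsers"] or roles & set(users["excludeRoles"]):
        return False
    if "All" in users["includeUsers"] or user["id"] in users["includeUsers"]:
        return True
    return bool(roles & set(users["includeRoles"]))


def app_in_scope(policy: dict, app: str) -> bool:
    """True if the target-resource condition matches the requested app."""
    apps = policy["conditions"]["applications"]
    if app in apps["excludeApplications"]:
        return False
    return "All" in apps["includeApplications"] or app in apps["includeApplications"]


def evaluate(policy: dict, user: dict, app: str) -> str:
    """Outcome of one sign-in request against one policy.

    Returns "blocked", "granted with controls" or "not applicable".
    """
    if policy["state"] != "enabled":
        return "not applicable"
    if not (user_in_scope(policy, user) and app_in_scope(policy, app)):
        return "not applicable"
    controls = policy["grantControls"]["builtInControls"]
    return "blocked" if "block" in controls else "granted with controls"


def with_app_exclusions(policy: dict, excluded_apps: list) -> dict:
    """Copy of the policy with extra target-resource exclusions added."""
    updated = copy.deepcopy(policy)
    updated["conditions"]["applications"]["excludeApplications"].extend(excluded_apps)
    return updated


def outcome_matrix(policy: dict) -> dict:
    """Evaluate the sample principals against a few target resources."""
    targets = {
        "admin portals": "MicrosoftAdminPortals",
        "exchange online": EXCHANGE_ONLINE,
        "office 365": "Office365",
    }
    return {
        (who, name): evaluate(policy, user, app)
        for who, user in (("student", STUDENT), ("global admin", GLOBAL_ADMIN))
        for name, app in targets.items()
    }


if __name__ == "__main__":
    for key, result in outcome_matrix(BLOCK_ADMIN_PORTALS).items():
        print(f"{key[0]:12} -> {key[1]:15}: {result}")
    # Excluding Office 365 changes nothing for a request aimed at the admin portals.
    relaxed = with_app_exclusions(BLOCK_ADMIN_PORTALS, ["Office365"])
    print("student -> admin portals, Office365 excluded:",
          evaluate(relaxed, STUDENT, "MicrosoftAdminPortals"))
```

Running the block prints the outcome for each principal/resource pair; the student is blocked only on the admin-portals target, the Global Administrator is never in scope because of the role exclusion, and adding Office 365 to the exclusions leaves the admin-portals outcome unchanged. Microsoft's "What If" tool in the Conditional Access blade performs the real version of this evaluation and is the place to confirm which policy and target actually match the office.com install redirect before changing the policy.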