Restrict access to Microsoft Entra administration portal

Oscar 177 Reputation points
2024-04-10T08:32:03.1066667+00:00

Hello,

If I follow this doc: https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions

And enable "Restrict access to Microsoft Entra administration portal" under Azure for User settings.

Then:

  1. Via portal.azure.com -> end user cannot access users/groups/devices
  2. Via entra.microsoft.com -> end user CAN access groups/devices

Why is that? Is it a bug?

Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. Domooney-MSFT 2,606 Reputation points Microsoft Employee Moderator
    2024-04-10T12:46:53.68+00:00

    Hi Oscar,

    Thank you for posting your query on Microsoft Q&A!

    I can reproduce the same behaviour in my own test tenant. I will report this internally to request a fix, but it may take some time. This toggle is not designed to be a security measure but more to prevent users from mis-configuring their profile or apps etc.

    I would recommend creating a Conditional Access policy which blocks non-admin users from accessing the Windows Azure Service Management API, which would also prevent access with PowerShell etc.

    We have some more details on this here - https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions

    Let me know if you have any further queries, I would be happy to help.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Kind Regards,

    Donal

    1 person found this answer helpful.
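
The Conditional Access policy recommended in the accepted answer, sketched with the Microsoft Graph PowerShell SDK; this is an added example, not code from the thread or from Microsoft. The policy name, the choice to exclude only the Global Administrator role, and the break-glass account placeholder are assumptions to adapt per tenant, and the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Hypothetical display name for the new policy.
$policyName = 'Block Azure management for non-admins'

# App ID of the Windows Azure Service Management API (same in every tenant).
$azureMgmtAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

# Role template ID of Global Administrator (same in every tenant).
# Assumption: add the template IDs of any other admin roles that must keep access.
$excludedRoleIds = @('62e90394-69f5-4237-9190-012177145e10')

# Placeholder: object ID of an emergency-access account that must never be locked out.
$breakGlassId = '<break-glass-account-object-id>'

# Refuse to create a duplicate if a policy with this name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }
if ($existing) {
    throw "A Conditional Access policy named '$policyName' already exists (Id: $($existing.Id))."
}

$policy = @{
    displayName = $policyName
    # Report-only: evaluates and logs the result without blocking anyone yet.
    # Switch to 'enabled' after reviewing the sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
            excludeRoles = $excludedRoleIds
        }
        applications   = @{
            includeApplications = @($azureMgmtAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
    Select-Object Id, DisplayName, State
```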
