How do I restrict users view to the Azure admin portal?

TJ Jones 0 Reputation points
2024-08-09T20:02:55.8233333+00:00

We have an Azure environment that has AVDs, Entra, storage accounts and various other services. Users must be able to get into an AVD, but they do not need to see any of the resources and do not need access to the admin portal. All users only have the level of access required to sign in and to access their AVD, but if they sign in to the Azure admin portal, they are able to view almost all resources. To me this is a huge issue that I would like to find a way to prevent.

We do not have a premium Entra subscription, so my understanding is that we can't create conditional restrictions. Restricting the Entra Admin center works to prevent viewing of users but does nothing to prevent viewing of other resources.

Is there a way to solve this?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

Abiola Akinbade 29,405 Reputation points Volunteer Moderator
    2024-08-09T23:44:45.62+00:00

    You can restrict non-admin users from the portal as a secondary resort. But this won't give you the fine-grained control. Just for admins. See:

    • Sign in to your Azure AD Admin Center.
    • Select Users –> User Settings.
    • Move the toggle to ‘Yes’ under "Restrict access to Microsoft Entra admin center".
    • Select ‘Save’ at the top.


    I will generally recommend you use least-privileged roles for your users in RBAC, e.g. remove any broader roles like "Reader" at the subscription or resource group level.

    Also see https://learn.microsoft.com/en-us/schooldatasync/blocking-powershell-for-edu#block-powershell-for-everyone-except-a-list-of-admins to restrict PowerShell access.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola

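To act on the least-privilege advice in the answer above, the first step is finding which users or groups hold a broad role (Reader, Contributor, Owner) at subscription or resource-group scope, since that is what makes every resource visible in the portal. The script below is an added example, not code from the answer or from Microsoft; it filters a constructed sample shaped like the JSON from `az role assignment list --all -o json` (field names `principalName`, `principalType`, `roleDefinitionName` and `scope` are assumed to match the CLI output) and keeps only the assignments worth reviewing, leaving resource-level grants such as "Desktop Virtualization User" on a single application group alone.

```python
import json
import re

# Built-in roles that expose far more than an AVD user needs to sign in.
BROAD_ROLES = {"Reader", "Contributor", "Owner"}

# Subscription-level or resource-group-level scopes only; anything deeper
# (e.g. a single application group) is a resource-level assignment.
SUBSCRIPTION_OR_RG = re.compile(
    r"^/subscriptions/[^/]+(/resourceGroups/[^/]+)?$", re.IGNORECASE)

# Constructed sample in the shape of `az role assignment list --all -o json`
# (assumed field names; principal names, IDs and scopes are made up).
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Desktop Virtualization User",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd/providers/Microsoft.DesktopVirtualization/applicationGroups/ag-desktop"},
  {"principalName": "avd-users", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd"},
  {"principalName": "sp-deploy", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-infra"}
]""")


def broad_assignments(assignments):
    """Return (principal, role, scope) for each user or group holding a broad
    role at subscription or resource-group scope."""
    findings = []
    for a in assignments:
        if a.get("principalType") not in ("User", "Group"):
            continue  # service principals are reviewed separately
        if a.get("roleDefinitionName") not in BROAD_ROLES:
            continue  # narrowly scoped roles such as Desktop Virtualization User
        if not SUBSCRIPTION_OR_RG.match(a.get("scope", "")):
            continue  # resource-level grant, e.g. one application group
        findings.append((a["principalName"], a["roleDefinitionName"], a["scope"]))
    return findings


if __name__ == "__main__":
    for principal, role, scope in broad_assignments(SAMPLE_ASSIGNMENTS):
        print(f"review: {principal} holds {role} at {scope}")
```

Each reported line is a candidate for removal or for replacement by a role scoped to the AVD application group only.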
