This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 90%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi,
I would like to restrict one of our Security Administrators’ access to all Microsoft admin portals except Microsoft Defender (security.microsoft.com). I attempted to use Conditional Access, but it blocked all admin access, including the Defender portal.
I am looking for a solution that allows access only to the Defender portal while preventing access to other Microsoft admin portals.
Additional Microsoft Entra services and features related to identity, access, and network security
Have you considered granting the user Defender-specific role via the built-in RBAC controls, instead of the "global" role assignment? Check this article for more details: https://learn.microsoft.com/en-us/defender-xdr/manage-rbac
The current admin has "Security Admin" assigned to his user ID. With this prevvileage he is able to access the Intune and Purview Portals. Our requirement is to restrict all the portal access except for the Defender Portal.
To restrict a Security Administrator's access to all Microsoft admin portals except for Microsoft Defender, you can utilize Conditional Access policies effectively. Here’s a general approach:
This setup should allow the Security Administrator to access Microsoft Defender while restricting access to other Microsoft admin portals. Ensure that the policy is tested in report-only mode before fully enabling it to avoid unintended lockouts.
References: