Anon4343-9491 asked alfredorevilla-msft edited

Restrict Access to Azure Administration Portal Except to App Registration Owners

We enabled Restrict Access to Azure Administration Portal, but now our developers cannot view their own Enterprise applications and app registrations because they do not have an Active Directory administrator role. How can I grant the developers read access to Active Directory so that they can get to their owned applications while still blocking access to the general user base?

Thanks.

Tags: azure-ad-authentication, azure-ad-conditional-access

1 Answer

alfredorevilla-msft answered alfredorevilla-msft edited

Hello @anon4343-9491, once the option has been selected, (non-admin) users won't be able to access selected portions of the portal unless they're assigned roles with microsoft.directory/servicePrincipals/* and microsoft.directory/applications/* permissions, such as Directory Readers, which will allow them to read all applications and manage the ones they own (thanks to @anon4343-9491 for mentioning this one).

Also, they can manage their applications through PowerShell or directly through the MS Graph API, or you can disable the setting and block them from accessing additional resources.

Please let us know if you need additional assistance.



Oh! I stumbled upon Directory readers. It doesn't have 'administrator' in the name, so I figured that the role would be included in the blocking.


Users in this role can read basic directory information. This role should be used for: 1) Granting a specific set of guest users read access instead of granting it to all guest users. 2) Granting a specific set of non-admin users access to Azure Portal when "Restrict access to Azure AD portal to admins only" is set to "Yes". 3) Granting service principals access to directory where Directory.Read.All is not an option.


Hello @anon4343-9491, you're right; however, keep in mind such users will be able to read all applications. I've updated the answer accordingly. Thanks for sharing it.

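As an added example (not part of the answer above or of any Microsoft documentation), the following Microsoft Graph PowerShell script grants Directory Readers to a named list of developers, as the answer suggests, and then prints the full membership of the role so that the caveat from the last comment (every holder can read every application in the tenant) is reviewed rather than assumed. The developer UPNs are constructed placeholders; the cmdlets are from the Microsoft.Graph module.

```powershell
# Added example, not from the original Q&A. Requires the Microsoft.Graph module.
# Assumption: these UPNs are constructed placeholders for the developers who own app registrations.
$developers = @('dev1@contoso.example', 'dev2@contoso.example')

# Run as a role administrator: adding role members needs RoleManagement.ReadWrite.Directory,
# resolving UPNs to object ids needs User.Read.All.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# A built-in role only exists as an object in the tenant once it has been activated from
# its template, so look it up first and activate it only if it is missing.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Directory Readers'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Directory Readers'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Current members, so that re-running the script is idempotent.
$currentMemberIds = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object Id)

foreach ($upn in $developers) {
    $user = Get-MgUser -UserId $upn
    if ($currentMemberIds -contains $user.Id) {
        Write-Host "$upn already holds Directory Readers, skipping"
        continue
    }
    # Membership is added by reference to the user's directory object.
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Assigned Directory Readers to $upn"
}

# Review step: Directory Readers is tenant-wide, not scoped to owned apps. Everyone listed
# here can read all applications and service principals, so keep this list to the
# developers who actually need portal access and remove anyone who no longer does.
Write-Host "`nCurrent Directory Readers members:"
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, UserPrincipalName } |
    Select-Object DisplayName, UserPrincipalName |
    Format-Table -AutoSize

Disconnect-MgGraph
```

Run the review part on its own periodically: the role is the access decision here, and the membership list is what a later audit will ask for.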