Ensure that the "Restrict access to Microsoft Entra ID administration portal" policy is set to "Yes" within your Microsoft Entra ID (formerly Azure AD) settings so that all non-administrator users are denied access to the Microsoft Entra ID administration portal. This setting applies to the administration portal only: enabling it does not restrict access through PowerShell or other clients such as Microsoft Visual Studio. By default, "Restrict access to Microsoft Entra ID administration portal" is set to "No".
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
The Microsoft Entra ID administration portal exposes sensitive or private information, so all non-administrator users should be prevented from accessing any Microsoft Entra ID resource or information available through the portal in order to avoid data exposure.
Audit
To determine whether non-administrator users have access to the Microsoft Entra ID administration portal, perform the following actions:
Note: Fetching the "Restrict access to Microsoft Entra ID administration portal" configuration setting status using the Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
By setting "Restrict access to Microsoft Entra ID administration portal" to "Yes", only Microsoft Entra ID administrators can access the administration portal, protecting Microsoft Entra ID data from unauthorized users. To enable the required setting, perform the following actions:
Note: Restricting non-administrator users' access to the Microsoft Entra ID administration portal using the Microsoft Graph API or Azure CLI is not currently supported.
References
- Azure Official Documentation
- Microsoft Entra built-in roles
- CIS Microsoft Azure Foundations