Description:
In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their role assignments, and their ownership of individual objects. The setting "Restrict access to Azure AD administration portal" controls who can use the portal: setting this option to Yes restricts all non-administrators from accessing any Azure AD data in the administration portal.
Rationale:
The Azure AD administrative portal has sensitive data. All non-administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure.
Impact:
Restricting non-admin users from accessing the Azure AD administrative portal reduces the exposure of sensitive information held in the portal and improves the resiliency of the Azure AD portal.
Default Value:
By default, Restrict access to Azure AD administration portal is set to No.
Audit:
Sign in to your Azure account
Go to Azure Active Directory
Go to Users
Go to User settings
Check the Administration Portal setting.
(By default, this setting is No.)
Remediation:
Implementation Steps:
Sign in to your Azure account
Go to Azure Active Directory
Go to Users
Go to User settings
Set the Restrict Administration portal access to Yes
Backout Plan:
Sign in to your Azure account
Go to Azure Active Directory
Go to Users
Go to User settings
Change the Administration Portal setting back to No (this reverts the remediation to the default value.)
Note: this setting does not restrict access to Azure AD data using PowerShell or other clients such as Visual Studio. When it is set to Yes, a specific non-admin user can still be granted the ability to use the Azure AD administration portal by assigning them an administrative role such as the Directory Readers role.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems