Description:

In Microsoft Entra ID (formerly Azure Active Directory, Azure AD), every user is granted a set of default permissions. A user's effective access is determined by the type of user (member or guest), their role assignments, and the objects they own. The "Restrict access to the Microsoft Entra admin center" option controls whether non-administrators can browse directory data in the admin center. Setting it to Yes prevents every user who holds no administrative role from viewing any Microsoft Entra data in the administration portal. Note that the restriction applies only to the admin center: it does not block directory reads through Microsoft Graph, PowerShell, or other clients, which are governed separately by the tenant's default user permissions.


Rationale:

The Microsoft Entra admin center exposes sensitive directory data such as user attributes, group membership, and device and application records. Non-administrators have no business need to browse that data in the portal, so they should be prohibited from accessing it there to avoid casual or opportunistic exposure.


Impact:

Restricting non-admin users from the admin center reduces the exposure of sensitive directory information through the portal. Users without an administrative role who open the admin center are denied access; users who hold any Microsoft Entra administrator role are unaffected. Because the control only gates the portal, it does not change what a user can read through Microsoft Graph or PowerShell, so it should be treated as a defense-in-depth measure rather than a data-access boundary.


Default Value:

By default, Restrict access to the Microsoft Entra admin center is set to No, so any member user can sign in to the admin center and browse directory data.


Pre-requisites:

  • Access to the Microsoft Entra ID (Azure AD) tenant

  • An account holding the Global Administrator or Privileged Role Administrator role


Test Plan:

  1. Sign in to the Azure portal at https://portal.azure.com and navigate to Microsoft Entra ID (Azure AD).

  2. Under Manage, select User settings.

  3. Under Administration center, locate Restrict access to the Microsoft Entra admin center and verify that the setting is set to Yes.

  4. If the value is set to No, follow the remediation below to fix it.


Implementation Steps:

  1. Sign in to the Azure portal at https://portal.azure.com and navigate to Microsoft Entra ID (Azure AD).

  2. Under Manage, select User settings from the left pane.

  3. Under Administration center, locate Restrict access to the Microsoft Entra admin center and set the value to Yes.

  4. Click Save to apply the configuration.
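The portal steps above are the only documented way to verify and set this control: the admin-center restriction is not exposed as a Microsoft Graph property, so the Test Plan check in the portal remains authoritative. What a practitioner can verify from the command line is the control's limit. The following PowerShell script is an added example, not part of the original control page, and uses the Microsoft.Graph PowerShell SDK. It assumes a test account that is an ordinary member user with no directory role, and a tenant whose user consent policy still lets users grant the low-privilege User.ReadBasic.All delegated permission to the Graph PowerShell app (both assumptions). Run it after setting the control to Yes: the admin center will deny the test user, yet the Graph calls below still return directory data.

```powershell
# Added example (not from the original control page): demonstrates that
# "Restrict access to the Microsoft Entra admin center" = Yes does NOT stop a
# non-admin from reading directory data through Microsoft Graph.
# Requires: Install-Module Microsoft.Graph
# Assumptions: the signed-in account is a plain member user with no directory role,
# and the tenant allows users to consent to User.ReadBasic.All themselves.

# 1. Sign in as the non-admin test user. User.ReadBasic.All is deliberately chosen
#    because it is a delegated permission that does not require admin consent by default.
Connect-MgGraph -Scopes "User.ReadBasic.All" -NoWelcome

# 2. Record which account and scopes this session actually has, so the result
#    cannot be mistaken for an administrator's session.
$ctx = Get-MgContext
Write-Host "Signed in as $($ctx.Account) with scopes: $($ctx.Scopes -join ', ')"

# 3. Enumerate other users. With the portal restriction enabled this call still
#    succeeds, because the setting only gates the admin-center UI. What it returns is
#    governed by the tenant's default user permissions, not by this control.
$users = Get-MgUser -Top 10 -Property DisplayName,UserPrincipalName,JobTitle
$users | Select-Object DisplayName, UserPrincipalName, JobTitle | Format-Table -AutoSize

if ($users.Count -gt 0) {
    $msg = "Non-admin account read $($users.Count) user objects via Graph even though " +
           "the admin center is restricted. Treat this control as a UI restriction only."
    Write-Warning $msg
}

Disconnect-MgGraph

# 4. (Run separately, as an administrator.) The setting that actually limits what
#    member users can read lives in the tenant authorization policy; the tenant
#    default is AllowedToReadOtherUsers = True. Reviewing it alongside this control
#    shows whether directory data is protected outside the portal as well.
# Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
# (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions |
#     Select-Object AllowedToReadOtherUsers, AllowedToCreateApps, AllowedToCreateSecurityGroups
# Disconnect-MgGraph
```

If the test user is prompted for consent in step 1 and the tenant blocks user consent, the script cannot sign in with that scope; that outcome is itself useful evidence that Graph access is being restricted by consent policy rather than by this control. The administrator query in step 4 is the place to look when the goal is to limit what non-admins can read, not merely where they can read it.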



Backout Plan:

  1. Sign in to the Azure portal and navigate to Microsoft Entra ID (Azure AD).

  2. Under Manage, select User settings.

  3. Under Administration center, locate Restrict access to the Microsoft Entra admin center and set the value to No.

  4. Click Save to apply the changes.


Reference: