Forum Discussion
Restrict access to Microsoft Entra admin center
- Jul 31, 2025
View-only access to basic directory data is impossible to restrict, so blocking access to the admin tools is your best option if that's your goal. For Groups they own, users can use the MyGroups portal and/or OWA. For app-related operations, it depends on which operations you want to allow for them, but in general there is no way to prevent them from seeing additional data if you allow them to manage apps via the portal.
I agree!
We were faced with the same issue. CA policies didn't work, as then the end users couldn't reach the OWA portal, as they are grouped in the same app in CA. There is also the Quarantine email portal, so yeah, we could not use that one.
I have prompted to "break out" the Entra ID admin portal, or "grey out" certain options, like download users from non-admin accounts, as that is a big concern as well for us.
Our solution, for right now, was to use MyGroups portal for group management, and then we give all App owners the Directory Reader role, so they can manage their app. We went from 100% of users able to download all users, to 3%, so better than nothing.
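
One way to keep a setup like the one described above from drifting, as an added example that is not from any poster in this thread: a read-only audit that compares app registration owners with the direct members of the Directory Readers role. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the two read scopes; the finding labels are made up for this example.

```powershell
# Added example: read-only audit of app owners vs. Directory Readers membership.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

# Well-known role template ID of the built-in Directory Readers role.
$templateId = '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'
$role = Get-MgDirectoryRole | Where-Object RoleTemplateId -eq $templateId
if (-not $role) { throw 'Directory Readers has not been activated in this tenant.' }

# Direct members only: group-based or PIM-eligible assignments are not expanded here.
$readerIds = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object Id)

# Collect every owner of every app registration, remembering which apps they own.
$ownedApps = @{}
foreach ($app in Get-MgApplication -All -Property Id, DisplayName) {
    foreach ($owner in Get-MgApplicationOwner -ApplicationId $app.Id -All) {
        if (-not $ownedApps.ContainsKey($owner.Id)) {
            $ownedApps[$owner.Id] = [System.Collections.Generic.List[string]]::new()
        }
        $ownedApps[$owner.Id].Add($app.DisplayName)
    }
}

# Classify every object that is a role member, an app owner, or both.
$report = foreach ($id in ($readerIds + @($ownedApps.Keys) | Sort-Object -Unique)) {
    $isReader = $readerIds -contains $id
    $isOwner  = $ownedApps.ContainsKey($id)
    [pscustomobject]@{
        ObjectId = $id
        Finding  = if ($isReader -and -not $isOwner) { 'HasRoleButOwnsNoApp' }   # review: role may be stale
                   elseif ($isOwner -and -not $isReader) { 'OwnerWithoutRole' }  # owner cannot reach the portal
                   else { 'Expected' }
        Apps     = if ($isOwner) { $ownedApps[$id] -join '; ' } else { '' }
    }
}

# Show only the entries that deviate from the "owner holds the role" policy.
$report | Where-Object Finding -ne 'Expected' | Sort-Object Finding | Format-Table -AutoSize
```

A `HasRoleButOwnsNoApp` row is only a candidate for review, since the role may have been granted for another reason.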