Restrict access to Microsoft Entra admin center
Hi,
I know that setting this to Yes isn't considered a security measure by Microsoft, but I really think that they need to rethink this and give a better warning.
Entra>Users>User Settings>Restrict access to Microsoft Entra admin center
If this is left at No, which is the default, then any user (Admin or Standard User) is able to access Entra, and for certain things this may be required, but it leaves a huge door open as well for the egress of data.
For example, a Standard user can access Entra, select Users and/or Devices from the left-hand side and export a .csv file with all devices and/or all Users in the estate listed, with a lot of other information included in the exported file as well.
Is there another way to allow users access to the portal to manage Groups or Apps that they are an Owner of (which is one of the reasons that I see for allowing any user to access the portal), while also dramatically reducing the risk to the business of users being able to see a lot of other information in Entra that we would not wish users to be able to see or indeed interact with, such as downloading a file of all Devices and Users in the estate?
View only access to basic directory data is impossible to restrict, so blocking access to the admin tools is your best option if that's your goal. For Groups they own, users can use the MyGroups portal and/or OWA. For app-related operations, it depends on which operations you want to allow for them, but in general there is no way to prevent them from seeing additional data if you allow them to manage apps via the portal.
2 Replies
- Daniel_Fors (Copper Contributor)
I agree!
We were faced with the same issue. CA policies didn't work, as then the end users couldn't reach the OWA portal, as they are grouped in the same app in CA. There is also the Quarantine email portal, so yeah, we could not use that one.
I have prompted to "break out" the Entra ID admin portal, or "grey out" certain options, like download users from non-admin accounts, as that is a big concern as well for us.
Our solution, for right now, was to use MyGroups portal for group management, and then we give all App owners the Directory Reader role, so they can manage their app. We went from 100% of users able to download all users, to 3%, so better than nothing.
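The approach in the accepted answer and in this reply (restrict the admin center, then grant only app owners the Directory Readers role) can be audited and applied with the Microsoft Graph PowerShell module. The script below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed and that the signed-in account may read applications and manage directory role assignments.

```powershell
# Added example: find every user who owns an app registration, report which of
# them lack the Directory Readers role, grant it only when -Apply is given, and
# show what share of all users then hold that role (the "100% -> 3%" figure).
param([switch]$Apply)   # default is report-only

Connect-MgGraph -Scopes "Application.Read.All", "User.Read.All", "RoleManagement.ReadWrite.Directory"

# A built-in role must be activated from its template before members can be added.
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Directory Readers'
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq 'Directory Readers'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}
$members = @{}
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object { $members[$_.Id] = $true }

# Distinct user owners across all app registrations (group/SP owners are skipped).
$owners = @{}
foreach ($app in Get-MgApplication -All -Property Id, DisplayName) {
    foreach ($o in Get-MgApplicationOwner -ApplicationId $app.Id -All) {
        if ($o.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            $owners[$o.Id] = $app.DisplayName
        }
    }
}

$missing = @($owners.Keys | Where-Object { -not $members.ContainsKey($_) })
foreach ($id in $missing) {
    Write-Host "Owner $id of '$($owners[$id])' does not hold Directory Readers"
    if ($Apply) {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$id"
        }
        $members[$id] = $true
    }
}

# Share of the tenant that can still enumerate the directory via this role once
# "Restrict access to Microsoft Entra admin center" is set to Yes.
$total = @(Get-MgUser -All -Property Id).Count
$pct   = [math]::Round(100 * $members.Count / [math]::Max($total, 1), 1)
Write-Host "Directory Readers: $($members.Count) of $total users ($pct%)"
```

Run it once without -Apply to review the list of owners that would gain the role; Directory Readers still lets those users read all users and devices, so the percentage is the residual exposure, not zero.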