Forum Discussion
Block access to Endpoint Manager Admin Center for non admin users
Hi LarsWe
I have not implemented this approach myself, but you may want to look into Scope tags; here is a pretty good overview on how to do that: https://tech.nicolonsky.ch/intune-scope-tags-rbac-explained/.
Nice consideration, but unfortunately it does not help in my case. I created an additional Intune role as a test; since roles can't be created without permissions, I gave the role read permissions for TermsAndConditions. After creating a scope and assigning it to the group my test user is in, the user's permission changed from "no permission" to "TermsAndConditions - read"... Unfortunately this did not change the fact that the user can still view all information via "Users > All Users...".
It is also strange that in other areas of the portal "No access" is displayed immediately. Is this a BUG in the portal?
- Alo Press, Mar 10, 2021, Iron Contributor
Hi LarsWe
You could try a Conditional Access policy towards Intune and only add proper roles to the Allowed list, or block everyone excluding (Intune) admins. But please be careful not to lock yourself out. Docs for https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common.
Policy could be something like this:
- Users and groups: Include All users, Exclude Admins
- Cloud apps: Select apps "Microsoft Intune"
- Grant: Block access
I would recommend testing with a limited scope and you might want to add other conditions such as platforms or Locations/networks. Also enforcing MFA for Azure access would probably be a good idea in general.
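The policy outlined in the post above, written out with the Microsoft Graph PowerShell SDK as an added example (this is not code from the thread or from Microsoft's docs). It follows the "test with a limited scope" advice by creating the policy in report-only mode and by excluding an admin group and a break-glass group; the group IDs are placeholders you must replace, and the Intune cloud app is resolved from the tenant's service principals rather than hard-coded. The cmdlet names and the policy schema are the SDK's own; the placeholder values are assumptions.

```powershell
# Added example, not from the original thread.
# Requires: Install-Module Microsoft.Graph (Microsoft.Graph.Applications and
# Microsoft.Graph.Identity.SignIns submodules are used below).
# Placeholders to replace before running: <intune-admins-group-id>, <break-glass-group-id>

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the "Microsoft Intune" cloud app from the tenant instead of hard-coding its app id.
$intune = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune'" | Select-Object -First 1
if (-not $intune) { throw "No service principal named 'Microsoft Intune' found in this tenant" }

# Groups that must never be blocked: the Intune admins and the emergency (break-glass) accounts.
$excludedGroups = @("<intune-admins-group-id>", "<break-glass-group-id>")

$policy = @{
    displayName   = "Block Microsoft Intune for non-admins (report-only)"
    # Report-only first: sign-in logs show who *would* be blocked without enforcing anything.
    # Switch to "enabled" only after reviewing those results.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers  = @("All")
            excludeGroups = $excludedGroups
        }
        applications   = @{
            includeApplications = @($intune.AppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After the policy exists in report-only mode, the "Report-only" tab of each sign-in in the Entra sign-in logs shows whether it would have been blocked; only when admins and break-glass accounts consistently show as excluded should the state be changed to "enabled". If the result is wrong, `Remove-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id` removes it again.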
- LarsWe, Mar 10, 2021, Copper Contributor
Hi Alo Press,
I have already tested this. Unfortunately without success, but I am also not sure if the Cloud App "Intune" really means the Endpoint Manager Admin Center...?
- Alo Press, Mar 10, 2021, Iron Contributor
Hmm, yeah, I wasn't able to find specific documentation on the "Intune" Enterprise app, but I found something that might overlap with some of your needs; check out this docs page on https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management. The page does not exactly list Endpoint Manager, but it might be implied through some overarching management portal.