Mar 09 2021 09:02 AM - edited Mar 10 2021 01:53 AM
Hi all,
Is there any way I can completely block access to the Endpoint Manager Admin Center for non-admin users? While most of the information in Endpoint Manager is blocked for non-admin users (Reports, All Devices, All Apps etc.), currently non-admin users can access individual users in Endpoint Manager via Users > All Users and can view almost all information of individual users (User Profile, Devices, Groups, Licenses, Applications etc.).
Maybe someone has a quick idea on this as our works council is very unhappy with this...
***Update, Problem fixed***
Apparently I was too fast testing yesterday after enabling the user setting (Restrict access to Azure AD administration portal). Tested this again today and it works!!! Now a normal user without rights has no access to the data.
Thanks to all who supported me!!!
***********************************
Best regards
Lars
Mar 09 2021 09:26 AM
Mar 09 2021 09:29 AM
Mar 09 2021 09:30 AM
Mar 09 2021 09:33 AM
Mar 10 2021 12:04 AM
Hi @LarsWe
I have not implemented this approach myself but you may want to look into Scope tags, here is a pretty good overview on how to do that: Intune scope tags and role-based access control explained.
Mar 10 2021 12:52 AM
Mar 10 2021 01:07 AM - edited Mar 10 2021 01:11 AM
Hi @LarsWe
You could try a Conditional Access policy towards Intune and only add proper roles to the Allowed list or Block everyone excluding (Intune) admins. But please be careful to not lock yourself out. Docs for Common Conditional Access policies.
Policy could be something like this:
I would recommend testing with a limited scope and you might want to add other conditions such as platforms or Locations/networks. Also enforcing MFA for Azure access would probably be a good idea in general.
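As an added example (not code from this thread, from the poster above, or from Microsoft's documentation), here is a small Python helper that builds the request body such a Conditional Access policy would have when created through the Microsoft Graph API: everyone is in scope for the Microsoft Intune cloud app, admin roles and break-glass accounts are excluded, and the grant control is "block". It defaults to report-only mode to reflect the "test with a limited scope" advice, and it refuses to produce an enforced policy with no break-glass exclusion, which is the "don't lock yourself out" point. The Intune app ID and the role template IDs are the well-known tenant-independent values as I know them; verify them against your own tenant's enterprise apps and directory roles before use. The `graph_request` function only assembles the HTTP request and does not send anything; obtaining the bearer token is assumed to happen elsewhere.

```python
"""Build a Conditional Access policy body that blocks the Microsoft Intune cloud app
for everyone except admin roles and break-glass accounts.
Added example for the thread above; not Microsoft's code."""
import json
from typing import Dict, Optional, Sequence

# Well-known, tenant-independent identifiers (assumed from memory; verify in your tenant).
INTUNE_APP_ID = "0000000a-0000-0000-c000-000000000000"      # Microsoft Intune cloud app
INTUNE_ADMIN_ROLE = "3a2c62db-5318-420d-8d74-23affee5d9d5"  # Intune Administrator role template
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template

# Conditional Access policy states as used by the Graph API.
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"

GRAPH_CA_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


class LockoutRisk(ValueError):
    """Raised when a policy would block the admins who have to maintain it."""


def build_block_intune_policy(
    excluded_roles: Sequence[str] = (INTUNE_ADMIN_ROLE, GLOBAL_ADMIN_ROLE),
    break_glass_user_ids: Sequence[str] = (),
    state: str = REPORT_ONLY,
    platforms: Optional[Sequence[str]] = None,
) -> Dict:
    """Return the policy body: block Intune for all users except excluded roles/accounts.

    Starts in report-only mode so the sign-in logs show who *would* be blocked
    before anything is enforced. Enforcing requires at least one break-glass
    account to be excluded, otherwise a misconfigured role mapping locks every
    admin out of the portal."""
    roles = list(excluded_roles)
    break_glass = list(break_glass_user_ids)
    if state == ENFORCED and not break_glass:
        raise LockoutRisk("exclude at least one break-glass account before enforcing this policy")

    conditions = {
        "users": {
            "includeUsers": ["All"],      # everyone is in scope...
            "excludeRoles": roles,        # ...except members of these directory roles
            "excludeUsers": break_glass,  # ...and the emergency-access accounts
        },
        "applications": {"includeApplications": [INTUNE_APP_ID]},
        "clientAppTypes": ["all"],
    }
    if platforms:
        # Optional narrowing, e.g. ["windows"], as suggested in the reply above.
        conditions["platforms"] = {"includePlatforms": list(platforms)}

    return {
        "displayName": "Block Intune admin center for non-admins",
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def graph_request(policy: Dict, access_token: str) -> Dict:
    """Assemble (but do not send) the POST that would create the policy.
    The caller is assumed to hold a token with Policy.ReadWrite.ConditionalAccess."""
    return {
        "method": "POST",
        "url": GRAPH_CA_POLICIES_URL,
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(policy, indent=2),
    }


if __name__ == "__main__":
    # Report-only draft, safe to create and then review in the sign-in logs.
    print(json.dumps(build_block_intune_policy(), indent=2))
```

Review the report-only results in the sign-in logs first; only then rebuild the policy with `state=ENFORCED` and the object IDs of your emergency-access accounts in `break_glass_user_ids`.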
Mar 10 2021 01:19 AM
Mar 10 2021 02:00 AM
Hmm, yeah, wasn't able to find specific documentation on the "Intune" Enterprise app but found something that might overlap with some of your needs, check out this docs page on Manage access to Azure management with Conditional Access. The page does not exactly list Endpoint Manager but it might be implied through some overarching management portal.