Block access to Endpoint Manager Admin Center for non admin users

Copper Contributor

Hi all,
Is there any way I can completely block access to the Endpoint Manager Admin Center for non admin users? While most of the information in Endpoint Manager is blocked for non admin users (Reports, All Devices, All Apps etc), currently non admin users can access individual users in Endpoint Manager via Users > All Users and can view almost all information of individual users (User Profile, Devices, Groups, Licenses, Applications etc).

 

Maybe someone has a quick idea on this as our works council is very unhappy with this....

 

***Update, Problem fixed***

Apparently I was too fast testing yesterday after enabling the user setting (Restrict access to Azure AD administration portal). Tested this again today and it works!!! Now a normal user without rights has no access to the data.

 

Thanks to all who supported me!!!

***********************************

best regards
Lars

 

9 Replies
You can block access to AAD, cfr Azure AD blade -> User Settings -> Restrict access to Azure AD administration portal.

I think this should also block access to users/groups (but I have not tested it)
Hi, Thijs Lecomte, thy for your fast reply, but this only blocks access to Azure AD Admin Portal not the access to Endpoint Manager. I´ve tested this minutes before....
Darn, I hoped this would be a solution.
Then there isn't any way to block this AFAIK...
Others might have solutions though...
Anyway thanks for your help, hopefully someone else has an idea..

Hi @LarsWe 

 

I have not implemented this approach myself but you may want to look into Scope tags, here is a pretty good overview on how to do that: Intune scope tags and role-based access control explained.

Hi Alo Press,
nice consideration, but unfortunately it does not help in my case. I created an additional Intune role as a test, since roles can't be created without permissions I gave the role read permissions for TermsAndConditions. After creating a scope and assigning it to the group my test user is in, the permission of the user has changed from "no permission" to "TermsAndConditions - read"... Unfortunately this process did not change the possibility that the user can still view all information via "Users > All Users...".

It is also strange that in other areas of the portal immediately "No access" is displayed. Is this a BUG in the portal?

Hi @LarsWe 

 

You could try a Conditional Access policy towards Intune and only add proper roles to the Allowed list or Block everyone excluding (Intune) admins. But please be careful to not lock yourself out. Docs for Common Conditional Access policies.

 

Policy could be something like this:

  • Users and groups: Include All users, Exclude Admins
  • Cloud apps: Select apps "Microsoft Intune"
  • Grant: Block access

I would recommend testing with a limited scope and you might want to add other conditions such as platforms or Locations/networks. Also enforcing MFA for Azure access would probably be a good idea in general. 

Hi Alo Press,
I have already tested this. Unfortunately without success, but I am also not sure if the CloudApp "Intune" really means the Endpoint Manager Admin Center...?

Hmm, yeah, wasn't able to find specific documentation on the "Intune" Enterprise app but found something that might overlap with some of your needs, check out this docs page on Manage access to Azure management with Conditional Access. The page does not exactly list Endpoint Manager but it might be implied through some overarching management portal.