in my organization we noticed that when a user browses the security dashboard (security.microsoft.com), they can easily access critical information about compliance using the "more resources" tab, even if they have no directory role at all:
For example, they can access the Purview portal and see information they're not supposed to see about organization's compliance:
Can the "more resources" tab be hidden to the user?
Alternatively, can the access to the Purview dashboard be denied to non-admin users?
I created a Conditional Access policy and selected all of the apps that seem to be related to the Compliance Center but it doesn't work:
The policy is not applied because the application is "not matched":
The only way I found to make it work is by creating an Access Policy in Microsoft Defender for Cloud Apps but unfortunately the solution is not feasible because it is not granularly configurable and the directory is huge and complex. We actually need a standard way to do that.