
How to Restrict access to Microsoft Entra admin center

Why do users have access to the Microsoft Entra admin center by default? You only want administrators to have access, and you want to restrict users from accessing the Microsoft Entra admin center. Standard users don't need access to all kinds of information. In this article, we will look at how to restrict access to the Microsoft Entra admin center.

Check current access to Microsoft Entra admin center

Check what it looks like when a user signs in to the Microsoft Entra admin center without restricted access by following the steps below:

  1. Sign in to Microsoft Entra admin center as a User
  2. Click on Identity > Overview
  3. In the Overview screen, the user can see the Microsoft Entra ID organization
  4. Click in the menu on Users > All users
  5. All the users are visible to the user
  6. Click in the menu on Groups > All groups
  7. All the groups are visible to the user
  8. Click in the menu on Roles & admins > Roles & admins
  9. Verify the user’s role (in our case, it’s the role User)
  10. Click on Your Role
  11. The user does not have any roles assigned

In the next step, we will look at restricting users from accessing the Microsoft Entra admin center.

Restrict access to Microsoft Entra admin center

To restrict users from accessing the Microsoft Entra admin center, follow these steps:

  1. Sign in to Microsoft Entra admin center as a Global Administrator
  2. Click on Identity > Users > User settings
  3. Go to the setting Restrict access to Microsoft Entra admin center and set it to Yes
  4. Click Save

Give the setting a few minutes to apply the changes on Microsoft’s servers.

Verify no access to Microsoft Entra admin center

Check that the user’s access to the Microsoft Entra admin center is restricted by following the steps below:

  1. Sign in to Microsoft Entra admin center as a User
  2. The sidebar menu is not available
  3. Go to a direct link in Microsoft Entra admin center (for example, All users)
  4. The You do not have access message appears

Verify access to PIM (Privileged Identity Management)

You can access the PIM blade, even if you have restrictions everywhere else in the Microsoft Entra admin center. So you can always manage your privileged access.

Note: Every user can access the Privileged Identity Management (PIM) blade.

Let’s look at activating the Global Administrator role using PIM:

  1. Sign in to the PIM blade as a User
  2. Click My roles
  3. Select Activate
  4. Fill in a reason
  5. Click Activate
  6. It will process the request, activate the role, and refresh automatically once it is complete
  7. The completion is successful, and all the options, including the sidebar menu, are available in Microsoft Entra admin center

Block user access with Conditional Access policy

Using the Restrict access to Microsoft Entra admin center switch is not a security measure.

The correct way is to create a Conditional Access policy that targets the Windows Azure Service Management API and blocks access for non-administrators.

This will target the following:

  • Azure Resource Manager
  • Azure portal
  • Microsoft Entra admin center
  • Azure Data Lake
  • Application Insights API
  • Log Analytics API
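
As an added example (not from the original article), the policy described above can be created with Microsoft Graph PowerShell. It assumes that "administrators" means holders of the Global Administrator role, uses a constructed policy name and a placeholder emergency access account ID, and creates the policy in report-only mode.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns

# Well-known application ID of "Windows Azure Service Management API".
$AzureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

# Assumption: only these directory roles (role template IDs) are exempt from the block.
$ExcludedRoleTemplateIds = @(
    '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator
)

# Placeholder: object ID of an emergency access (break-glass) account in your tenant.
$BreakGlassUserId = '<emergency-access-account-object-id>'

# Constructed display name for this example.
$PolicyName = 'Block Azure management for non-administrators'

if ($BreakGlassUserId -like '<*') {
    throw 'Set $BreakGlassUserId to a real object ID before creating the policy.'
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Do not create a duplicate if a policy with this name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -eq $PolicyName
if ($existing) {
    throw "A policy named '$PolicyName' already exists (Id: $($existing.Id))."
}

$policy = @{
    displayName = $PolicyName
    # Report-only: the policy is evaluated and logged, but nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($AzureManagementAppId) }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassUserId)
            excludeRoles = $ExcludedRoleTemplateIds
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the sign-in logs for unintended matches, then change the policy state to enabled to enforce the block.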

Sign in to Microsoft Entra admin center as a user. The You don’t have access to this message appears.

That’s it!

Conclusion

You learned how to restrict access to the Microsoft Entra admin center. The option is set to No by default, but we highly recommend setting it to Yes and restricting access to the Microsoft Entra admin center for non-administrator accounts.

The next time you manage a Microsoft Entra tenant or create a new Microsoft tenant, check the Restrict access to Microsoft Entra admin center setting and make sure it is turned on.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 4 Comments

  1. Hi, have you run into an issue where you blocked the Windows Azure Service Management API, but then users cannot sign in to the Office 365 portal? It says they don’t have access to this app even though it should only block admin portals.

  2. I find the behavior of the option “Restrict access to Microsoft Admin center” really weird.

    You don’t see the menu. But you can log in to the portal, and if you scroll down you can access All Groups and All Devices, for instance. I would expect that shouldn’t be the case either.

    1. That’s correct. Microsoft should disable that when you enable the setting “Restrict access to Microsoft Admin center”. Unfortunately, that’s not the case.

      Set up a Conditional Access policy and block it from there (as shown in the article). That’s the best method to block non-administrators access.
