[Security: CA Policy] Restrict All Users To Entra Admin

28-04-2025

In this blog post we're going to talk about restricting all admin centers for all users using a Conditional Access Policy.

Using Entra Admin Center (Not Optimal)

Out of the box you can restrict users from browsing to the Entra Admin Center by following these steps:

  1. Sign in to Microsoft Entra admin center as a Global Administrator
  2. Click on Identity > Users > User settings
  3. Set "Restrict access to Microsoft Entra admin center" to Yes
  4. Click Save

This option disables portal access to Entra ID, but some features still work. For example, a user can still see all of the devices in your tenant or add their own user account to a group. From a security point of view this isn't the only configuration we want to change or create.

Using Conditional Access Policy (Best Approach)

The best way to block the Entra Admin Center is to create a CA policy that targets the Windows Azure Service Management API and blocks access for all users. Be careful not to lock yourself out: always exclude a specific group (for example a PIM-managed admin group) from this policy:
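The policy described above, built with Microsoft Graph PowerShell, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and that you replace the placeholder group object ID with your own excluded admin group; the policy is created in report-only mode so you can confirm the exclusion works before enforcing it.

```powershell
# Added example: create the blocking CA policy with Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module and an account holding the
# Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Well-known app ID of "Windows Azure Service Management API" (Azure Resource Manager).
# The Entra admin center, Azure portal and Intune admin center all depend on it.
$armAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Placeholder (assumption): object ID of the PIM/admin group that must never be blocked.
$excludedAdminGroupId = "<OBJECT-ID-OF-EXCLUDED-ADMIN-GROUP>"

# Lockout guard: refuse to create the policy if no exclusion group has been set.
if ($excludedAdminGroupId -like "<*") {
    throw "Set the excluded admin group first, or you will lock yourself out."
}

$policy = @{
    displayName   = "BLOCK - Admin portals for all users except admins"
    # Report-only first: review the sign-in logs, then switch to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{
            includeApplications = @($armAppId)
        }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($excludedAdminGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the exclusion survived before enforcing it.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeGroups -notcontains $excludedAdminGroupId) {
    throw "Exclusion group missing on created policy $($created.Id); do not enable it."
}
$check | Select-Object Id, DisplayName, State
```

Once the report-only sign-in log entries show the excluded group passing and everyone else being blocked, update the policy's state to "enabled".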

When you now go to Entra Admin center/Azure portal or Intune you will get the following message: