The Microsoft Entra portal contains a lot of information about the users, devices, groups and privileged roles in your directory. An attacker who can sign in to it gains detailed insight into your environment and can use that insight to work towards further access.
Access to the Microsoft Entra portal must be restricted to only those who need it, and at a minimum you should enforce stronger authentication mechanisms for accessing it. In this tutorial, I am going to show you how to restrict access to the Microsoft Entra portal and the caveats around doing so.
Prevent Users From Accessing The Microsoft Entra Portal
To perform these steps, you must have the Global Administrator role assigned.
2. Expand Identity and select Users > User Settings.
3. Set Restrict access to Microsoft Entra ID administration center to Yes.
Prevent Users From Accessing The Microsoft Entra Portal with Microsoft Graph PowerShell
Currently, Microsoft Graph does not support modifying this setting using the API. When it is supported, this post will be updated with the relevant steps. You can keep an eye on the Microsoft Graph change log here.
Why prevent access to the Microsoft Entra Admin portal?
Blocking access to the Entra portal is not recommended as a way to increase security, because fundamentally it does not: users can still read the same directory resources through the APIs associated with them, or simply with PowerShell.
What blocking access does achieve is preventing users from accidentally misconfiguring the resources they own through the portal, which in turn steers them towards the other workflows the business has put in place.
Where users have a legitimate need for something in the portal, there are workarounds. For example, to see access reviews users can go to myaccess.microsoft.com, and for any other task a custom role can be created to grant them access again.
Which Microsoft Entra Roles will allow me access to the Microsoft Entra portal?
Any Microsoft Entra role, including custom roles, will enable you to access the Microsoft Entra portal, even if it has been disabled for regular users.
Can I still access PIM after restricting the Microsoft Entra portal?
Yes. To access the Privileged Identity Management portal (PIM) you will need to navigate to the following portal: https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/quickStart
Once your PIM role is activated, you will be able to access the entirety of the Microsoft Entra portal. Before it is activated, or after it expires, you will not be able to access the Microsoft Entra portal.
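Because any Entra role, custom roles included, and any activated PIM role keeps the portal reachable, the practical companion to this setting is knowing exactly who holds a role. The script below is an added example written for this post, not code from the original or from Microsoft. It uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph module, assumed to be installed) to list both active and PIM-eligible directory role assignments, resolves each principal, and flags custom roles so you can review who will still get into the portal after the restriction is turned on.

```powershell
# Added example (not from the original post): audit every principal that holds
# an Entra role, active or PIM-eligible, since each of them can still reach the
# Entra portal after "Restrict access to Microsoft Entra ID administration center"
# is set to Yes. Assumes the Microsoft.Graph SDK is installed
# (Install-Module Microsoft.Graph) and that you can consent to read-only scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Role definition id -> definition, so each assignment can be labelled with its
# display name and with whether it is a built-in or a custom role.
$roleDefs = @{}
foreach ($def in Get-MgRoleManagementDirectoryRoleDefinition -All) {
    $roleDefs[$def.Id] = $def
}

# Resolve a principal id to a display name and object type. Going through
# directoryObjects makes this work for users, groups and service principals.
function Resolve-Principal {
    param([Parameter(Mandatory)][string]$Id)
    $obj = Get-MgDirectoryObjectById -Ids $Id -ErrorAction SilentlyContinue
    if (-not $obj) {
        return @{ Name = $Id; Type = 'unknown (deleted?)' }
    }
    $type = $obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    return @{ Name = $obj.AdditionalProperties['displayName']; Type = $type }
}

# Build one report row from an assignment-like object (active or eligible).
function New-ReportRow {
    param($Item, [string]$Kind, $Expires)
    $p   = Resolve-Principal -Id $Item.PrincipalId
    $def = $roleDefs[$Item.RoleDefinitionId]
    $roleName = $Item.RoleDefinitionId
    $isCustom = $null
    if ($def) {
        $roleName = $def.DisplayName
        $isCustom = -not $def.IsBuiltIn
    }
    [pscustomobject]@{
        Principal     = $p.Name
        PrincipalType = $p.Type
        Role          = $roleName
        CustomRole    = $isCustom
        Assignment    = $Kind
        Scope         = $Item.DirectoryScopeId   # "/" means tenant-wide
        Expires       = $Expires
    }
}

$report = New-Object System.Collections.Generic.List[object]

# Active assignments: permanent ones plus PIM roles that are activated right now.
foreach ($a in Get-MgRoleManagementDirectoryRoleAssignment -All) {
    $report.Add((New-ReportRow -Item $a -Kind 'Active' -Expires $null))
}

# PIM-eligible assignments: not active yet, but the holder can activate and then
# reach the whole portal. Needs Entra ID P2; skipped with a warning otherwise.
try {
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -ErrorAction Stop
    foreach ($e in $eligible) {
        $report.Add((New-ReportRow -Item $e -Kind 'Eligible' -Expires $e.EndDateTime))
    }
} catch {
    Write-Warning "Could not read PIM eligibility (no P2 licence or missing permission): $_"
}

# Full picture of who can still open the portal, then the custom-role holders
# the post calls out specifically.
$report | Sort-Object Role, Principal | Format-Table -AutoSize
$report | Where-Object CustomRole | Format-Table Principal, Role, Assignment, Scope -AutoSize

# Uncomment to keep a copy for periodic comparison:
# $report | Export-Csv -Path .\entra-role-holders.csv -NoTypeInformation
```

Run it before and after enabling the restriction and diff the CSV: any principal that appears here is unaffected by the setting, so the list is effectively your real portal access list. Eligible rows tell you who can grant themselves portal access on demand through PIM.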