Restrict non-admin access to the Microsoft Entra portal with PowerShell

Restricting a non-admin user from accessing the Entra admin center is not a security control; what it does do is reduce the chance that a user who has not had sufficient training on Microsoft Entra accidentally misconfigures the resources that they own.

For example, if a user owns a group or application, restricting their ability to log in to the Microsoft Entra portal will prevent them from modifying these objects through the portal. However, other means of modifying these objects remain available to them, for example the programmatic method I demonstrated in an earlier blog, How to bypass Microsoft Graph PowerShell access restrictions.

Previously, the only way to enable this restriction was to navigate to the Entra admin portal and flip the switch on the User settings blade, at Identity > Users > User Settings. In this post, I am going to show you how to view and modify this setting with Microsoft Graph PowerShell.

Prerequisites

Below are the requirements to restrict non-admin access to the Microsoft Entra admin center using PowerShell. 

The APIs

The uxSetting resource represents settings related to accessing the Microsoft Entra admin center. In JSON it is represented like so:

{
    "@odata.type": "#microsoft.graph.uxSetting",
    "id": "String (identifier)",
    "restrictNonAdminAccess": "String"
}

The value of restrictNonAdminAccess can be either True or False. If the value is set to True, non-administrators will not be able to browse the Microsoft Entra admin center. If the value is set to False (the default), they will be able to browse the Microsoft Entra admin center.

The HTTP endpoint for the setting is /beta/admin/entra/uxSetting, and it supports the GET and PATCH request methods, to view or modify the value respectively.

Full details on this resource type can be seen at uxSetting resource type.

View the non-admin restriction settings

To view the uxSetting value with PowerShell, first connect to Microsoft Graph, then use the following command:

Invoke-MgGraphRequest -Uri "/beta/admin/entra/uxSetting"

The command sends a GET request to Microsoft Graph and returns whether non-admin users are allowed to access, or restricted from accessing, the Microsoft Entra admin portal. If the value is True, non-admin users cannot access the portal; if it is False, they can. Your response will look like the following:

View uxSetting value with PowerShell

Restrict non-admin access to the Microsoft Entra admin center

To modify the setting to either True or False, use the below example to send a PATCH request to Microsoft Graph:

$body = @{
    restrictNonAdminAccess = "true"
}

Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/admin/entra/uxSetting" `
    -Body $body `
    -Method PATCH

If the command is successful, you will not receive any output in your PowerShell session. Instead, a 204 No Content response is returned to indicate that the request completed successfully. Add the -Debug parameter to your command to check whether this response code has been returned.

uxSetting debugging
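The GET and PATCH steps above, combined into one script that also verifies the change by reading the value back rather than trusting the 204 alone. This is an added example, not code from the original post. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds a Graph permission allowed to update uxSetting (Organization.ReadWrite.All is assumed here; confirm the required permission against the uxSetting resource documentation), and that the beta endpoint behaves as described above. The function names Connect-UxSettingSession, Get-NonAdminPortalRestriction and Set-NonAdminPortalRestriction are hypothetical helpers defined in the block.

```powershell
# Added example: read, set and verify uxSetting.restrictNonAdminAccess with
# Microsoft Graph PowerShell. Not from the original post.
# Assumptions: Microsoft.Graph.Authentication is installed; the scope below is
# sufficient to update uxSetting (assumed, verify against the uxSetting docs).

$UxSettingUri = 'https://graph.microsoft.com/beta/admin/entra/uxSetting'

function Connect-UxSettingSession {
    # Assumed scope; replace with the permission your tenant actually requires.
    param([string[]]$Scopes = @('Organization.ReadWrite.All'))
    Connect-MgGraph -Scopes $Scopes -NoWelcome
}

function Get-NonAdminPortalRestriction {
    # GET returns the uxSetting object. The resource describes the property as
    # a String ("true"/"false"), so normalise whatever comes back to a [bool].
    $setting = Invoke-MgGraphRequest -Method GET -Uri $UxSettingUri
    return [System.Convert]::ToBoolean($setting.restrictNonAdminAccess)
}

function Set-NonAdminPortalRestriction {
    param([Parameter(Mandatory)][bool]$Restrict)

    # Send the value as a JSON boolean rather than the string "true"; a comment
    # on the original post reports that the boolean form is what took effect.
    $body = @{ restrictNonAdminAccess = $Restrict } | ConvertTo-Json -Compress

    # -StatusCodeVariable captures the HTTP status (expected 204 No Content)
    # without needing -Debug output.
    Invoke-MgGraphRequest -Method PATCH -Uri $UxSettingUri -Body $body `
        -ContentType 'application/json' -StatusCodeVariable status | Out-Null

    # A 204 only proves the request was accepted. Read the value back, because
    # the post's comments describe a 204 being returned while the value did
    # not change.
    $actual = Get-NonAdminPortalRestriction
    if ($status -ne 204 -or $actual -ne $Restrict) {
        throw "PATCH returned HTTP $status but restrictNonAdminAccess reads back as $actual (wanted $Restrict)."
    }
    return $actual
}

# Usage:
# Connect-UxSettingSession
# Get-NonAdminPortalRestriction                 # current value as $true / $false
# Set-NonAdminPortalRestriction -Restrict $true # block non-admin portal access
# Set-NonAdminPortalRestriction -Restrict $false
```

Because the portal switch is a convenience setting and not a security boundary, the read-back check is the part worth keeping: it tells you whether the tenant state actually changed, which the empty PATCH response on its own does not.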

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 5 Comments

  1. Robert Crane

    Does this setting affect a non-admins capability from accessing their email quarantine? Other blocking methods do, would this?

  2. Robert Crane

    I will also say that I have done this in my environment and the status never changes. It always returns FALSE, even though I get the confirmation you speak of.

    1. Daniel Bradley

      So yeah it looks like you can change from True > False, but not the other way round weirdly enough. It is early days for the API!

  3. Robert Crane

    Ok, I think:

    restrictNonAdminAccess = "true"

    should be:

    restrictNonAdminAccess = $true

    that seems to work for me.
