Restricting a non-admin user from accessing the Entra admin centre is not a security measure; what it does do is prevent the user from accidentally misconfiguring the resources that they own if they have not had sufficient training on Microsoft Entra.
For example, if a user owns a group or application, restricting their ability to log in to the Microsoft Entra portal will prevent them from modifying these objects using the portal. However, other means of modifying these objects remain available to them, for example the programmatic method I demonstrated in an earlier blog post, How to bypass Microsoft Graph PowerShell access restrictions.
Previously, the only way to enable this restriction was to navigate to the Entra admin portal and flip the switch on the User settings blade, at Identity > Users > User Settings. In this post, I am going to show you how to view and modify these settings with Microsoft Graph PowerShell.
Prerequisites
Below are the requirements to restrict non-admin access to the Microsoft Entra admin center using PowerShell.
- You will first need the Microsoft.Graph.Authentication PowerShell module installed. For help, see How To Install the Microsoft Graph PowerShell Module.
- You will also need access to a Global Administrator account.
The APIs
The uxSetting resource represents settings related to accessing the Microsoft Entra admin center. In JSON it is represented like so:
{
  "@odata.type": "#microsoft.graph.uxSetting",
  "id": "String (identifier)",
  "restrictNonAdminAccess": "String"
}
The value of restrictNonAdminAccess can be either True or False. If the value is set to True, non-administrators will not be able to browse the Microsoft Entra admin center. If the value is set to False (which is the default value), they will be able to browse the Microsoft Entra admin center.
The HTTP request endpoint for the setting is /beta/admin/entra/uxSetting. It supports GET and PATCH requests, to view or modify the value.
Full details on this resource type can be seen at uxSetting resource type.
View the non-admin restriction settings
To view the uxSetting value with PowerShell, first connect to Microsoft Graph, then use the following command:
Invoke-MgGraphRequest -URI "/beta/admin/entra/uxSetting"
The command sends a GET request to Microsoft Graph and returns whether non-admin users are allowed to access the Microsoft Entra admin portal or are restricted from it. If the value is True, non-admin users will not be able to access the portal; if it is False, they can access the portal. Your response will look like the following:
Restrict non-admin access to the Microsoft Entra admin center
To modify the setting to either True or False, use the below example to send a PATCH request to Microsoft Graph:
$body = @{
    restrictNonAdminAccess = "true"
}
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/admin/entra/uxSetting" `
    -Body $body `
    -Method PATCH
If the command is successful, you will not receive any output in your PowerShell session; Microsoft Graph returns a 204 No Content response. To verify that the command completed successfully, add the -Debug parameter to your command and check that this response code has been returned.
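The following is an added example, not code from the original post, that combines the GET and PATCH calls above into one set-and-verify step: it captures the status code with -StatusCodeVariable instead of -Debug and reads the value back afterwards. Set-PortalRestriction is a hypothetical helper name, and the script assumes Connect-MgGraph has already been run with an account permitted to change this setting.

```powershell
# Added example: idempotent set-and-verify for the uxSetting resource.
# Assumption: Connect-MgGraph has already been run with sufficient permissions.
# Set-PortalRestriction is a hypothetical helper name, not a Graph SDK cmdlet.
function Set-PortalRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [bool]$Restrict
    )

    $uri     = '/beta/admin/entra/uxSetting'
    $desired = $Restrict.ToString().ToLower()   # "true" or "false", as in the post

    # Read the current value first so an unchanged setting is not rewritten.
    $current = (Invoke-MgGraphRequest -Method GET -Uri $uri).restrictNonAdminAccess
    if ("$current".ToLower() -eq $desired) {
        Write-Verbose "restrictNonAdminAccess is already '$current'."
        return $current
    }

    if ($PSCmdlet.ShouldProcess($uri, "Set restrictNonAdminAccess to $desired")) {
        # Capture the HTTP status code rather than reading it from -Debug output.
        Invoke-MgGraphRequest -Method PATCH -Uri $uri `
            -Body @{ restrictNonAdminAccess = $desired } `
            -StatusCodeVariable status | Out-Null

        if ($status -ne 204) {
            throw "PATCH returned HTTP $status, expected 204 No Content."
        }

        # A 204 confirms the request was accepted; read the value back to
        # confirm the stored setting actually changed.
        $after = (Invoke-MgGraphRequest -Method GET -Uri $uri).restrictNonAdminAccess
        if ("$after".ToLower() -ne $desired) {
            throw "Setting reads back as '$after' after PATCH; expected '$desired'."
        }
        return $after
    }
}

# Restrict non-admin access and confirm the change; add -WhatIf for a dry run.
Set-PortalRestriction -Restrict $true -Verbose
```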
Does this setting affect a non-admin's capability to access their email quarantine? Other blocking methods do, would this?
I’m not sure! Would be good to test, though.
I will also say that I have done this in my environment and the status never changes. It always returns FALSE, even though I get the confirmation you speak of.
So yeah it looks like you can change from True > False, but not the other way round weirdly enough. It is early days for the API!
Ok, I think:
restrictNonAdminAccess = "true"
should be:
restrictNonAdminAccess = $true
That seems to work for me.