What rights can a normal user have in Microsoft Entra Admin Center? “As little as possible, as much as necessary” should be the motto, as in all other areas of IT administration. However, the default settings of the Microsoft Entra Admin Center do not adhere to this requirement. Whatever the case, after all, they basically have to work for all users and do not know the individual framework conditions of the company and organization. In this article we show to what extent the default settings of the Admin Center make life unnecessarily easy for intruders how you can optimize them with one click.
If you would like to first find out more about Microsoft Entra, you can find all the basics in our basics article What is Microsoft Entra (formerly Azure) with lots of clear screenshots. You can find further articles on attacks and protection options here:
The Admin Center is a central platform where users can efficiently manage their cloud resources and services in the Microsoft Entra cloud. The dashboard allows users to easily create, configure, monitor, and manage their Azure resources.
By default, the permissions for users in Microsoft Entra are set according to a uniform scheme. Below we list some examples of what information a normal user can access with default settings in various areas.
In the “Users” area, each user can view the list of all users by default:
All users also have read access to all public user and contact properties by default:
Groups and their properties can also be viewed by everyone:
The list of all registered apps can be viewed by all users:
In addition, all users can view information about the organization:
With the default settings, every user can invite external guests:
By default, every user can register new apps:
Restricting the Azure AD management portal for normal users can be activated via the “User Settings”:
What does the “Restrict access to Azure AD management portal” slider do?
Selection “No”: Normal access to the management portal (set by default)
Selection "Yes": Prevents non-administrators from browsing the administration portal. This prevents non-administrators who act as group or application owners from using the Admin Center to manage their own resources.
Once a global administrator sets the slider to Yes, regular users will no longer be able to access the relevant information through the management portal.
DISCLAIMER:
Using the “Restrict access to Azure AD management portal” option poses challenges in itself NONE It is simply a way to minimize damage in the event of an attack or careless use.
Access to Azure AD data via PowerShell, the Microsoft Graph API, or other clients such as Visual Studio is not restricted. As long as individual users are assigned a custom role (or any role), their access is not restricted.
If you are the Default settings left unchanged in the Entra Admin Center, all basic users have it numerous rights: You have read access to users, groups, applications, and organizations, register new applications, and invite external guests. This is usually the case not necessary makes life unnecessarily easy for uninvited intruders. You should therefore restrict these rights as a global admin, unless there is something against it in your specific use case. You can do this in the user settings using the “Restrict access to management portal".
