Microsoft Entra Admin Center: How to set it up safely

What rights should a normal user have in the Microsoft Entra Admin Center? As everywhere in IT administration, the motto should be "as little as possible, as much as necessary". The default settings of the Microsoft Entra Admin Center do not follow this principle, which is understandable: they have to work for every tenant and cannot know the individual circumstances of your company or organization. In this article we show to what extent the default settings make life unnecessarily easy for intruders, and how you can tighten them with a single click.

If you would like to learn the basics of Microsoft Entra first, see our introductory article What is Microsoft Entra ID (formerly Azure AD), which walks through the service with plenty of annotated screenshots. We also have further articles on attacks against Entra ID and the corresponding protection options.


What is the Microsoft Entra Admin Center?

The Microsoft Entra Admin Center (entra.microsoft.com) is the central web portal for administering a Microsoft Entra tenant. Administrators use it to create, configure, monitor and manage the identity objects of the tenant: users, groups, devices, application registrations and enterprise applications, directory roles and Conditional Access policies. The same objects are also exposed in the Azure portal under Microsoft Entra ID and, programmatically, through PowerShell and the Microsoft Graph API.

The Microsoft Entra Admin Center – this allows users to manage resources and services in the Entra cloud.

Security risk: the default settings. What users are allowed to do in the Entra Admin Center by default

By default, the permissions of users in Microsoft Entra ID follow a uniform, tenant-wide scheme that applies to every member user regardless of department or job role. Below we list examples of what a normal user can see and do in various areas with the default settings.

Read access: users, groups, applications and organization

In the “Users” area, each user can view the list of all users by default:

User list in the Entra Admin Center – by default, normal users can view the list of all users.

All users also have read access to all public properties of users and contacts by default, for example display name, e-mail address, job title, department, manager and phone numbers. For an attacker with a single compromised account this is ready-made reconnaissance material for phishing and privilege escalation:

Public properties of users and contacts are visible to all users in the Entra Admin Center by default.

Groups, their properties and their memberships can also be viewed by everyone, which reveals who holds which role in the organization:

By default, users have read access to groups and their properties in the Entra Admin Center.

The list of all application registrations in the tenant, including their display names, application IDs and redirect URIs, can be viewed by all users:

The default settings allow all users to view all registered apps in the Entra Admin Center.

In addition, all users can view information about the organization, such as the tenant name, the verified domains and the technical contacts:

By default, all users can view information about the organization in the Entra Admin Center.

Invite guests

With the default settings ("Anyone in the organization can invite guest users, including guests and non-admins"), every user can invite external guests into the tenant:

Invite external users – every user in the Entra Admin Center can do this in the standard settings.

Register new applications in the Microsoft Entra Admin Center

By default ("Users can register applications" = Yes), every user can register new applications, i.e. create app registrations with their own credentials and redirect URIs:

Register new applications – possible by default for every user in Entra.

Solution: restrict the Entra administration portal

Restricting the management portal for normal users is enabled under Identity > Users > User settings in the Entra Admin Center (in the Azure portal: Microsoft Entra ID > User settings):

“Restrict access to Azure AD/Entra management portal” – with this control in the user settings you limit the rights of normal users in the Entra Admin Center

What does the “Restrict access to Azure AD management portal” slider do?

Selection "No": normal access to the management portal (the default).

Selection "Yes": Prevents non-administrators from browsing the administration portal. This prevents non-administrators who act as group or application owners from using the Admin Center to manage their own resources.

Once a Global Administrator sets the switch to Yes, regular users can no longer browse the directory data listed above through the management portal and receive an error instead.

Error message when access restrictions are turned on for normal users when they try to perform certain actions.

DISCLAIMER:

Enabling "Restrict access to Azure AD management portal" is NOT a security boundary in itself. It only hides the portal and thereby limits the damage that careless use or a compromised account can do through the user interface.

Access to the same directory data via PowerShell, the Microsoft Graph API or other clients such as Visual Studio or the Azure CLI is not restricted by this switch at all. Users who hold any directory role, including custom roles, are not affected by the restriction either and keep full portal access. Anyone who wants to actually remove the rights listed above has to change the underlying default user permissions, not just the portal switch.
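As an added example (not part of the original article) that illustrates both the default permissions shown in the screenshots and the disclaimer above, the following PowerShell script reads the tenant-wide default user permissions with the Microsoft Graph PowerShell SDK and then tightens the two rights the article singles out: registering applications and inviting guests. It works against the authorizationPolicy resource of Microsoft Graph, which is where "Users can register applications" and the guest invitation setting are stored. The portal-restriction switch itself is set in the UI as shown above and is not touched here. The target values are assumptions for a typical tenant; adapt them if, for example, your developers legitimately need to register apps.

```powershell
# Added example, not code from the original article.
# Requires the Microsoft.Graph.Identity.SignIns module and an account holding
# Global Administrator (or Privileged Role Administrator) in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome

# 1. Audit: read the defaults that produce the behaviour shown in the screenshots.
#    A normal user cannot do this in the portal once access is restricted, but
#    the same data is readable via Graph - which is the point of the disclaimer.
$policy = Get-MgPolicyAuthorizationPolicy
$perm   = $policy.DefaultUserRolePermissions

[PSCustomObject]@{
    UsersCanRegisterApps   = $perm.AllowedToCreateApps     # "Users can register applications"
    UsersCanReadOtherUsers = $perm.AllowedToReadOtherUsers # read access to users, groups, apps
    WhoCanInviteGuests     = $policy.AllowInvitesFrom      # "everyone" = anyone may invite guests
} | Format-List

# 2. Harden: only the two rights the article calls out. Assumed target values:
#    - app registration limited to administrators (set to No in the portal)
#    - guest invitations limited to admins and the Guest Inviter role
#    AllowedToReadOtherUsers is deliberately left unchanged: Microsoft does not
#    recommend disabling it, and doing so breaks people pickers in Teams,
#    Outlook and SharePoint.
$hardened = @{
    allowInvitesFrom           = "adminsAndGuestInviters"   # other values: none, adminsGuestInvitersAndAllMembers, everyone
    defaultUserRolePermissions = @{
        allowedToCreateApps = $false
    }
}
Update-MgPolicyAuthorizationPolicy -BodyParameter $hardened

# 3. Verify the change actually landed (a missing role assignment or scope
#    consent produces an error above, but checking the result is cheap).
$after = Get-MgPolicyAuthorizationPolicy
if ($after.DefaultUserRolePermissions.AllowedToCreateApps -or $after.AllowInvitesFrom -eq "everyone") {
    throw "Hardening did not apply - check role assignment and granted scopes."
}
"OK: app registration and guest invitations are now restricted to administrators."

Disconnect-MgGraph | Out-Null
```

Run the audit part first on its own and keep the output: it documents the state before the change and tells you whether your tenant still sits on the defaults. Because the change is made through Graph, it takes effect for the portal, PowerShell and API clients alike, which the portal-restriction switch alone does not achieve.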

Conclusion: One click for more control

If the default settings in the Entra Admin Center are left unchanged, every member user has numerous rights: read access to users, groups, applications and the organization, the ability to register new applications, and the ability to invite external guests. This is usually not necessary and makes life unnecessarily easy for uninvited intruders, because a single compromised account is enough to map the whole tenant. As a Global Administrator you should therefore restrict these rights, unless your specific use case requires them. The "Restrict access to Microsoft Entra admin center" switch in the user settings takes the portal out of the picture with one click. Because it does not affect PowerShell or the Microsoft Graph API, combine it with the separate settings that actually remove the rights: set "Users can register applications" to No on the same user settings page, and limit guest invitations to administrators in the external collaboration settings.
