5.2.2.8 Ensure admin center access is limited to administrative roles

Information

When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:

Azure portal

Exchange admin center

Microsoft 365 admin center

Microsoft 365 Defender portal

Microsoft Entra admin center

Microsoft Intune admin center

Microsoft Purview compliance portal

Power Platform admin center

SharePoint admin center

Microsoft Teams admin center

Microsoft Admin Portals should be restricted to specific pre-determined administrative roles.

Rationale:

By default, users can sign in to the various portals but are restricted in what they can view. Blocking sign-in to Microsoft Admin Portals enhances the security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities introduced by a CSP, as well as acting as a defense-in-depth measure against security breaches.

Impact:

PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to check out a role in the Entra ID PIM area they will receive the message 'You don't have access to this. Your sign-in was successful but you don't have permission to access this resource.'

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Expand Protection > Conditional Access and select Policies.

Click New Policy and then name the policy.

Select Users > Include > All Users.

Select Users > Exclude > Directory roles and select only administrative roles and a group of PIM eligible users.

Under Target resources, select Cloud apps > Select apps, then select Microsoft Admin Portals on the right.

Confirm by clicking Select.

Select Grant > Block access and click Select.

Ensure Enable Policy is On or Report-only then click Create.

Warning: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

Note: In order for PIM to function, a group of users eligible for PIM roles must be excluded from the policy.
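As an added worked example (not part of the CIS benchmark or the Nessus plugin), the following Microsoft Graph PowerShell script first audits the tenant for an existing Conditional Access policy that targets Microsoft Admin Portals with a block grant, reporting whether it excludes Global Administrator, and, if none exists, creates the policy described in the steps above in report-only mode. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can consent to the listed scopes, and that the placeholder $PimEligibleGroupId is replaced with the object ID of the group holding PIM-eligible users. The policy display name is an arbitrary choice.

```powershell
# Added example (not from the CIS benchmark or the Nessus plugin).
# Requires the Microsoft Graph PowerShell SDK, e.g.:
#   Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement
# Placeholder: object ID of the permanent group containing users eligible for PIM roles.
$PimEligibleGroupId = '00000000-0000-0000-0000-000000000000'   # <-- replace before running

# Cloud-app identifier Conditional Access uses for the Microsoft Admin Portals
# group of applications listed in the Information section above.
$AdminPortalsAppId = 'MicrosoftAdminPortals'

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','RoleManagement.Read.Directory' -NoWelcome

# Resolve the Global Administrator role template ID instead of hard-coding it.
$GlobalAdminRoleId = (Get-MgDirectoryRoleTemplate -All |
    Where-Object DisplayName -eq 'Global Administrator').Id

# --- Audit: is there already a policy that blocks the admin portals? ---
function Test-AdminPortalBlockPolicy {
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    $matching = $policies | Where-Object {
        $_.Conditions.Applications.IncludeApplications -contains $AdminPortalsAppId -and
        $_.GrantControls.BuiltInControls -contains 'block'
    }
    foreach ($p in $matching) {
        [pscustomobject]@{
            DisplayName         = $p.DisplayName
            State               = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
            # Lockout guard from the Warning above: Global Administrator must be excluded.
            ExcludesGlobalAdmin = ($p.Conditions.Users.ExcludeRoles -contains $GlobalAdminRoleId)
            ExcludedGroups      = ($p.Conditions.Users.ExcludeGroups -join ',')
        }
    }
}

$existing = Test-AdminPortalBlockPolicy
if ($existing) {
    Write-Host 'Existing policies targeting Microsoft Admin Portals with a block grant:'
    $existing | Format-Table -AutoSize
    return
}

# --- Remediate: create the policy in report-only mode for initial testing. ---
$params = @{
    displayName   = 'CIS 5.2.2.8 - Block admin portals for non-administrators'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = @{
        applications = @{ includeApplications = @($AdminPortalsAppId) }
        users        = @{
            includeUsers  = @('All')
            excludeRoles  = @($GlobalAdminRoleId)   # at a minimum; add other admin roles as required
            excludeGroups = @($PimEligibleGroupId)  # keeps PIM role activation working
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Host "Created policy '$($new.DisplayName)' (id $($new.Id)) in state $($new.State)."
```

Run the script from an account that is itself covered by the excluded Global Administrator role, review sign-in logs under the report-only state, and only then change the state to 'enabled'. Any policy reported with ExcludesGlobalAdmin set to False should be corrected before enforcement.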

Default Value:

No - Non-administrators can access the Microsoft admin portals.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: microsoft_azure

Control ID: ef7465123995ee8bc9e3dd5ed776c7d1255df6f11dc0e38cbf4fc4541abb0f93