5.1.2.4 Ensure 'Restrict access to the Azure AD administration portal' is set to 'Yes'

Information

Restrict non-privileged users from signing into the Microsoft Entra admin center.

Note: This recommendation only affects access to the web portal. It does not prevent privileged users from using other methods such as the REST API or PowerShell to obtain information. Those channels are addressed elsewhere in this document.

Rationale:

The Microsoft Entra admin center contains sensitive data and permission settings, which are still enforced based on the user's role. However, an end user may inadvertently change properties or account settings that could result in increased administrative overhead. Additionally, a compromised end user account could be used by a malicious attacker as a means to gather additional information and escalate an attack.

Note: Users will still be able to sign in to the Microsoft Entra admin center but will be unable to see directory information.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/

Click to expand Identity > Users > User settings.

Set Restrict access to Microsoft Entra admin center to Yes then Save.

Default Value:

No - Non-administrators can access the Microsoft Entra admin center.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: microsoft_azure

Control ID: 2afdcf6eeaa58880bcee8490291fc1cb00bb8fef461612cd741a3a6b2973fdb0