Securing Microsoft 365 Admin Portals with Conditional Access Policies
Conditional Access requires a Microsoft Entra ID P1 license, which is included in Microsoft 365 E3 as well as E5. Organizations without an E5 license can therefore still use Conditional Access to restrict sign-in to the Microsoft 365 admin portals to a pre-determined set of administrative roles, reducing the exposure of the tenant's configuration and sensitive data to ordinary users.
Overview
When a Conditional Access policy targets the Microsoft Admin Portals cloud app, it is enforced for tokens issued to application IDs of the following Microsoft administrative portals:
- Azure portal
- Exchange admin center
- Microsoft 365 admin center
- Microsoft 365 Defender portal
- Microsoft Entra admin center
- Microsoft Intune admin center
- Microsoft Purview compliance portal
- Power Platform admin center
- SharePoint admin center
- Microsoft Teams admin center
By default, any user can sign in to these portals; what they can see is limited only by their role assignments. Blocking sign-in to Microsoft Admin Portals for non-privileged users removes that browsing surface entirely, which limits the impact of administrative errors and of portal-side vulnerabilities and acts as a defense-in-depth measure against compromised user accounts. Note that the policy applies to tokens issued to the web portals listed above; command-line and API access (Azure PowerShell, Azure CLI, Microsoft Graph PowerShell) requests tokens for other resources and is not blocked by this policy, so it needs to be covered separately.
Impact
Implementing this policy affects Privileged Identity Management (PIM): a user who is only eligible for a role does not hold that role until it is activated, so when they open the Microsoft Entra admin center to activate it they are still a non-privileged user and are blocked. Unless PIM-eligible users are placed in a permanent group that is excluded from the policy (or hold a permanent role that is excluded), they will receive the message "You don't have access to this resource" when trying to activate a role in the Entra ID PIM area.
Auditing Conditional Access Policies
To audit Conditional Access policies using the UI:
- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com.
- Expand Protection > Conditional Access and select Policies.
- Inspect and identify existing policies for the following parameters:
- Users set to Include: All Users
- Users > Exclude > Users and groups: verify that only the group of PIM-eligible users (and any emergency access accounts) is listed, and review any Guest or external users exclusion.
- Users > Exclude > Directory roles: verify that only administrative roles are listed.
- Target resources Cloud apps Includes Select apps: Microsoft Admin Portals
- Grant: Block Access
- Enable policy: On
- If any of these conditions are not met, the audit fails.
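The following PowerShell script is an added example, not code from the original article, that performs the same audit against the tenant with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module (v2) is installed and that the signed-in account can consent to the Policy.Read.All, Directory.Read.All and Group.Read.All scopes. The check names and thresholds mirror the list above; which group is the PIM-eligible group cannot be determined programmatically, so excluded roles, groups and users are printed for a reviewer to confirm.

```powershell
# Added example: audit Conditional Access for a compliant "block Microsoft Admin Portals" policy.
# Not code from the original article. Assumes the Microsoft.Graph PowerShell SDK (v2) is installed.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'Group.Read.All' -NoWelcome

# excludeRoles in a policy holds role template IDs, not names; build a lookup so the report is readable.
$roleName = @{}
Get-MgDirectoryRoleTemplate -All | ForEach-Object { $roleName[$_.Id] = $_.DisplayName }
$globalAdminId = ($roleName.GetEnumerator() | Where-Object Value -eq 'Global Administrator').Key

# Candidate policies: target the Microsoft Admin Portals app and grant "block".
$candidates = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.Conditions.Applications.IncludeApplications -contains 'MicrosoftAdminPortals' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $candidates) {
    Write-Warning 'AUDIT FAIL: no Conditional Access policy blocks Microsoft Admin Portals'
    return
}

foreach ($p in $candidates) {
    $users = $p.Conditions.Users
    # Measure-Object counts $null as 0, unlike @($null).Count, which is 1.
    $excludedUserCount  = ($users.ExcludeUsers  | Measure-Object).Count
    $excludedGroupCount = ($users.ExcludeGroups | Measure-Object).Count

    $checks = [ordered]@{
        'Include: All users'            = ($users.IncludeUsers -contains 'All')
        'Policy state: On'              = ($p.State -eq 'enabled')
        'Global Administrator excluded' = ($users.ExcludeRoles -contains $globalAdminId)
        'At most one group excluded'    = ($excludedGroupCount -le 1)   # the PIM-eligible group
        'No individual users excluded'  = ($excludedUserCount -eq 0)    # emergency access accounts are the accepted exception
    }
    $pass = -not ($checks.Values -contains $false)
    Write-Host ('{0}: {1}' -f $p.DisplayName, $(if ($pass) { 'PASS' } else { 'FAIL (review below)' }))
    foreach ($c in $checks.GetEnumerator()) {
        Write-Host ('  [{0}] {1}' -f $(if ($c.Value) { 'x' } else { ' ' }), $c.Key)
    }

    # Print what is excluded so a reviewer can confirm only admin roles and the PIM-eligible group are listed.
    $excludedRoles  = foreach ($id in $users.ExcludeRoles)  { if ($roleName[$id]) { $roleName[$id] } else { $id } }
    $excludedGroups = foreach ($id in $users.ExcludeGroups) { (Get-MgGroup -GroupId $id).DisplayName }
    Write-Host "  Excluded roles        : $($excludedRoles -join ', ')"
    Write-Host "  Excluded groups       : $($excludedGroups -join ', ')"
    Write-Host "  Excluded users        : $($users.ExcludeUsers -join ', ')"
    Write-Host "  Excluded guest types  : $($users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes)"
}
```

A policy in report-only state (`enabledForReportingButNotEnforced`) fails the "Policy state: On" check by design, since report-only does not block anything; treat that as a reminder to finish testing and switch the policy on.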
Directory Roles and Exclusions
In Directory roles > Exclude, at a minimum the Global Administrator role should be selected so that IT is not locked out; Microsoft also recommends excluding the tenant's emergency access (break-glass) accounts from every Conditional Access policy. Organizations should pre-determine the roles in the exclusion list, balancing day-to-day operations against the principle of least privilege. As the organization grows, the number of roles in use will increase, and the list should be reviewed accordingly.
An example starting list of Administrator roles can be found below:
- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator
Remediation
To create and apply a new Conditional Access policy:
- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com.
- Expand Protection > Conditional Access and select Policies.
- Click New Policy and name the policy.
- Select Users > Include > All Users.
- Select Users > Exclude > Directory roles and select only the pre-determined administrative roles; then under Users > Exclude > Users and groups, select the group of PIM-eligible users (and any emergency access accounts).
- Select Target resources > Cloud apps > Select apps and then select Microsoft Admin Portals on the right.
- Confirm by clicking Select.
- Select Grant > Block access and click Select.
- Ensure Enable Policy is On or Report-only, then click Create.
Warning: Exclude Global Administrator (and your emergency access accounts) at a minimum to avoid being locked out. Report-only is a good option when testing any Conditional Access policy for the first time: the sign-in logs show who would have been blocked without anyone actually being blocked.
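The same policy can be created with the Microsoft Graph PowerShell SDK, which makes the exclusion list reviewable and repeatable across tenants. The script below is an added example, not code from the original article. It assumes the Microsoft.Graph module (v2) is installed, that a group named CA-Exclude-PIM-Eligible-Admins and an emergency access account breakglass@contoso.onmicrosoft.com already exist (both names are placeholders for this example), and that the signed-in account can consent to the listed scopes. Role names are resolved to role template IDs at run time rather than hard-coded, and the script fails closed if any name does not resolve. The policy is created in report-only state so it can be evaluated before enforcement.

```powershell
# Added example: create the "block Microsoft Admin Portals for non-admins" policy in report-only mode.
# Not code from the original article. Assumes the Microsoft.Graph PowerShell SDK (v2) is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Directory.Read.All', 'Group.Read.All', 'User.Read.All' -NoWelcome

# Pre-determined roles allowed into the admin portals (the starting list from the article).
$excludedRoleNames = @(
    'Global Administrator', 'Global Reader', 'Privileged Role Administrator',
    'Privileged Authentication Administrator', 'Authentication Administrator',
    'Conditional Access Administrator', 'Security Administrator',
    'Application Administrator', 'Cloud Application Administrator',
    'Exchange Administrator', 'SharePoint Administrator', 'User Administrator',
    'Helpdesk Administrator', 'Password Administrator', 'Billing Administrator'
)

# excludeRoles takes role template IDs; resolve each name and fail closed on any miss.
$templates = Get-MgDirectoryRoleTemplate -All
[string[]]$excludedRoleIds = @(foreach ($name in $excludedRoleNames) {
    $t = $templates | Where-Object DisplayName -eq $name
    if (-not $t) { throw "Role template '$name' not found; refusing to create policy" }
    $t.Id
})
$globalAdminId = ($templates | Where-Object DisplayName -eq 'Global Administrator').Id
if ($excludedRoleIds -notcontains $globalAdminId) { throw 'Global Administrator must be excluded' }

# Placeholder names (assumptions for this example): the PIM-eligible group and the break-glass account.
$pimGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-PIM-Eligible-Admins'"
if (-not $pimGroup) { throw 'PIM-eligible exclusion group not found' }
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw 'Emergency access account not found' }

$params = @{
    displayName = 'CA - Block Microsoft Admin Portals for non-admins'
    # Report-only first; switch to 'enabled' once the sign-in logs confirm only expected users are caught.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('MicrosoftAdminPortals') }
        users          = @{
            includeUsers  = @('All')
            excludeUsers  = @($breakGlass.Id)
            excludeGroups = @($pimGroup.Id)
            excludeRoles  = $excludedRoleIds
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Host "Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

After a test period, review the sign-in logs for report-only results and then flip the state with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }`; until then the policy blocks nobody.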
Conclusion
Implementing Conditional Access policies to lock down access to Microsoft 365 Admin Portals is a critical security measure for organizations without a Microsoft 365 E5 license. By restricting access to specific pre-determined administrative roles, you can significantly enhance the security of your sensitive data and mitigate potential risks. Always ensure proper auditing and remediation steps are followed to maintain the effectiveness and security of these policies.