Detections
Analytics

5.2.2.8 (L2) Ensure admin center access is limited to administrative roles

Information

When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:

 - Azure portal
 - Exchange admin center
 - Microsoft 365 admin center
 - Microsoft 365 Defender portal
 - Microsoft Entra admin center
 - Microsoft Intune admin center
 - Microsoft Purview compliance portal
 - Power Platform admin center
 - SharePoint admin center
 - Microsoft Teams admin center

Microsoft Admin Portals should be restricted to specific pre-determined administrative roles.

Conditional Access (CA) policies are not enforced for other role types, including administrative unit-scoped or custom roles. By restricting access to built-in directory roles, users granted privileged permissions outside of these roles will be blocked from accessing admin centers.

For example, the Organization Management admin role in Exchange Online has equivalent permissions to the built-in directory role Exchange Administrator A user assigned only the Organization Management role would not be subject to CA policies targeting the Exchange Administrator role, or any and all Directory Roles. This could also allow a user with high privileges to be excluded from access reviews and other technical or management controls.

Restricting access to Microsoft Admin Portals while impactful, covers a gap that is otherwise not bridged by Conditional Access.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

 - Navigate to the Microsoft Entra admin center

https://entra.microsoft.com

.
 - Click expand Protection > Conditional Access select Policies
 - Click New Policy
 - Under Users include All Users
 - Under Users select Exclude and check Directory roles and select only administrative roles and a group of PIM eligible users.
 - Under Target resources select Cloud apps and Select apps then select the Microsoft Admin Portals app.
 - Confirm by clicking Select
 - Under Grant select Block access and click Select

 - Under Enable policy set it to Report Only until the organization is ready to enable it.
 - Click Create

Warning: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

Note: In order for PIM to function a group of users eligible for PIM roles must be excluded from the policy.

Impact:

PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to checkout a role in the Entra ID PIM area they will receive the message "You don't have access to this Your sign-in was successful but you don't have permission to access this resource."

 - Users included in the policy will be unable to manually installs applications when clicking on Install Microsoft 365 apps
 - Users included in the policy will be unable to access the Quarantine in the Defender admin center at

https://security.microsoft.com/quarantine

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: microsoft_azure

Control ID: 514454ddec56fe8bf4ba9ceeb1d74b6dbdee097f61f5a80312495fd22f5aa357