Ensure 'Microsoft Azure Management' is limited to administrative roles


The Microsoft Azure Management application governs various Azure services and can be secured through the implementation of a Conditional Access policy. This policy can restrict specific user accounts from accessing the related portals and applications.

When a Conditional Access policy targets the Microsoft Azure Management application in the Conditional Access app picker, the policy is enforced for tokens issued to the application IDs of a set of services closely bound to the portal:

Azure Resource Manager

Azure portal, which also covers the Microsoft Entra admin center

Azure Data Lake

Application Insights API

Log Analytics API

Microsoft Azure Management should be restricted to specific pre-determined administrative roles.

NOTE: Blocking Microsoft Azure Management will prevent non-privileged users from signing into most portals other than Microsoft 365 Defender and Microsoft Purview.


Blocking sign-in to Azure Management applications and portals enhances security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities, as well as acting as a defense in depth measure against security breaches.


PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to check out a role in the Entra ID PIM area, they will receive the message 'You don't have access to this Your sign-in was successful but you don't have permission to access this resource.'

Because the policy is applied to the Azure management portal and API, services or clients with an Azure API service dependency can be indirectly impacted:

Classic deployment model APIs

Azure PowerShell

Azure CLI

Azure DevOps

Azure Data Factory portal

Azure Event Hubs

Azure Service Bus

Azure SQL Database

SQL Managed Instance

Azure Synapse

Visual Studio subscriptions administrator portal

Microsoft IoT Central

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To enable Microsoft Azure Management restrictions:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Click to expand Protection > Conditional Access, then select Policies.

Click New Policy and then name the policy.

Select Users > Include > All Users

Select Users > Exclude > Directory roles and select only administrative roles. See audit section for more information.

Select Cloud apps or actions > Select apps > Select then click the box next to Microsoft Azure Management.

Click Select.

Select Grant > Block access and click Select.

Ensure Enable Policy is On then click Create.

WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.
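
The following is an added example, not part of the benchmark or of any vendor tooling: a check that compares a Conditional Access policy, in the JSON shape Microsoft Graph uses for conditionalAccessPolicy objects, against the steps above. The function name audit_policy and both sample policies are constructed for illustration; the two GUIDs are the Microsoft Azure Management application ID and the Global Administrator role template ID.

```python
# Application ID that Graph uses for the "Microsoft Azure Management" cloud app.
AZURE_MGMT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
# Role template ID of Global Administrator (must be excluded to avoid lockout).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def audit_policy(policy):
    """Hypothetical helper: return findings; an empty list means the policy matches the steps."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}

    if "All" not in (users.get("includeUsers") or []):
        findings.append("Users > Include is not set to All users")
    if GLOBAL_ADMIN_ROLE_ID not in (users.get("excludeRoles") or []):
        findings.append("Global Administrator is not excluded (lockout risk)")
    if AZURE_MGMT_APP_ID not in (apps.get("includeApplications") or []):
        findings.append("Microsoft Azure Management is not a targeted app")
    if (grant.get("builtInControls") or []) != ["block"]:
        findings.append("Grant control is not Block access")
    if policy.get("state") != "enabled":
        # Report-only shows up as 'enabledForReportingButNotEnforced'.
        findings.append("Policy state is %r, not enforced" % policy.get("state"))
    return findings


# Constructed sample: a policy built exactly as the steps describe.
COMPLIANT = {
    "displayName": "Block Azure Management for non-admins",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeRoles": [GLOBAL_ADMIN_ROLE_ID]},
        "applications": {"includeApplications": [AZURE_MGMT_APP_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sample: still in report-only mode and with no role exclusions.
REPORT_ONLY = dict(COMPLIANT, state="enabledForReportingButNotEnforced")
REPORT_ONLY["conditions"] = {
    "users": {"includeUsers": ["All"], "excludeRoles": []},
    "applications": {"includeApplications": [AZURE_MGMT_APP_ID]},
}

if __name__ == "__main__":
    for p in (COMPLIANT, REPORT_ONLY):
        print(p["state"], audit_policy(p) or "OK")
```

A policy that passes here still needs its excluded roles reviewed by hand, since the check only confirms that Global Administrator is among them.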

Default Value:

No - Non-administrators can access the Azure AD administration portal.

Item Details


References: 800-53|AC-6

Plugin: microsoft_azure

Control ID: 66ee016a669463ed48d9620ea20a61443756a3c99a1a44916557d4a4340dcf1f