5.1.2.4 Ensure 'Restrict access to the Azure AD administration portal' is set to 'Yes'

Information

Restrict non-privileged users from signing into the Azure Active Directory portal.

Note: This recommendation only affects access to the Azure AD web portal. It does not prevent users from using other methods, such as the REST API or PowerShell, to obtain directory information. Those channels are addressed elsewhere in this document.

Rationale:

The Azure AD administrative portal contains sensitive data and permission settings, which are still enforced based on the user's role. However, an end user may inadvertently change properties or account settings in ways that increase administrative overhead. Additionally, a compromised end user account could be used by an attacker to gather additional information and escalate an attack.

Note: Users will still be able to sign in to the Azure Active Directory admin center but will be unable to see directory information.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Ensure access to the Azure AD portal is restricted:

Navigate to the Microsoft Entra admin center: https://entra.microsoft.com/

Click to expand Identity > Users > User settings.

Set "Restrict access to Microsoft Entra ID administration portal" to "Yes", then click Save.

Default Value:

No - Non-administrators can access the Azure AD administration portal.

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: microsoft_azure

Control ID: e4d0c077b4c3fcfdb7ca06e785640188d18b7fc1e70dc5ba4bfc2a810fe8126a