How to restrict access to Microsoft Entra administration portal for nonadministrators via Graph API

Entra Admin Center

The Microsoft Entra admin center lets you control whether nonadministrators can access the admin center.

To restrict users from accessing the Microsoft Entra admin center:

  • Sign in to the Microsoft 365 admin center as a Global Administrator
  • Go to Identity → Users → User settings
  • Set the switch Restrict access to Microsoft Entra admin center to Yes
  • Save the changes

Use this option to prevent users from misconfiguring the resources that they own.

Restrict access to Entra Admin Center programmatically

Recently, the Microsoft Graph API added support for managing access to the Microsoft Entra admin center.

The endpoints that read and update who can access the Entra admin center support only delegated scenarios with work or school accounts. The signed-in user must be assigned the Global Administrator or Global Reader Entra role.

No specific delegated permissions are required to call these endpoints.

To read the settings, just call the following endpoint as the Global Administrator:

GET /beta/admin/entra/uxSetting

The response contains the property restrictNonAdminAccess. The value false means that nonadministrators can access the admin center; the value true means that only global administrators can access it.

To update the settings, call the following endpoint as the Global Administrator:

PATCH /beta/admin/entra/uxSetting

{
  "restrictNonAdminAccess": true
}

The request body must contain the property restrictNonAdminAccess with the desired value.
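The read-then-update flow above, as an added example that is not part of the original post: a small Python client that issues the GET and PATCH calls against /beta/admin/entra/uxSetting, plus an ensure_restricted helper that only patches when the setting drifts from the desired value and re-reads the setting afterwards to confirm the change took effect (it deliberately does not rely on the PATCH response body). The HTTP layer is pluggable: urllib_transport is the real one and needs a delegated access token (the bearer token, the constructed token string and the FakeGraph stand-in are all assumptions for the example); FakeGraph keeps one tenant's setting in memory so the whole block runs offline.

```python
"""Read and enforce the Entra admin center restriction through Microsoft Graph.

Added example, not code from the original post. The Graph endpoint and the
restrictNonAdminAccess property are the ones the post describes; the token
handling, the transport abstraction and the fake endpoint are assumptions.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"
UX_SETTING_PATH = "/admin/entra/uxSetting"

# A transport takes (method, url, headers, body) and returns the parsed JSON body.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Dict[str, Any]:
    """Real transport: sends the request to Graph and parses the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


class FakeGraph:
    """Constructed stand-in for the Graph endpoint: one tenant setting in memory.

    It checks the same things a real call would depend on (path, bearer token)
    and records every call so the sequence can be inspected.
    """

    def __init__(self, restrict: bool) -> None:
        self.restrict = restrict
        self.calls = []  # list of (method, url)

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[bytes]) -> Dict[str, Any]:
        self.calls.append((method, url))
        if not url.endswith(UX_SETTING_PATH):
            raise ValueError(f"unexpected path: {url}")
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("missing bearer token")
        if method == "GET":
            return {"@odata.context": f"{GRAPH_BETA}/$metadata#admin/entra/uxSetting",
                    "restrictNonAdminAccess": self.restrict}
        if method == "PATCH":
            self.restrict = bool(json.loads(body or b"{}")["restrictNonAdminAccess"])
            return {}
        raise ValueError(f"unsupported method: {method}")


class UxSettingClient:
    """Thin wrapper around the two calls the post documents."""

    def __init__(self, access_token: str, transport: Transport) -> None:
        self._token = access_token  # delegated token for a Global Admin / Global Reader
        self._transport = transport

    def _headers(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self._token}",
                "Content-Type": "application/json"}

    def get_restrict_non_admin_access(self) -> bool:
        """GET /beta/admin/entra/uxSetting -> current value of the switch."""
        body = self._transport("GET", GRAPH_BETA + UX_SETTING_PATH, self._headers(), None)
        return bool(body["restrictNonAdminAccess"])

    def set_restrict_non_admin_access(self, value: bool) -> None:
        """PATCH /beta/admin/entra/uxSetting with the desired value."""
        payload = json.dumps({"restrictNonAdminAccess": value}).encode()
        self._transport("PATCH", GRAPH_BETA + UX_SETTING_PATH, self._headers(), payload)


def ensure_restricted(client: UxSettingClient, desired: bool = True) -> Tuple[bool, bool, bool]:
    """Return (before, after, changed). Patches only on drift and verifies by re-reading."""
    before = client.get_restrict_non_admin_access()
    if before == desired:
        return before, before, False
    client.set_restrict_non_admin_access(desired)
    after = client.get_restrict_non_admin_access()  # read-after-write check
    if after != desired:
        raise RuntimeError("restrictNonAdminAccess did not change after PATCH")
    return before, after, True


if __name__ == "__main__":
    # Against a real tenant, put a delegated Graph token in GRAPH_TOKEN (assumed variable name).
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print(ensure_restricted(UxSettingClient(token, urllib_transport)))
    else:
        fake = FakeGraph(restrict=False)  # constructed tenant that currently allows nonadmins
        print(ensure_restricted(UxSettingClient("constructed-token", fake)))
```

Running it without GRAPH_TOKEN exercises the offline fake: the first ensure_restricted call sees false, patches, re-reads true and reports a change; a second call reports the tenant already compliant and sends no PATCH. The same ensure_restricted call is what you would schedule as a drift check, since a Global Reader token is enough for the GET and the PATCH is only issued when the setting has been flipped back.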

Now, if you try to access the Microsoft Entra admin center with a nonadministrator account, you receive an error message.

Conclusion

You can use the Microsoft Graph API to restrict access to the Microsoft Entra admin center for nonadministrators. Nonadministrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources.

Be aware that this is not a security measure.
