Control: 5.2.2.8 Ensure admin center access is limited to administrative roles
Description
When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:
- Azure portal
- Exchange admin center
- Microsoft 365 admin center
- Microsoft 365 Defender portal
- Microsoft Entra admin center
- Microsoft Intune admin center
- Microsoft Purview compliance portal
- Power Platform admin center
- SharePoint admin center
- Microsoft Teams admin center

Microsoft Admin Portals should be restricted to specific pre-determined administrative roles.
Conditional Access (CA) policies are not enforced for other role types, including administrative unit-scoped or custom roles. By restricting access to built-in directory roles, users granted privileged permissions outside of these roles will be blocked from accessing admin centers.
For example, the Organization Management admin role in Exchange Online has equivalent permissions to the built-in directory role Exchange Administrator. A user assigned only the Organization Management role would not be subject to CA policies targeting the Exchange Administrator role, or any and all Directory Roles. This could also allow a user with high privileges to be excluded from access reviews and other technical or management controls.
Restricting access to Microsoft Admin Portals, while impactful, covers a gap that is otherwise not bridged by Conditional Access.
Remediation
To remediate using the UI:
- Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
- Click expand Protection > Conditional Access, then select Policies.
- Click New Policy.
- Under Users, include All Users.
- Under Users, select Exclude, check Directory roles, and select only administrative roles and a group of PIM eligible users.
- Under Target resources, select Cloud apps and Select apps, then select the Microsoft Admin Portals app.
- Confirm by clicking Select.
- Under Grant, select Block access and click Select.
- Under Enable policy, set it to Report Only until the organization is ready to enable it.
- Click Create.
Warning: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.
Note: In order for PIM to function a group of users eligible for PIM roles must be excluded from the policy.
Default Value
No - Non-administrators can access the Microsoft admin portals.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v400_5_2_2_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v400_5_2_2_8 --share
SQL
This control uses a named query:
with users_having_admin_roles as (
  select
    array_agg(role_template_id) as rid
  from
    azuread_directory_role
  where
    display_name = 'Global Administrator'
),
policy_with_block as (
  select
    tenant_id
  from
    azuread_conditional_access_policy as p,
    users_having_admin_roles as a
  where
    p.built_in_controls ?& array['block']
    and (p.users -> 'excludeRoles')::jsonb ?| (a.rid)
    and (p.users -> 'includeUsers')::jsonb ?& array['All']
  group by
    tenant_id
),
tenant_list as (
  select
    distinct on (tenant_id) tenant_id,
    id,
    display_name,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when (select count(*) from policy_with_block where tenant_id = t.tenant_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count(*) from policy_with_block where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' limited to administrative roles.'
    else t.tenant_id || ' not limited to administrative roles.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t;
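The query above only checks that some policy blocks, includes All users and excludes the Global Administrator role; it does not confirm the policy targets the Microsoft Admin Portals app or that it is enforced rather than report-only. The following added example (not part of the Powerpipe mod) evaluates the same conditions plus those two gaps directly on Microsoft Graph conditionalAccessPolicy objects; it assumes the Graph JSON shape, the "MicrosoftAdminPortals" application identifier and the Global Administrator role template id shown, and builds its sample policy to match the remediation steps.

```python
# Added example, not part of the Powerpipe mod. Assumed: the Microsoft Graph
# conditionalAccessPolicy JSON shape, the "MicrosoftAdminPortals" app id and
# the Global Administrator role template id below.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
ADMIN_PORTALS_APP = "MicrosoftAdminPortals"


def policy_limits_admin_portals(policy: dict) -> tuple[bool, str]:
    """Return (compliant, reason) for one Graph conditionalAccessPolicy dict."""
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in controls:
        return False, "grant control is not 'block'"
    if ADMIN_PORTALS_APP not in apps.get("includeApplications", []):
        return False, "Microsoft Admin Portals app is not targeted"
    if "All" not in users.get("includeUsers", []):
        return False, "policy does not include all users"
    if GLOBAL_ADMIN_TEMPLATE_ID not in users.get("excludeRoles", []):
        return False, "Global Administrator is not excluded (lockout risk)"
    if policy.get("state") != "enabled":
        return False, "policy is %s, not enforced" % policy.get("state")
    return True, "blocks admin portals for non-administrators"


def tenant_status(policies: list[dict]) -> str:
    """Same ok/alarm verdict the control emits, over a tenant's policy list."""
    return "ok" if any(policy_limits_admin_portals(p)[0] for p in policies) else "alarm"


def sample_policy(state: str) -> dict:
    """Constructed sample in Graph shape: the policy the remediation steps build."""
    return {
        "displayName": "Block admin portals for non-admins",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeRoles": [GLOBAL_ADMIN_TEMPLATE_ID]},
            "applications": {"includeApplications": [ADMIN_PORTALS_APP]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    report_only = sample_policy("enabledForReportingButNotEnforced")
    enforced = sample_policy("enabled")
    print(policy_limits_admin_portals(report_only))
    print(tenant_status([report_only]), tenant_status([report_only, enforced]))
```

A policy left in Report Only, as the remediation suggests during testing, is reported as alarm here, which matches the intent of the control even though the SQL above would count it as ok.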