Question regarding Microsoft Admin Portals app in Conditional Access

IMK 551 Reputation points
2024-11-04T16:35:28.9766667+00:00

If I block access to resource "Microsoft Admin Portals" app from other users than admin users, do I also block normal user or guest user access to Windows Azure Active Directory, so that normal users or guest user can register their 2FA to satisfy requirement for all users to have 2FA to access any resource?

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
7,523 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
447 questions
Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,953 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,664 questions
{count} votes

2 answers

Sort by: Most helpful
  1. David Broggy 5,991 Reputation points MVP
    2024-11-04T17:10:03.7366667+00:00

    Hi IMK,

    I don't see that it would be an issue, but it should be an easy thing to test.

    Another approach would be to use PIM and restrict all admin roles until they enable such rules in the PIM menu.

    Best regards.

    0 comments No comments

  2. Raja Pothuraju 10,115 Reputation points Microsoft Vendor
    2024-11-06T21:26:27.28+00:00

    Hello @IMK,

    Thank you for posting your query on Microsoft Q&A.

    Blocking access to the "Microsoft Admin Portals" app for non-admin users will not prevent normal or guest users from accessing Microsoft Entra ID for purposes like 2FA registration. Regular users and guests can still access Entra ID to register for two-factor authentication (2FA), satisfying the requirement for all users to have 2FA to access any resource.

    The "Microsoft Admin Portals" app is specifically for administrative access to manage Microsoft Entra and other services. Restricting access to this app for non-admin users will only block their access to the admin portals; it won’t affect their access to other services or resources they’re authorized to use.

    You can safely block non-admin users from accessing the "Microsoft Admin Portals" app without impacting their access to Microsoft Entra for 2FA registration.

    The Microsoft Admin Portals suite includes:

    • Azure portal
    • Exchange admin center
    • Microsoft 365 admin center
    • Microsoft 365 Defender portal
    • Microsoft Entra admin center
    • Microsoft Intune admin center
    • Microsoft Purview compliance portal
    • Microsoft Teams admin center

    For more details, refer to the documentation on: Conditional Access and Microsoft Admin Portals.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.