The Blown Light Bulb

Information worth sharing...


Restrict access to service management APIs and admin portals

Introduction

All members of a Microsoft Entra ID tenant are granted a set of default permissions. These permissions are determined by three key factors: the type of user, the roles assigned, and the objects owned. By default, Guest users have a more restricted set of permissions, while Members enjoy broader permissions. However, this default setup may not align with certain security requirements. To address this, default user permissions can be modified in the User Settings section of Microsoft Entra ID or in Users | User Settings within the Microsoft Entra admin center.

Depending on your organization’s needs, some of these permissions—such as the ability to read a significant portion of organizational data—may require adjustment. This is where the User Settings section can help, especially if you are using the Free tier and lack access to P1 or P2 features like Conditional Access policies. Detailed guidance on these options can be found in What are the default user permissions in Microsoft Entra ID?.

One specific option, Restrict access to Microsoft Entra administration portal, requires additional consideration. This setting is not a comprehensive security measure and should not be treated as such. Even after enabling this restriction, data access remains possible via other Azure Service Management APIs. Therefore, depending on your objectives, additional actions may be necessary. For organizations with access to Entra ID P1 or P2 tiers, Conditional Access policies provide a robust solution for managing access and enhancing security.

Create a Conditional Access policy from the portal

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Policies.
  3. Select New policy.
  4. Give your policy a name (e.g. Restrict Access to Windows Azure Service Management API).
  5. Under Assignments, select Users or workload identities.
  6. Under Include, select All users.
  7. Under Exclude, select Directory roles and select the roles you want to allow access to the management APIs. At minimum I would suggest Conditional Access Administrator and Global Administrator.
  8. Under Target resources > Resources (formerly cloud apps) > Include > Select resources, choose Windows Azure Service Management API, Microsoft Admin Portals, and select Select.
  9. Under Access controls, choose Block and select Select.
  10. Confirm your settings and set Enable policy to Report-only.
  11. Select Create to create your policy.

Create a Conditional Access policy using PowerShell

```powershell
# Import the Microsoft Graph module (the meta-module; the cmdlets used here live in
# Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement)
Import-Module Microsoft.Graph

# Connect to Microsoft Graph with the scopes needed to read role templates and write CA policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All", "Policy.Read.All"

# Define the Conditional Access policy name and the roles to exclude from it
$policyName    = "Restrict Access to Service Management API and Admin Portals"
$excludedRoles = @("Conditional Access Administrator", "Global Administrator")

# Resolve the role template IDs to exclude (excludeRoles takes role template IDs, not display names)
$roleTemplates = Get-MgDirectoryRoleTemplate
$roleIDs = @()
foreach ($role in $excludedRoles) {
    $roleObj = $roleTemplates | Where-Object { $_.DisplayName -eq $role }
    if ($roleObj) { $roleIDs += $roleObj.Id }
    else { Write-Warning "Role $role not found." }
}

# Build the Conditional Access policy body (report-only, matching the portal steps above)
$policyBody = @{
    displayName = $policyName
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeRoles = $roleIDs
        }
        applications = @{
            includeApplications = @(
                "797f4846-ba00-4fd7-ba43-dac1f8f63013", # App ID of Windows Azure Service Management API
                "MicrosoftAdminPortals"                 # Well-known identifier for Microsoft Admin Portals
            )
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
    sessionControls = $null
} | ConvertTo-Json -Depth 10

# Create the Conditional Access policy
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $policyBody -ContentType "application/json"
```

Key Considerations for Configuring Conditional Access Policies

When going through the process of configuring Conditional Access policies, keep the following key considerations in mind:

  1. Disable Security Defaults
    To use Conditional Access policies, you must disable Security defaults.
    Learn more about disabling Security defaults.

  2. Exclude Critical Roles
    Ensure you exclude, at a minimum, the Conditional Access Administrator and Global Administrator roles. This allows you to roll back any unintended impact.

  3. Break-Glass Accounts
    Consider any break-glass account you may have in your tenant that does not have the Conditional Access Administrator or Global Administrator roles assigned.

  4. Use Report-Only Mode
    Create Conditional Access policies in Report-only mode initially. This lets you evaluate their impact before enforcement.

  5. Impact of Blocking Windows Azure Service Management API
    Assess the potential impact of blocking access to the Windows Azure Service Management API.

  6. Impact of Blocking Microsoft Admin Portals
    Understand the implications of blocking access to Microsoft Admin Portals.

  7. Service Principal Behavior
    Remember that calls made by service principals will not be blocked by Conditional Access policies scoped to users.
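The following PowerShell is an added example (not from the original post) that works through items 3 and 4 above: it excludes break-glass accounts that hold none of the excluded roles, reads the report-only results from the sign-in logs to see who the policy would have blocked, and only then offers the switch to enforcement. It assumes the policy created by the script earlier on the page; the break-glass UPN is a placeholder.

```powershell
# Added example, not part of the original post: review what a report-only policy
# would have blocked, and add break-glass accounts as explicit exclusions.
# Assumes the policy created by the script above; the break-glass UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All", "User.Read.All"

$policyName = "Restrict Access to Service Management API and Admin Portals"
$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?`$filter=displayName eq '$policyName'"
$policy = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
if (-not $policy) { throw "Policy '$policyName' not found." }

# 1. Break-glass accounts usually hold no admin role, so a role exclusion does not cover them.
#    Exclude them by object ID; resend the whole users block so the existing settings are kept.
$breakGlassUpns = @("breakglass@contoso.onmicrosoft.com")   # placeholder, replace with your own
$users = $policy.conditions.users
$users.excludeUsers = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn).Id })
$patch = @{ conditions = @{ users = $users } } | ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($policy.id)" -Body $patch -ContentType "application/json"

# 2. Report-only evaluation: sign-ins from the last 7 days that this policy would have blocked.
#    A result of reportOnlyFailure means the policy matched and its Block control would have applied.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $since&`$top=500"
$wouldBlock = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($s in $page.value) {
        $hit = $s.appliedConditionalAccessPolicies | Where-Object { $_.id -eq $policy.id -and $_.result -eq "reportOnlyFailure" }
        if ($hit) {
            $wouldBlock += [pscustomobject]@{
                When     = $s.createdDateTime
                User     = $s.userPrincipalName
                App      = $s.appDisplayName
                Resource = $s.resourceDisplayName
            }
        }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until Graph returns no next link
} while ($uri)

# Summarise by user so an admin missing from the exclusions stands out before enforcement
$wouldBlock | Group-Object User | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 3. Only after the review shows nothing unexpected, switch the policy from report-only to enforced
$enforce = $false   # flip to $true once the report above shows only the blocks you intend
if ($enforce) {
    $body = @{ state = "enabled" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($policy.id)" -Body $body -ContentType "application/json"
}
```

Reading the sign-in logs through Graph requires the AuditLog.Read.All scope and a P1 or P2 licence, the same tier Conditional Access itself needs.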

Enjoy the process!