In order to manage Azure AD, we use Azure Active Directory option in https://portal.azure.com. By default, any user under Azure AD can access this option event they do not have a Directory role. In my demo setup, I have a user called "Emily Braun". She doesn't have any Directory role assigned.
Then I log in to Azure portal https://portal.azure.com as the user and then go to Azure Active Directory option. It didn't block me accessing it.
I can go to All users and see user account details.
I even can see the Groups memberships details.
Also, can view application assignments.
As an end user I also can see the Azure AD Connect details.
Even though it doesn't allow me to change the user settings, it still allows me to see the current settings.
I also can see the directory properties.
I agree it doesn't allow to change settings but I am not comfortable with disclosing the above info to a standard user. Microsoft allows restricting standard user access to Azure Active Directory administration portal. Let's see how we can do that.
1. Log in to Azure portal as Global Administrator
2. Go to Azure Active Directory | User Settings
3. Then click on Yes under Restrict access to Azure AD administration portal
4. To apply the settings, click on Save
5. Then I go ahead and login to the Azure portal as "Emily Braun" again and try to access the Azure Active Directory option.
6. As expected, now the standard user can't view the Azure AD Administration portal.
This marks the end of this post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.
Be aware of the following:
No lets non-administrators browse the Azure AD administration portal.
Yes Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources.
What does it not do?
It does not restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio.
It does not restrict access as long as a user is assigned a custom role (or any role).
Ref: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#restrict-member-users-default-permissions