Azure admin portal

sara2000 asked
Last Modified: 2020-06-11
I am new to Azure and I have a question. I hope experts out there will shed light on it. Our client has moved to Office 365 recently, only for the Windows 10 license; as a result, they installed Azure AD Connect. I noticed that standard domain users can access the Azure portal with their AD account and see all the users, groups, devices, etc. I was curious and asked the sysadmin about that.
He replied to me saying that users cannot make any changes.
Is it normal to leave it like that? I think we can restrict user access, but I am not sure why the client does not want to do that. If there is a document that says it is bad, then I would like to point the sysadmin to it.

David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Even with Active Directory, any authenticated user can query AD and get a list of users/computers; this is needed for normal operation.
Chinmay Patel, Chief Technology Ninja
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
There is no document that says you should keep your money guarded, but still it is common sense, and Azure provides the ability to restrict access to the portal. I have not seen an organization (prior to your comment) which allows access to the Azure Portal for normal users.
Jeff Glover, Sr. Systems Administrator
CERTIFIED EXPERT

Commented:
As David said, by default anyone can view Azure AD. This is the same as AD internally. If you make someone a local admin on a Windows 10 machine (not a practice I recommend, but it seems to be way too prevalent), they can install RSAT and see AD but not change anything. That being said, as Chinmay said, it is not a good practice. You can restrict this easily.
Log on to the Azure AD portal as a Global Admin. Select Azure Active Directory and then User Settings. In User Settings, turn on the "Restrict access to Azure AD administration portal" setting and then Save. Now normal users will get an Access denied message when they try to open Azure Active Directory in the portal (they can still log on but not see any settings). Users with administrative roles will still be allowed to log on.

Author

Commented:
I am not sure whether I have to point out to the sysadmin to restrict access unless there is a risk involved in allowing it. I am not an Azure expert. At the end of the day, he is in charge. He might say MYOB!!
Jeff Glover, Sr. Systems Administrator
CERTIFIED EXPERT

Commented:
OK, thought you were a Global Admin. Then take my instruction as free training. And the risk really depends on who you have in your company and if you trust them.

Author

Commented:
The sysadmin restricts access from any IP. It only allows users to access it from the corporate network.
I still do not understand why normal users have to have access. I cannot convince him not to allow it unless I can prove the risk to him!!
Jeff Glover, Sr. Systems Administrator
CERTIFIED EXPERT

Commented:
They do not have to have access to the web portal for Azure to work, but that is the default for Azure. You would have to talk to Microsoft directly to get the answer you are looking for.

Author

Commented:
Thank you.