sara2000

Azure admin portal

I am new to Azure and I have a question. I hope experts out there will shed light on it. Our client has moved to Office 365 recently, only for the Windows 10 license; as a result, they installed Azure AD Connect. I noticed that standard domain users can access the Azure portal with their AD account and see all the users, groups, devices, etc. I was curious and asked the sysadmin about that.
He replied to me saying that users cannot make any changes.
Is it normal to leave it like that? I think we can restrict the user access, but I am not sure why the client does not want to do that. If there is a document that says it is bad, then I would like to point the sysadmin to it.
David Johnson, CD

Even with Active Directory, any authenticated user can query AD and get a list of users/computers; this is needed for normal operation.
There is no document that says you should keep your money guarded, but it is still common sense, and Azure provides the ability to restrict access to the portal. I have not seen an organization (prior to your comment) that allows access to the Azure portal for normal users.
As David said, by default anyone can view Azure AD. This is the same as AD internally. If you make someone a local admin on a Windows 10 machine (not a practice I recommend, but it seems to be way too prevalent), they can install RSAT and see AD but not change anything. That being said, as Chinmay said, not a good practice. You can restrict this easily.
Log on to the Azure AD portal as a Global Admin. Select Azure Active Directory and then User Settings. In User Settings, turn on the Restrict Access to Azure AD administration Portal setting and then Save. Now normal users will get an Access denied message when they try to open Azure Active Directory in the portal (they can still log on but not see any settings). Users with administrative roles will still be allowed to log on.
sara2000

ASKER

I am not sure whether I should point out to the sysadmin to restrict access unless there is a risk involved in allowing it. I am not an Azure expert. At the end of the day, he is in charge. He might say MYOB!!
OK, thought you were a Global Admin. Then take my instruction as free training. And the risk really depends on who you have in your company and if you trust them.
ASKER CERTIFIED SOLUTION
Amit
This solution is only available to members.
The sysadmin restricts access from any IP. It only allows users to access from the corporate network.
I still do not understand why normal users have to have access. I cannot convince him not to allow it unless I can prove the risk to him!!
They do not have to have access to the web portal for Azure to work, but that is the default for Azure. You would have to talk to Microsoft directly to get the answer you are looking for.
Thank you.