Restricting "User" access to Azure portal

  • Question

  • I'm sure this is a very basic question, but having found no answers elsewhere I'm sure someone here can help.  We're new to Azure, having recently signed up for Office 365.  I'm concerned to find that anyone with the directory role "User" can log into portal.azure.com and browse our Azure resources including all users.  A User also has access to UIs to create new VMs and sign up for Azure service plans.  Maybe a User can't actually make any changes (I don't know for sure - I haven't tried everything), but just to see these options there is disconcerting.  I'm very concerned that any of our users or anyone on the Internet who obtains user credentials by whatever means has access to look around - or worse.

    Is it possible to restrict Azure portal logins to just a specified set of users or just Global and Limited Administrators?  If not, is it possible to make sure that anyone with the User role sees nothing upon logging into the portal?  If neither of those is possible how can I be assured that Users at least cannot make any changes?  Thank you for any assistance.


    Monday, March 20, 2017 3:38 PM

Answers

  • I have just tested this with a new user in my tenant. This user is able to log in to the portal, but they cannot see any of the resources I have deployed in Azure. The user is also not able to deploy any resources, and if they attempt to they are prompted to create a subscription.

    When they are prompted to create a subscription, this does not allow them to create a subscription on my account, it just lets them sign up for their own free trial or pay as you go sub (for which they would have to add their own credit card).

    So as far as this goes, it seems to be working as intended, there is no leakage of resources and no ability for the user to create resources. The only thing they could do is use their AAD account to sign up for a subscription which they are paying for.

    As for the AD side of things, it is possible to prevent users from viewing this information in the portal. Just have an admin go to AD User settings in the portal, and change the setting for "Restrict access to Azure AD administration portal" to Yes. This will prevent users querying AD in the portal. It does not however prevent them querying it through PowerShell or Visual Studio etc. I would suggest you spend some time looking at the other restrictions in this tab as well to make sure things are configured as you want.

    Users will always be able to query the directory somehow, be it using their mail client, SharePoint, Office tools etc. I think you're going to have a hard time preventing users from knowing what other users are in the company. AD, and by extension Azure AD, was never intended to be a security boundary between users inside the same directory.


    Sam Cogan Microsoft Azure MVP
    Blog | Twitter



    • Marked as answer by JW17 Tuesday, March 28, 2017 2:33 PM
    • Edited by SamCoganMVP Tuesday, March 28, 2017 5:16 PM
    Monday, March 27, 2017 7:24 PM

All replies

  • Access to Azure resources is controlled via RBAC. By default, any Azure AD-based user will not have permission to any Azure resources, so while they can "sign in" to the Azure portal, they will not be able to even see any of the resources in the Azure subscription(s) associated with their Azure AD tenant.

    More at https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is

    hth
    Marcin

    Monday, March 20, 2017 4:58 PM
  • Access to Azure resources is controlled via RBAC. By default, any Azure AD-based user will not have permission to any Azure resources, so while they can "sign in" to the Azure portal, they will not be able to even see any of the resources in the Azure subscription(s) associated with their Azure AD tenant.

    Thanks very much for your reply.  That makes perfect sense, but that doesn't seem to be what we're seeing here.  I was going to include a couple of images here to share what I see.  I discovered, though, that I can't include images or links until my account is "verified", however that happens, so I'll have to describe what I see.

    When I login to portal.azure.com as John Doe, who has the "User" directory role, I see the Microsoft Azure Dashboard.  Along the left side I see New, All resources, Resource groups, App services, etc.  To the right of that I see boxes for All resources/All subscriptions and Service health.  In the rightmost column I see "Get started", with options below for Virtual Machines, App Service, SQL Database, etc.  In short, this is the exact same view I have when I log into portal.azure.com as an Administrator.

    Further, as this John Doe user I can go to Azure AD > Users and groups > All users, where I can see all users in AAD.  I can then go to the John Doe user > Directory role, and verify that John is just a User.

    As if that's not enough, I can go to New > Compute, and choose to create a server.  From there I'm offered the opportunity to sign up for a new subscription - Free Trial, Pay-As-You-Go, etc.  That's where I stopped, however.

    If I understood correctly you said that a User should not be able to see any resources.  Is something wrong, then, in our Azure portal?  Alternatively, is it perhaps the case that we would actually expect a User to see all of these things but that they can't make any changes?


    • Edited by JW17 Monday, March 20, 2017 6:11 PM
    Monday, March 20, 2017 6:10 PM
  • It's been a week so I thought I'd try again.  Folks, I could seriously use some help on this.  We're a small school without a lot of resources, so I'm counting on the knowledgeable people on this forum.  I'm sure that any number of the members here could help, and I'd really appreciate a few minutes of your time.  Please help me determine whether what I've described is typical of what a person with the "User" role sees when logging in to portal.azure.com, and if it is how I can make sure that that access is as locked down and secure as possible.  Thanks very much.

    Monday, March 27, 2017 3:27 PM
  • When you say you see things like all resources etc. on the left, if you click on say "all resources" can you then see any actual resources inside that?

    On your Azure AD comment, this is the same directory that you use for Office 365, so users don't really gain anything by being able to see users. As with normal AD, any user can query the directory for users, and even if you block them from doing so in the portal, they can still do it inside their Office 365 applications.


    Sam Cogan Microsoft Azure MVP
    Blog | Twitter

    Monday, March 27, 2017 3:43 PM
  • When you say you see things like all resources etc. on the left, if you click on say "all resources" can you then see any actual resources inside that?

    On your Azure AD comment, this is the same directory that you use for Office 365, so users don't really gain anything by being able to see users. As with normal AD, any user can query the directory for users, and even if you block them from doing so in the portal, they can still do it inside their Office 365 applications.

    Thanks, I appreciate your time.  There is as yet nothing to see under "All resources" even under my admin accounts because I haven't created any resources.  However it's incomprehensible to me that a User is given the option to create resources and to sign up for an Azure subscription on behalf of the domain.  The fact that this UI is even present for a User makes me believe that either we have a rights issue or Microsoft has not sufficiently thought through the rights given to Users in the Azure portal.

    We're only trying Office 365, and only a few of our users have access to it.  With normal AD our users probably have no practical way to query our directory because of limits we place on the necessary management tools.  With Azure all they need is a web browser.  In addition, as is common in school settings we have a number of weakly secured AD accounts.  I don't want these to be an avenue for our users or outsiders to access our Azure portal.

    FWIW here's why all of this matters - I hope I have the chain right.  We need to begin deploying Windows 10, for which we need to be able to restrict our users to apps we place in the Windows Store for Business, for which we need to join our workstations to our Azure AD domain, for which we need to utilize Azure AD Connect, and before we use that to add hundreds of users to AAD we need to secure our Azure portal.

    Is what I've described that's visible to a User here similar to what Users can see in other organizations' Azure portals, or is our situation unusual?

    Monday, March 27, 2017 5:33 PM
  • I checked the settings you mentioned and tightened things up as much as I can.   The "Restrict access to Azure AD administration portal" seems to be a very new setting.  I can find just one mention of it on the web so far in a Microsoft blog post within the last week.  Based on your findings I will trust that our Azure portal is about as secure as Microsoft allows it to be.  Thanks very much for your help!

    Tuesday, March 28, 2017 2:42 PM
  • This is now doable:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started

    Sunday, August 20, 2017 7:50 PM
  • I saw that no one ever gave you the answer you were looking for.  I actually contacted Microsoft this week about the same issue.  I was able to get it resolved.  Although you cannot completely remove access to Azure, you can remove access to Azure AD.  

    Follow these steps.

    • Log in to Azure using a Global Administrator account https://portal.azure.com
    • In the left panel select Azure Active Directory
    • In the next blade select Users Settings
    • Then select the last option that says Restrict access to Azure AD administration portal

    A regular user will see an Access is Denied page when they try to access Azure AD.

    I did not include the screenshots, but I can if you need me to.  Just let me know.

    Good Luck,

    Cheston



    Wednesday, January 31, 2018 6:20 PM
  • Like others said, this can be done by configuring Restrict access to Azure AD administration portal

    http://www.windowstricks.in/2018/09/how-to-block-user-access-to-azure-portal.html


    Regards,
    Ganesamoorthy.S
    www.windowstricks.in


    Sunday, September 30, 2018 5:21 PM
  • The last two answers only pertain to the AAD section (aad.portal.azure.com) of the overall Azure portal (portal.azure.com). It's even in the name of the setting.

    So, I guess, like the third most recent post above mentions, it's left to conditional access to really do the job?

    Saturday, November 24, 2018 2:27 AM
  • Yes, conditional access is the only method suitable for this buuuuut and this is a big BUUUUUT you should not do it. Why in hell do it? It's like giving 777 to a website but worse, it's really not doing anything meaningful. You should simply close down the Azure AD section and you are good with it. A standard user is not able to do anything meaningful in the portal but you will always have to remember this damn conditional access policy once you want someone to do something in the portal other than yourself. This is really annoying and I would never recommend doing it.
    Friday, August 23, 2019 4:50 PM
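The conditional access route mentioned in the thread, as an added example that is not from any of the posters above: a policy created with the Microsoft Graph PowerShell SDK that targets the first-party "Microsoft Azure Management" application (the portal and the ARM API) for all users, excludes the Global Administrator role and a break-glass account so admins cannot lock themselves out (the lockout risk raised in the last reply), and starts in report-only mode so sign-in logs show who would be affected before it is enforced. Assumed: the Microsoft Graph PowerShell module is installed and the signed-in admin holds the Policy.ReadWrite.ConditionalAccess scope; the break-glass object id is a placeholder.

```powershell
# Added example, not code from this thread. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Well-known first-party application id for "Microsoft Azure Management"
# (covers portal.azure.com and the Azure Resource Manager API).
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
# Global Administrator role template id; excluded so admins keep portal access.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
# Placeholder: object id of an emergency-access (break-glass) account.
$breakGlassUserId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Block Azure management plane for non-admins (report-only)"
    # Report-only first: review the sign-in log for "would block" results,
    # then switch to "enabled" once the exclusions are confirmed to be correct.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
            excludeRoles = @($globalAdminRoleId)
        }
        applications = @{
            includeApplications = @($azureManagementAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the admin exclusion and report-only state
# before anyone considers enabling enforcement.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.State -ne "enabledForReportingButNotEnforced" -or
    $check.Conditions.Users.ExcludeRoles -notcontains $globalAdminRoleId) {
    throw "Policy was not created with the expected safety settings."
}
"Created report-only policy $($check.DisplayName) ($($check.Id))"
```

Note that this blocks the Azure management plane only; as the thread points out, users can still read the directory through Office 365 clients, so the "Restrict access to Azure AD administration portal" setting and this policy address different surfaces.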