In a on-premise Active Directory a normal user can read the directory by default using a LDAP browser. We put firewall and other security measure in place so that it is impossible to reach from the outside.

When we sync all our users to Azure Active Directory – I often see that no security measure are in place. In my work I see a lot of installations where ADFS is the only security measure – ADFS is used to login in to Azure AD without having the users password in the cloud – but the ADFS is setup to allow all authenticated users.

Last week I was at a customer where I showed them that a standard user can get access to browse there AzureAD users, groups and enterprise apps in the AzureAD. This was not acceptable by there security department, and I totally agree. So we used Azure AD conditional access to control the access both for on-premise users and cloud only users.


What is the problem:

When a user log in to the old Azure AD portal the user gets this message:

windowsazure portal

No access – no problem!

When the user log in to the new Azure AD portal the use gets this:

Azure AD - standard user - 01

Yes there is settings and data a standard users cannot see, like “Users Sign-ins” and the user cannot change anything in AzureAD.

It is the same if the standard user logs in to but then the user can see under “My permissions” that there is no access to any subscriptions and there is no access to other resources in Azure.

Azure AD - standard user - 02

Standard user can create a support ticket on:

  • Billing
  • Subscription management

Azure AD - standard user - 03.png

What is the solutions:

The quick fix for this is Conditional Access on the cloud App Microsoft Azure Management.

How to setup Conditional Access for Microsoft Azure Management:

Login with a admin to

Azure AD - CA Portal - 00

Go to Security – Conditional access

Azure AD - CA Portal - 01

Click New policy

Azure AD - CA Portal - 02

Give the CA policy a name

Click on Users and groups

Azure AD - CA Portal - 03

Select All users

Remember to select a Exclude user or you have removed your access to change this policy

Azure AD - CA Portal - 04

Select Exclude

Click Select excluded users

Azure AD - CA Portal - 05

Select a group with least one global admin !!!

Azure AD - CA Portal - 06

Select Cloud apps

Azure AD - CA Portal - 07

Click Select apps

Search for Microsoft Azure Management and select the app

Azure AD - CA Portal - 08

Select Conditions

Azure AD - CA Portal - 09

Select Client apps

Click Yes – the both Browser and Mobile apps and desktop clients will be blocked

Info: Use Locations if you only whats this to apply outside your trusted network

Azure AD - CA Portal - 10

Select Grant

Azure AD - CA Portal - 10a.png

Click Block access

Azure AD - CA Portal - 11

Click On to enable the Conditional Access policy

Azure AD - CA Portal - 12

Now you have blocked the access for standard users from accessing your AzureAD.

When the policies is in effect the user will get this message when accessing the Azure portal from a browser or from the mobile Azure app

Azure AD - CA Portal - 13

There is also another way to do this:

Conditional Access requires Azure AD Premium license – if you don’t have that there is also another way.

This will only apply to standard users – and not a user with privileged access (User administrator, password administrator, etc.) and you cannot do inside/outside rule like in the Conditional Access.

Inside the Azure AD you can set:

Go to User settings – Administration portal

Restrict Access to Azure AD administration portal to Yes.

AzureAD Restrict Access

This will not block your users from accessing

AzureAD Restrict Access 00

This will only create a Access denied when accessing the AzureAD.

AzureAD Restrict Access 01