How to block access to group of users with directory roles - azure

In my tenant, I want to restrict access for a few users to my application even if they have directory admin roles.
I'm thinking of implementing a conditional access policy. I have a Premium P2 license; is this sufficient to work with conditional access?
How to create policy to restrict access to admins? Any help is appreciated

I tried to reproduce the same in my environment and got below results:
I have created one Azure AD group named AppAdminCA by adding the 'Application Admin' role to that group like below:
This means every user in that group has the 'Application Admin' role. Note that the Application Admin role doesn't have access to modify conditional access policies.
To restrict access for these users to a specific application, you can create "Conditional access policy" like below:
Go to Azure Portal -> Azure Active Directory -> Security -> Conditional Access -> Policies -> New policy
In Users field, you can select either Users with Directory role or the above created group like below:
In Cloud apps field, select that particular application to which you want to block access as below:
In Access controls field, select Block access and click on Create by enabling the policy:
You can find the created conditional policy here:
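The same policy as the portal steps above, created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the answer; the GUIDs are placeholders to replace with your own app ID, group object ID and role template ID, and the policy is created in report-only mode so you can verify its targeting in the sign-in logs before enforcing it.

```powershell
# Added example: block one cloud app for the AppAdminCA group / Application Admin role.
# Assumes the Microsoft.Graph module is installed and the signed-in account may manage
# Conditional Access policies. All GUID values below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$appId          = "<APPLICATION-ID-TO-BLOCK>"                    # placeholder: appId of the cloud app
$groupObjectId  = "<APPADMINCA-GROUP-OBJECT-ID>"                 # placeholder: AppAdminCA group
$roleTemplateId = "<APPLICATION-ADMINISTRATOR-ROLE-TEMPLATE-ID>" # placeholder: directory role template
$breakGlassId   = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"              # placeholder: emergency access account

$policy = @{
    displayName = "Block AppAdminCA and Application Admins from MyApp"
    # Report-only first: the sign-in logs show what *would* be blocked without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($groupObjectId)   # the group created above
            includeRoles  = @($roleTemplateId)  # or target the directory role directly
            excludeUsers  = @($breakGlassId)    # never block the emergency access account
        }
        applications = @{
            includeApplications = @($appId)     # only this app, not "All cloud apps"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")            # Access controls -> Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm it targets exactly what was intended
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Users.IncludeGroups
$check.Conditions.Users.IncludeRoles
$check.Conditions.Applications.IncludeApplications

# Once the report-only results look right, enforce the policy
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```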

Related

Azure conditional access by device name

I want to limit access to Azure P2S VPN by computername. What I did:
I configured one conditional policy to block all users (Pol1).
Second conditional policy (Pol2):
All Users
In Cloud apps or actions I selected Azure VPN
Conditions - Filter for devices - Include filtered devices in policy
displayName contains MyComputerName
deviceID equals MyDeviceID (I got it using dsregcmd /status)
Access controls - Grant access - Require multifactor authentication
When I am trying to connect with Azure VPN I see in Sign-in logs that Pol1 failed (Block access for all). Pol2 is Not Applied. Why? I specified it to check for Name or ID...
Next step instead of second policy I created a policy that Grant only for following:
Require multifactor authentication
Require domain-joined device
It doesn't work. I joined my computer to Azure AD - doesn't help. I am still getting:
Not satisfied
Require multifactor authentication
Require domain-joined device
I am out of ideas... Any help will be appreciated!
I tried to reproduce the same in my environment and I got the results like below:
I have configured point to site vpn and connected successfully like below:
To set MFA, make sure to set User assignment required to Yes to limit sign-in to only users that have permissions to the Azure VPN like below.
Enterprise application --> Azure VPN --> Properties --> User assignment required --> Save
I have created a group and added a limited member to access
In conditional access policy ->Assignments -> Users and groups -> include -> Add group like below
In Grant Require multi-factor authentication
In the Enable policy section -> click ON -> Create
Now when I try to connect with added group member it connected successfully.
When I try to access with another user it restricts like below
Reference:
Azure AD Authentication for Point to Site (P2S) VPN - Cloudthat | CloudThat
Update
I tried in my environment. According to your scenario I have created policy 1.
Try to give block access for all users and in Conditions -> Filter for devices -> exclude filtered devices and provide your device id like below:
In policy 2, I have given Grant access for all users; you can add device id and display name in include filtered devices and grant access like below.

Azure User Admin right to delete guest users

I have User Admin role assigned and just noticed that am not able to delete external users.
The User Admin has the right: microsoft.directory/users/delete and I guess that is not enough.
The Global Admin has the right: microsoft.directory/users/allProperties/allTasks
Create and delete users, and read and update all properties.
Do you know if there is any other role that grants the right to delete external users? Or am I missing something here?
I have User Admin role assigned and just noticed that am not able to delete external users.
You can check User Admin roles here. As per the document, as shown in the image below, for this User Admin role Delete or Restore users is not applicable.
As per your requirement, Global Administrator has this delete user access privilege. Here you can go through Global Administrator rights.
there is any other role that grants the right to delete external users?
AFAIK the Global Administrator role is the only built-in role in Azure AD that grants the ability to delete external users, but if you do not want to assign the Global Administrator role but still want to be able to delete external users, you can create a custom role and assign the "microsoft.directory/users/delete" permission to it.
In Azure you can create a custom role in different ways like
~Using Azure portal.
~Using PowerShell
~Using CLI
To create a custom role using the portal, check whether your custom role is enabled or disabled as shown in the image below. Select your subscription or Resource group >> Access control >> +Add >> Add custom role.
Creating a custom role is a bit complicated; if you are OK with a custom role, follow the detailed steps in the MS document on creating a custom role using the Azure Portal.
Create Custom role Using PowerShell
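An added example (not the answer's own code) of the custom-role approach above, done with the Microsoft Graph PowerShell SDK. Because `microsoft.directory/users/delete` is an Azure AD directory permission, the example creates an Azure AD custom directory role (Roles and administrators) rather than an Azure RBAC role on a subscription; it assumes the Microsoft.Graph module, an Azure AD Premium P1 license for custom directory roles, and a placeholder user object ID.

```powershell
# Added example: custom directory role carrying only the user-delete permission,
# assigned to one principal at directory scope. Object IDs are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$roleDef = @{
    displayName     = "User Deleter (custom)"
    description     = "Least-privilege role: may delete users, nothing else"
    isEnabled       = $true
    rolePermissions = @(
        @{
            # Keep the action list as small as the task allows
            allowedResourceActions = @("microsoft.directory/users/delete")
        }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleDef
$role | Select-Object Id, DisplayName, IsBuiltIn

# Assign the role to a single principal; "/" is the whole-directory scope
$assignment = @{
    principalId      = "<USER-OBJECT-ID>"   # placeholder: the admin who needs delete rights
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignment

# Review what the role actually grants before handing it out more widely
$def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id
$def.RolePermissions.AllowedResourceActions

# Review who holds it (filter on the role definition id)
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```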

access to enterprise application (EA) in Azure

What is the significance of "Users and groups" under EA?
Does adding a person give that person the same access as the EA?
What does adding an SP do? Will the added SP not have the same access as the EA?
Just creating the identity (User type or Service Principal) will not give it any role.
After you create the user, you can assign any role that you require to the identity.
Assign Azure AD
Sign in to the Azure AD admin center.
Select Azure Active Directory > Roles and administrators to see the list of all available roles.
Select a role to see its assignments.
To help you find the role you need, use Add filters to filter the roles.
Select Add assignments and then select the users you want to assign to this role.
If you see something different from the following picture, you might have PIM enabled. See the next section.
Select Add to assign the role.
Source: https://learn.microsoft.com/en-us/azure/active-directory/roles/manage-roles-portal
To Grant a user access to Azure resources you can follow this tutorial https://learn.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
Hope this helps!
The users and groups tab specifies who can access the application. This is based on the assumption that the app is 'closed' in the properties tab.

Restricting Member permissions on azure active directory

We have developed a webapp and configured its authentication to use our Azure Active Directory tenant. This works fine. We have clients which are other organizations and when a user from one of those clients authenticates they are presented with content that is specific to their organization. This also works fine.
Under the hood: To accomplish this, in our tenant we have created groups (one for each client) and we have invited users from those clients and assigned them to the appropriate groups (after they are added we have to manually change their user type from 'Guest' to 'Member')
Problem:
If one of our clients signs in to Azure AD they are able to see ALL other groups and all other users. They are also able to add and delete groups and do virtually everything our global administrator account can! This tells me we have done something very very wrong. We are new to Azure AD and there appears to be very much about it that we do not understand.
What I've tried.
Read about administrative units (that doesn't seem to be it)
Roles and administrators: this page has a long list of roles which have check boxes next to them that appear to do nothing.
Home > Tenant > Users > Username > Assigned Roles > Add Assignment: I can select from any of that same list of roles but they are all different kinds of administrators. This would seem to be granting more permissions, not taking them away.
Home > Tenant > Groups > Groupname > Roles and Administrators: This page simply says "no roles found"
Essentially I need our members to not be able to do anything on azure AD except return a list of the groups they are in as well as their own details (name, email, profile picture, etc.)
Assuming you are adding the client users to a specific group, that group itself may already have some admin privilege (Global Administrator/Directory Writer permission).
Only in that case can a user do operations on groups and other users' data.
I would suggest you check that Group->Role and administrator & User->Role and Administrator have only the Directory Read permission.
For me, User->Assigned Role->Active Assignment only has the Directory Read role permission, so I can only see my details and the list of groups present in Active Directory but cannot do any operation on any group/users like write/delete/update except read.
Note: To assign a role at the group level you require an Azure AD Premium P1 license.
Update
For assigning a role to a group please go through it this way:
AAD -> Role and Administrator -> Select Role -> Add Assignment -> Select Member (Group)

How to Add users to different group in Azure AD B2C during Registration

Is it possible to add users to different groups based on the URL they are coming from? All users are to be added under the same Azure B2C directory but under different groups during registration.
Example:
www.admin.com - User should go to "Admin" group.
www.user.com - User should go to "Users" group.
Thanks :)
You could use Azure AD dynamic user groups to do that. When you create a dynamic group with rules, the system evaluates all rules in a directory to see if the change would trigger any group adds or removes. If a user satisfies a rule on a group, they are added as a member of that group.
Reference - Dynamic membership rules for groups in Azure Active Directory
In your case, create the dynamic user group Admin; to add the users to the Admin group, you just need to add a rule like (user.userPrincipalName -match ".*admin.com*."). The other one uses the same logic.
After the system has updated the group completely, it will appear like below.