Conditional Access – Administrator Microsoft Azure Management + Admin Portals Location Restriction

This policy implements a location-based block that prevents access to Microsoft Azure Management (the Azure portal and its management APIs) and to the Microsoft admin portals from outside the corporate network. Both targets expose tenant-wide settings that should only be reachable by authorized administrators from within the corporate network, that is, from IP ranges that are defined as trusted named locations in Entra ID.

In addition to the location restriction, require MFA for all administrators when accessing either portal. A location block only restricts where a sign-in may originate; it does not verify who is signing in, so a compromised account used from inside a trusted range is not stopped by it. MFA is an essential component of a comprehensive security posture for privileged accounts and regular users alike.

Here are some of the benefits of this policy:

  • Stolen credentials alone are not enough: even if an attacker obtains an administrator's password, a sign-in to the Azure portal or the admin portals from outside a trusted location is refused, which raises the cost of an attack and reduces the risk of a tenant-level breach.
  • The blast radius of a phished admin is reduced: the attacker has to first gain a foothold inside a trusted network range before the stolen credential is usable against the targeted apps.
  • Administrative access becomes auditable by origin: every blocked attempt is recorded in the sign-in logs with the policy name, IP address and location, which gives the SOC a clean signal for credential compromise.

Note that the block applies only to the apps targeted by the policy (see the two sections on what each app group covers below); other services, for example Microsoft Graph, need their own policy.

Here are some specific examples of scenarios where you might want to restrict access to the Azure portal for admins with location restrictions:

  • You have an office in a country with a high risk of cyberattacks. You can restrict admin access to the Azure portal to trusted locations only, such as the corporate office network.
  • You have a cloud-based application that contains sensitive customer data. You can restrict admin access to the Azure portal to the locations from which administration of that environment is expected, and nothing else.
  • You have a team of IT administrators who work remotely. You can restrict admin access to the Azure portal to trusted locations such as the corporate VPN egress or an office; a home connection only qualifies as a named location if it has a fixed public IP, so for most remote staff the VPN range is the practical choice.

Goal: Create a policy that blocks access to Microsoft Azure Management and the Microsoft Admin Portals from outside the corporate network.


Azure and Admin portal location Block

The policy applies to the critical administrator roles that it is assigned to. When configuring the exclusions, always exclude the user who is creating the policy and the break glass group, so that you cannot accidentally lock yourself or the emergency access accounts out. Create the policy in report-only mode first and review the sign-in logs before switching it to enabled.

Name: 8.[Admins] [Azure Management + Admin Portal]_Untrusted_Location_Block

Assignments:
Users:
Include:
Directory Roles:

Application Administrator
Application Developer
Authentication Administrator
Authentication Extensibility Administrator
B2C IEF Keyset Administrator
Billing Administrator
Cloud Application Administrator
Cloud Device Administrator
Conditional Access Administrator
Directory Writers
Exchange Administrator
Global Administrator
Global Reader
Helpdesk Administrator
Hybrid Identity Administrator
Intune Administrator
Password Administrator
Privileged Authentication Administrator
Privileged Role Administrator
Security Administrator
Security Operator
Security Reader
SharePoint Administrator
User Administrator

Exclude:
Break glass group
Current User

Target resources:
Include:
Microsoft Azure Management
Microsoft Admin Portals

Conditions:
Locations:
Include Any location
Exclude: All trusted locations

Grant:
Block access
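The same policy created through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The role names are the ones listed above; the break glass group name is an assumption for this tenant, and the policy is created in report-only mode so it can be validated against the sign-in logs before it is enforced.

```powershell
# Added example (not from the original post): create the policy above with the
# Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The break glass group name below is an assumption and must be adjusted.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Directory.Read.All','User.Read.All'

$roleNames = @(
    'Application Administrator','Application Developer','Authentication Administrator',
    'Authentication Extensibility Administrator','B2C IEF Keyset Administrator','Billing Administrator',
    'Cloud Application Administrator','Cloud Device Administrator','Conditional Access Administrator',
    'Directory Writers','Exchange Administrator','Global Administrator','Global Reader',
    'Helpdesk Administrator','Hybrid Identity Administrator','Intune Administrator',
    'Password Administrator','Privileged Authentication Administrator','Privileged Role Administrator',
    'Security Administrator','Security Operator','Security Reader','SharePoint Administrator',
    'User Administrator'
)

# Resolve role template IDs by display name rather than hard-coding GUIDs;
# fail loudly if a name does not resolve so the policy is not created half-scoped.
$templates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $roleNames) {
    $t = $templates | Where-Object { $_.DisplayName -eq $name }
    if (-not $t) { throw "Role template not found: $name" }
    $t.Id
}

# Exclusions: the break glass group (name assumed) and the signed-in admin.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass-Exclude'"   # assumed group name
if (-not $breakGlass) { throw 'Break glass group not found; refusing to create a policy without it' }
$me = Get-MgUser -UserId (Get-MgContext).Account

$params = @{
    displayName   = '8.[Admins] [Azure Management + Admin Portal]_Untrusted_Location_Block'
    # Start in report-only; switch to 'enabled' after reviewing the sign-in logs.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users = @{
            includeRoles  = $roleIds
            excludeGroups = @($breakGlass.Id)
            excludeUsers  = @($me.Id)
        }
        applications = @{
            # 797f4846-... is the app ID of Microsoft Azure Management (Windows Azure Service Management API);
            # 'MicrosoftAdminPortals' is the Graph identifier of the Microsoft Admin Portals app group.
            includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013','MicrosoftAdminPortals')
        }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Resolving the roles by display name keeps the script readable and makes a typo in the list fail before anything is created; the explicit check for the break glass group prevents the most common lockout, a policy that was created with an empty exclusion because the group lookup silently returned nothing.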

What does the Microsoft Azure Management target?

Azure management targets the following:

  • Azure Resource Manager
  • Azure portal, which also covers the Microsoft Entra admin center
  • Azure Data Lake
  • Application Insights API
  • Log Analytics API

Because the policy is applied to the Azure management portal and its APIs, any service or client that depends on those APIs can be affected indirectly. For example:

  • Classic deployment model APIs
  • Azure PowerShell
  • Azure CLI
  • Azure DevOps
  • Azure Data Factory portal
  • Azure Event Hubs
  • Azure Service Bus
  • Azure SQL Database
  • SQL Managed Instance
  • Azure Synapse
  • Visual Studio subscriptions administrator portal
  • Microsoft IoT Central

What does Microsoft Admin Portals Target?

  • Azure portal
  • Exchange admin center
  • Microsoft 365 admin center
  • Microsoft 365 Defender portal
  • Microsoft Entra admin center
  • Microsoft Intune admin center
  • Microsoft Purview compliance portal

This app group covers interactive browser sign-ins to the listed portals. It does not cover API or PowerShell access to the underlying services, so a stolen admin credential used from outside a trusted location may still reach those APIs unless a separate policy targets them.

User experience

From a trusted location, the sign-in completes without any change for the administrator.

From an untrusted location, the sign-in is blocked and the administrator sees the standard Conditional Access block page instead of the portal. Each blocked attempt is written to the Entra ID sign-in logs with the policy name and the result "failure" (or "reportOnlyFailure" while the policy is in report-only mode).
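A way to verify the policy from the sign-in logs, as an added example that is not part of the original post. It lists the sign-ins of the last seven days on which this policy blocked access, or would have blocked it while in report-only mode, which is the check to run before switching the policy to enabled. The policy name is the one used above; the AuditLog.Read.All scope is required.

```powershell
# Added example (not from the original post): find sign-ins affected by the location block.
# Both enforced blocks ('failure') and report-only hits ('reportOnlyFailure') are listed.

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

$policyName = '8.[Admins] [Azure Management + Admin Portal]_Untrusted_Location_Block'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Server-side filter on time only; the per-policy result is evaluated client-side.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$hits = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object {
        $_.DisplayName -eq $policyName -and $_.Result -in @('failure','reportOnlyFailure')
    }
    if ($applied) {
        [pscustomobject]@{
            Time    = $s.CreatedDateTime
            User    = $s.UserPrincipalName
            App     = $s.AppDisplayName
            IP      = $s.IPAddress
            Country = $s.Location.CountryOrRegion
            Result  = $applied.Result
        }
    }
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

Review the User and IP columns before enforcing: a legitimate administrator who appears here is working from a range that is missing from the trusted named locations, and the fix is to add that range, not to exclude the user from the policy.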


Source

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-access
