Reputation: 61
In my tenant, I want to restrict access to my application for a few users, even if they have directory admin roles.
I'm thinking of implementing a conditional access policy. I have a Premium P2 license; is this sufficient to work with conditional access?
How do I create a policy to restrict access for admins? Any help is appreciated.
Upvotes: 1
Views: 416
Reputation: 22627
I tried to reproduce the same in my environment and got the results below:
I have created one Azure AD group named AppAdminCA by adding the 'Application Admin' role to that group like below:
This means every user in that group has the 'Application Admin' role. Note that the Application Admin role doesn't have access to modify conditional access policies.
To restrict access for these users to a specific application, you can create a "Conditional access policy" like below:
Go to Azure Portal -> Azure Active Directory -> Security -> Conditional Access -> Policies -> New policy
In the Users field, you can select either Users with Directory role or the above created group like below:
In the Cloud apps field, select that particular application to which you want to block access as below:
In the Access controls field, select Block access and click on Create by enabling the policy:
You can find the created conditional policy here:
Upvotes: 2
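The portal steps in the answer above can also be scripted. This is an added example, not part of the original answer: it assumes the Microsoft Graph PowerShell SDK is installed, uses a placeholder for the application name, and creates the policy in report-only state by default so its effect can be checked before it is enforced.

```powershell
# Added example; requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
$GroupName = 'AppAdminCA'                    # group name from the answer
$AppName   = '<application display name>'    # placeholder: the app to protect
# 'enabledForReportingButNotEnabled' is report-only; use 'enabled' to enforce the block.
$State     = 'enabledForReportingButNotEnabled'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All','Group.Read.All'

# Resolve the group and the application; stop unless each name matches exactly one object.
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
$app   = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($group.Count -ne 1) { throw "Expected one group named '$GroupName', found $($group.Count)." }
if ($app.Count -ne 1)   { throw "Expected one service principal named '$AppName', found $($app.Count)." }

# Same choices as the portal: Users = the group, Cloud apps = the app, Grant = Block access.
$policy = @{
    displayName   = "Block $GroupName from $AppName"
    state         = $State
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($group[0].Id) }
        applications   = @{ includeApplications = @($app[0].AppId) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

While the policy is in report-only state, the sign-in logs show whether it would have blocked each sign-in, which confirms that only the intended group is affected before `$State` is changed to `enabled`.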