In Windows Admin Center (WAC), “gateway access” is controlled by the Allowed groups list on the gateway. The AZ-800 materials explain that membership in the local Administrators group on the WAC gateway still permits sign-in unless you explicitly scope access to specific groups in the Allowed groups list . The guidance further states that to restrict who can sign in to the WAC gateway, you must populate Allowed groups with one or more security groups (for example, a domain group) and remove broad principals (like BUILTIN\Users). Until you add at least one explicit group, existing administrators can continue to authenticate, which is why “everyone” appears able to sign in after only removing BUILTIN\Users. By adding a dedicated security group to Allowed groups, only members of that group can authenticate to the gateway UI; non-members are denied. Settings such as Performance profile or Require manage-as sessions to re-authenticate affect performance and remote management prompts, not gateway sign-in. Proxy bypass lists control outbound connectivity, not access control. Therefore, to prevent unauthorized sign-ins, configure Allowed groups with a specific security group and manage membership there.