With Spring Security, we can define a role, for example, ACTUATOR_ADMIN, and make the endpoints only accessible to authenticated users who are in this role, as shown in the following:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
   ...
  protected void configure(HttpSecurity http) throws Exception {
    http
      ...
        .antMatchers(PUBLIC).permitAll()
        .requestMatchers(EndpointRequest.toAnyEndpoint()).
        hasAnyRole("ACTUATOR_ADMIN")
        .anyRequest().authenticated()
      ...
  }
  ...
} 

In application.properties, we will comment out the port setting, as in the following:

# management.server.port=9000

In this way, we can access the Actuator's endpoints with an authenticated user who has the required role.