Microsoft Entra ID provides robust tools for managing access to resources through Conditional Access (CA) policies. However, some service principals representing certain resources cannot be directly included in CA policies. To address this, we can use custom security attributes to control access to these resources. This blog will guide you through the process of creating and applying custom security attributes to service principals, enabling or blocking them through Conditional Access policies.
Understanding the Challenge:
Service principals often represent applications or resources within an Azure environment. While Conditional Access policies are excellent for enforcing access controls, certain service principals cannot be directly targeted. This necessitates an alternative approach to apply CA policies to such resources.
By using custom security attributes, we can create a flexible and manageable solution to include these service principals in our Conditional Access strategy.
Steps to Use Custom Security Attributes for Service Principals:
- Add a new custom security attribute. Custom security attributes let us tag service principals so that they can be referenced in Conditional Access policies. To begin, create the attribute set that will hold the attribute using PowerShell.
Example of PowerShell Command:
# Create the attribute set that will hold the custom security attribute
# (needs the CustomSecAttributeDefinition.ReadWrite.All Graph permission)
$params = @{
Id = "HR"
Description = "Attributes for HR team"
MaxAttributesPerSet = 25
}
$attributeSet = New-MgDirectoryAttributeSet -BodyParameter $params
- Create a service principal for the resource that we want to control.
# Create a service principal for the application registration identified by its AppId
$servicePrincipal = New-MgServicePrincipal -AppId "<AppId>"
- Assign the custom security attribute to the service principal once the attribute set, and an attribute inside it, have been created.
# Assign a value of an attribute in the "HR" set to the service principal (the attribute itself must already be defined in the set)
$attributeValue = @{ HR = @{ "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"; "<AttributeName>" = "<Value>" } }
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id -CustomSecurityAttributes $attributeValue
- Configure a Conditional Access policy that evaluates the custom attribute.
- Open the Entra admin center.
- Navigate to Security > Conditional Access.
- Create a new policy and define its scope, such as All users or specific groups.
- In the Target resources section, choose Select resources.
- Click Edit filter and build a rule on the custom security attribute created above.
- Test the Policy to validate that the Conditional Access policy behaves as expected:
- Attempt access to the resource represented by the service principal.
- Verify that access is either allowed or blocked based on the targeted resource and the grant control.
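The whole procedure above carried out end to end in PowerShell, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that $AppId holds the application (client) ID of the resource, and that the attribute name "AppProtection" and value "Sensitive" are placeholders; it also creates the Conditional Access policy from PowerShell in report-only mode instead of through the admin center.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module,
# $AppId = application (client) ID of the resource, and placeholder attribute
# name "AppProtection" with placeholder value "Sensitive".
Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All",
    "CustomSecAttributeAssignment.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Attribute set: reuse it if it already exists, otherwise create it
$set = Get-MgDirectoryAttributeSet -AttributeSetId "HR" -ErrorAction SilentlyContinue
if (-not $set) {
    $set = New-MgDirectoryAttributeSet -BodyParameter @{
        Id = "HR"; Description = "Attributes for HR team"; MaxAttributesPerSet = 25 }
}

# 2. Attribute definition inside the set: one string value per service principal
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter @{
    AttributeSet = "HR"; Name = "AppProtection"; Type = "String"; Status = "Available"
    IsCollection = $false; IsSearchable = $true; UsePreDefinedValuesOnly = $false
} | Out-Null

# 3. Tag the existing service principal that represents the resource
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter @{
    customSecurityAttributes = @{
        HR = @{ "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
                AppProtection = "Sensitive" }
    }
}

# 4. Read the assignment back before building a policy on it
Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property "customSecurityAttributes" |
    Select-Object -ExpandProperty CustomSecurityAttributes

# 5. Policy whose target resources are picked by a filter on the attribute.
#    Report-only first: check the report-only results in the sign-in logs, then enable.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sensitive HR-tagged apps"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ applicationFilter = @{
            mode = "include"
            rule = 'CustomSecurityAttribute.HR_AppProtection -eq "Sensitive"' } }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

The filter rule references the attribute as AttributeSet_AttributeName; any service principal later tagged with the same value is picked up by the policy without editing it.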
Real-World Use Case:
Imagine we have an application represented by a service principal, which handles sensitive operations. However, this service principal is not available for direct inclusion in a Conditional Access policy. By assigning a custom security attribute to the service principal, we can:
- Enforce stricter access controls.
- Block or allow access based on the defined Conditional Access policy.
This approach not only addresses the limitation of directly targeting service principals but also provides a scalable way to manage access for multiple resources.
Conclusion:
Custom security attributes empower administrators to leverage Conditional Access policies for service principals that cannot otherwise be targeted. By tagging service principals with a custom security attribute and referencing that attribute in CA policies, we gain finer control over access to critical resources. This method is especially useful for resources that cannot be directly added to CA policies, ensuring our organization's security and compliance requirements are met efficiently.
Start exploring custom security attributes today to enhance your Conditional Access strategy and secure your Azure environment effectively!