Forum Discussion

Steph32UK's avatar
Steph32UK
Copper Contributor
Oct 31, 2022

Azure Sign-in Logs

Hi, I've been tracking some activity which I think is somewhat malicious. Within sign-in logs I've noticed quite a few failures from user accounts under application "Microsoft Azure CLI". Over the l...
azure
KurtBMayer's avatar
KurtBMayer
Iron Contributor
Nov 01, 2022

Steph32UK 

 

This would be an example of how to implement the extra check: Conditional Access - Require MFA for Azure management - Azure Active Directory - Microsoft Entra | Microsoft Learn. This way they'd need to prove the second factor even if they gain access to valid credentials.

 

You could make a variant on this to just block Azure Management for non-admins similar to the example described here: Block access to Azure Powershell Management (microsoft.com) or Block user access to Azure AD Powershell with Conditional Access - Microsoft Community Hub. In this case, you'd want to put your admins in a group that's excluded from the rule.

 

Please like and mark this thread as answered if it's helpful, thanks!

  • Steph32UK's avatar
    Steph32UK
    Copper Contributor
    Nov 02, 2022

    KurtBMayer 

    Hi Kurt,
    Many thanks for your reply and the useful links. Trying to get our Sys Admin team to get their skates on with the CA policies. We had a some Webshell attacks few weeks back so been pushing for these controls.
    Thanks,
    Stephen

Resources