Forum Discussion
Block user access to Azure AD Powershell with Conditional Access
- Nov 16, 2021
I've had the same trouble you've had. However, there is a way to block this via conditional access policies. As luck would have it, we have a report-only policy that blocks most things for testing purposes. Looking at Azure logs I could see that if we had enabled that policy we would have triggered Azure Active Directory PowerShell and it would have blocked it! So what I did was I created a policy that included all cloud apps and then just excluded the ones we use in our other policies (which were a few) and boom... MFA prompted. It seems that the Azure Active Directory is in the enterprise apps (as you can do searches and see logs on activity) but it's "hidden". There might be a way to PowerShell it since I can find an application ID, but that's down the line.
Hope that helps. Godspeed
- Nov 18, 2021
Hello, the Microsoft Azure Management application applies to Azure PowerShell, which calls the Azure Resource Manager API. As you noticed, it does not apply to Azure AD PowerShell, which calls Microsoft Graph.
As mentioned above, the way to go is instead the "except approach" where you only add those apps/services in CA that should work, and also usually for externals.
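
The "all cloud apps, minus exclusions" policy described in this thread, created in report-only mode with the Microsoft Graph PowerShell SDK and then checked against the sign-in logs. This is an added example, not code from either poster. Assumptions: the two IDs are placeholders, the emergency-access exclusion is an addition, and the sign-in log display name is taken to be "Azure Active Directory PowerShell".

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

# Placeholders (assumptions): replace with values from your own tenant.
$ExcludedAppIds  = @('<app-id-already-covered-by-another-policy>')
$EmergencyUserId = '<emergency-access-account-object-id>'

# Refuse to run while placeholders are still in place.
if (($ExcludedAppIds + $EmergencyUserId) -match '^<') {
    throw 'Replace the placeholder IDs before running.'
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

$policy = @{
    displayName = 'All cloud apps except listed - require MFA (report-only)'
    # Report-only: the policy is evaluated and logged but not enforced.
    state       = 'enabledForReportingOnly'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($EmergencyUserId) }
        # "All" also covers apps that cannot be picked individually in the portal.
        applications   = @{ includeApplications = @('All'); excludeApplications = $ExcludedAppIds }
        clientAppTypes = @('all')
    }
    # 'mfa' matches the prompt described in the thread; 'block' denies access instead.
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# After some sign-ins have occurred: show how this policy would have applied
# to Azure AD PowerShell sign-ins (reportOnlyFailure, reportOnlySuccess, ...).
Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Azure Active Directory PowerShell'" -Top 50 |
    ForEach-Object {
        $signIn = $_
        $signIn.AppliedConditionalAccessPolicies |
            Where-Object Id -eq $created.Id |
            Select-Object @{ n = 'User'; e = { $signIn.UserPrincipalName } },
                          @{ n = 'Time'; e = { $signIn.CreatedDateTime } },
                          Result
    }
```

Once the report-only results look right, changing `state` to `enabled` on the same policy turns on enforcement.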