Forum Discussion

Ottovw's avatar
Ottovw
Copper Contributor
Oct 15, 2021
Solved

Block user access to Azure AD Powershell with Conditional Access

I can't find any way to block access to Azure AD PowerShell with Conditional Access policy. For normal users without any Azure AD role, it's possible to read other user information in Azure AD PowerS...
Azure Active Directory (AAD)
  • dvohasek's avatar
    dvohasek
    Nov 16, 2021

    Ottovw 

     

    I've had the same trouble you've had.  However, there is a way to block this via conditional access policies.  As luck would have it, we have a report only policy that blocks most things for testing purposes.  Looking at Azure logs I could see that if we had enabled that policy we would have triggered azure active directory powershell and it would have blocked it!  So what I did was I created a policy that included all cloud apps and then just excluded the ones we use in our other policies (which were a few) and boom... MFA prompted.  It seems that the azure active directory is in the enterprise apps (as you can do searches and see logs on activity) but its "hidden".  There might be a way to powershell it since i can find an application ID, but thats down the line.

     

    Hope that helps.  Godspeed

Ottovw's avatar
Ottovw
Copper Contributor
Nov 17, 2021
Thank you for your reaction! It's for now the best solution. I hope Microsoft will add a dedicated conditional access policies for Azure AD Powershell in the near future.
ChristianJBergstrom's avatar
ChristianJBergstrom
MVP
Nov 18, 2021
Hello, the Microsoft Azure Management application applies to Azure PowerShell, which calls the Azure Resource Manager API. As you noticed it does not apply to Azure AD PowerShell, which calls Microsoft Graph.

As mentioned above the way to go is instead the "except approach" where you only add those apps/services in CA that should work, and also usually for externals.

Resources