SOLVED

App Registrations and Conditional Access

Contributor

This might be a dumb question but why do conditional access policies not apply to entities accessing AzureAD via an app registration? We are building some automation scripts to run in our DataCentre as per this guide. Security teams have been asking how to lock down script access so that AzureAD only accepts connection from our DataCentre. If this was an AzureAD user we could do this via conditional access but it's not.


3 Replies

Not sure what kind of answer you are expecting here, app logins simply aren't supported for CA. On the positive, Microsoft just started surfacing login events for such scenarios, so hopefully CA will follow soon.

Thanks @Vasil Michev. I guess I am asking 'Why are they not supported'? It seems like having simple IP restriction capability against them is highly desirable. I know app registrations are available on the free tier and conditional access is not. Perhaps that is one driver behind the scenes (who knows).


I guess a clientID/Secret combination or clientID/Cert is difficult to brute force?

best response confirmed by shockotechcom (Contributor)
Solution

That's something only Microsoft can answer. But the reality is that you cannot limit logins, at least for the time being.
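
Since Conditional Access cannot restrict an app registration's sign-ins by source IP, and the thread notes that sign-in events for service principals are now surfaced, the compensating control is to review those events after the fact. The following is an added example, not code from the thread or from Microsoft: it checks an exported batch of sign-in records against an assumed datacentre egress range and reports any sign-in, successful or failed, from outside it. The record shape (servicePrincipalName, ipAddress, status.errorCode), the sample data and the network range are all constructed assumptions.

```python
"""Review service principal sign-in records against an expected source network.

Added example: the log field names mirror the usual sign-in export but are
assumptions, as are the sample records and the 203.0.113.0/24 egress range.
"""
import ipaddress
import json

# Constructed sample export; addresses are RFC 5737 documentation ranges.
SAMPLE_EXPORT = json.dumps([
    {"servicePrincipalName": "dc-automation", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"servicePrincipalName": "dc-automation", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"servicePrincipalName": "dc-automation", "ipAddress": "192.0.2.55", "status": {"errorCode": 7000215}},
    {"servicePrincipalName": "reporting-job", "ipAddress": "203.0.113.200", "status": {"errorCode": 0}},
    {"servicePrincipalName": "reporting-job", "status": {"errorCode": 0}},  # no ipAddress recorded
])

# Assumed datacentre egress range; replace with the real one.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def source_is_expected(ip, ranges):
    """True only if ip parses and falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except (TypeError, ValueError):
        return False  # a missing or malformed address is treated as unexpected
    return any(addr in net for net in ranges)


def find_unexpected_signins(records, ranges=ALLOWED_RANGES):
    """Return sign-ins whose source is outside `ranges`, tagged by outcome.

    A successful one means the credential was used from an unexpected place;
    a failed one may indicate someone trying the client ID with bad secrets.
    """
    findings = []
    for rec in records:
        ip = rec.get("ipAddress")
        if source_is_expected(ip, ranges):
            continue
        outcome = "success" if rec.get("status", {}).get("errorCode", 0) == 0 else "failure"
        findings.append({"spn": rec.get("servicePrincipalName", "?"), "ip": ip, "outcome": outcome})
    return findings


def review_export(raw_json, ranges=ALLOWED_RANGES):
    """Parse a JSON export of sign-in records and return the unexpected ones."""
    return find_unexpected_signins(json.loads(raw_json), ranges)


if __name__ == "__main__":
    for f in review_export(SAMPLE_EXPORT):
        print(f"{f['outcome']:8} {f['spn']:15} from {f['ip']}")
```

Run against a real export, the sample data goes away and only the egress range needs adjusting; the same check works for IPv6 sources because ipaddress handles both families.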