SOLVED

App Registrations and Conditional Access


This might be a dumb question but why do conditional access policies not apply to entities accessing AzureAD via an app registration? We are building some automation scripts to run in our DataCentre as per this guide (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-powershell). Security teams have been asking how to lock down script access so that AzureAD only accepts connection from our DataCentre. If this was an AzureAD user we could do this via conditional access but it's not.

3 Replies

Not sure what kind of answer you are expecting here, app logins simply aren't supported for CA. On the positive side, Microsoft just started surfacing login events for such scenarios, so hopefully CA will follow soon.


Thanks @Vasil Michev. I guess I am asking 'Why are they not supported'? It seems like having simple IP restriction capability against them is highly desirable. I know app registrations are available on the free tier and conditional access is not. Perhaps that is one driver behind the scenes (who knows).


I guess a clientID/Secret combination or clientID/Cert is difficult to brute force?

Best Response confirmed by shockotechcom (Contributor)
Solution

That's something only Microsoft can answer. But the reality is that you cannot limit logins, at least for the time being.