SOLVED

Block user access to Azure AD Powershell with Conditional Access

%3CLINGO-SUB%20id%3D%22lingo-sub-2849183%22%20slang%3D%22en-US%22%3EBlock%20user%20access%20to%20Azure%20AD%20Powershell%20with%20Conditional%20Access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2849183%22%20slang%3D%22en-US%22%3E%3CP%3EI%20can't%20find%20any%20way%20to%20block%20access%20to%20Azure%20AD%20PowerShell%20with%20Conditional%20Access%20policy.%20For%20normal%20users%20without%20any%20Azure%20AD%20role%2C%20it's%20possible%20to%20read%20other%20user%20information%20in%20Azure%20AD%20PowerShell.%20There%20is%20a%20Cloud%20app%26nbsp%3B%3CSTRONG%3EMicrosoft%20Azure%20Management%26nbsp%3B%3C%2FSTRONG%3Ewhich%20can%20be%20used%20for%20Conditional%20Access%20policy%2C%20but%20is%20%3CU%3Enot%3C%2FU%3E%20including%20Azure%26nbsp%3B%3CSTRONG%3EAD%3C%2FSTRONG%3E%20PowerShell.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ottovw_1-1634289150750.png%22%20style%3D%22width%3A%20712px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317613iFA1F333BA4449623%2Fimage-dimensions%2F712x340%3Fv%3Dv2%22%20width%3D%22712%22%20height%3D%22340%22%20role%3D%22button%22%20title%3D%22Ottovw_1-1634289150750.png%22%20alt%3D%22Ottovw_1-1634289150750.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20try%20to%20enable%20at%20least%20MFA%20for%20the%20use%20of%20Azure%20AD%20PowerShell%20to%20downscale%20the%20security%20risks%20(compromised%20accounts%20and%20reconnaissance)%20but%2C%20I%20have%20the%20same%20problems.%20It%20seems%20impossible%20to%20enforce%20MFA%20and%20PowerShell%20without%20the%20use%20of%20global%20Azure%20AD%20setting%20%E2%80%9C%3CSTRONG%3EEnable%20Security%20Defaults%E2%80%9D%3C%2FSTRONG%3E%26nbsp%3Benabled.%20When%20enabled%20(test%20tenant)%20it's%20enforcing%20MFA%20when%20trying%20to%20connect%20to%20Azure%20AD%20PowerShell.%20However%2C%20the%20use%20of%20Conditional%20Access%20policies%20is%20more%26nbsp%3Bdesirable%20for%20better%20control%20and%20therefore%20the%20security%20defaults%20are%20not%20applicable.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20also%20find%20%3CA%20href%3D%22https%3A%2F%2Fo365blog.com%2Fpost%2Flimit-user-access%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ethis%3C%2FA%3E%3A%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CPRE%3E%3CSPAN%20class%3D%22%22%3ESet-MsolCompanySettings%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3E-UsersPermissionToReadOtherUsersEnabled%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3E%24false%3C%2FSPAN%3E%3C%2FPRE%3E%3CP%3EBut%20this%20results%20in%20p%3CSPAN%3Eroblems%20in%26nbsp%3BTeams%20a%3C%2FSPAN%3E%3CSPAN%3End%20Planner%3A%20users%20will%20not%20able%20to%20add%20new%20members.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAny%20ideas%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2849183%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPowerShell%20-%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

I can't find any way to block access to Azure AD PowerShell with Conditional Access policy. For normal users without any Azure AD role, it's possible to read other user information in Azure AD PowerShell. There is a Cloud app Microsoft Azure Management which can be used for Conditional Access policy, but is not including Azure AD PowerShell. 

 

Ottovw_1-1634289150750.png

 

So I try to enable at least MFA for the use of Azure AD PowerShell to downscale the security risks (compromised accounts and reconnaissance) but, I have the same problems. It seems impossible to enforce MFA and PowerShell without the use of global Azure AD setting “Enable Security Defaults” enabled. When enabled (test tenant) it's enforcing MFA when trying to connect to Azure AD PowerShell. However, the use of Conditional Access policies is more desirable for better control and therefore the security defaults are not applicable. 

 

I have also find this

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

But this results in problems in Teams and Planner: users will not able to add new members.

 

Any ideas? 

4 Replies
best response confirmed by Ottovw (Occasional Contributor)
Solution

@Ottovw 

 

I've had the same trouble you've had.  However, there is a way to block this via conditional access policies.  As luck would have it, we have a report only policy that blocks most things for testing purposes.  Looking at Azure logs I could see that if we had enabled that policy we would have triggered azure active directory powershell and it would have blocked it!  So what I did was I created a policy that included all cloud apps and then just excluded the ones we use in our other policies (which were a few) and boom... MFA prompted.  It seems that the azure active directory is in the enterprise apps (as you can do searches and see logs on activity) but its "hidden".  There might be a way to powershell it since i can find an application ID, but thats down the line.

 

Hope that helps.  Godspeed

Thank you for your reaction! It's for now the best solution. I hope Microsoft will add a dedicated conditional access policies for Azure AD Powershell in the near future.
Hello, the Microsoft Azure Management application applies to Azure PowerShell, which calls the Azure Resource Manager API. As you noticed it does not apply to Azure AD PowerShell, which calls Microsoft Graph.

As mentioned above the way to go is instead the "except approach" where you only add those apps/services in CA that should work, and also usually for externals.

@Ottovw You can block Azure AD Powershell via Conditional Access policy, but not in GUI. You need to create policy via Powershell and API.

 

it is working for me:

https://call4cloud.nl/2020/11/the-conditional-access-experiment/