Condititional Access blocks access to AAD Management portal

Copper Contributor

Hi,
I’m trying to build CA policy with a block all, unless policy.
Therefore I have setup a block all rule, and with an exception of the ‘Microsoft Azure Management’ cloud application.

The second rule I created is another block rule, for all users, and  the cloud application ‘Microsoft Azure Management’. In this rule I have configured the exception for a security group.

The third rule is the allow rule, and the requirements a user in the allowed security  group must met, to access the azure portal.

Now the issue.

A user can access to the azure portal, but when the user tries to enter the AAD management portal, the user gets blocked by conditional access. I have attached the sign attempts. The first one is the signin to portal.azure.com, the second one, which fails, is the one trying to access AAD management portal.

any ideas how to fix this?

 

 

11 Replies

@Bernard_Semplicita  it is not clear to me what your goal is?

And your first rule, what is the user/group scope?

 

What i am trying to achieve with CA is to block all access, unless an application/resource is specifically is allowed. To allow access to the azure portal if have created the described rules. But allthough 'AAD management' is part of the 'Windows Azure Service Management API' resource, it is blocked by CA. My question is why. Based on the CA rules, i should be able te access both.
Hi, I'm also finding it kind of difficult to understand your config (or at least the description). When you create policies using 'Microsoft Azure Management' app these are included.

Azure portal
Azure Resource Manager provider
Classic Service Management APIs
*Azure PowerShell
Visual Studio subscriptions administrator portal
Azure DevOps
Azure Data Factory portal
Azure Event Hubs
Azure Service Bus
Azure SQL Database
SQL Managed Instance
Azure Synapse

*Microsoft Azure Management application applies to Azure PowerShell, which calls the Azure Resource Manager API. It does not apply to Azure AD PowerShell, which calls Microsoft Graph.

If multiple policies apply, block will take precedence.

 

You can also check the details in the Conditional Access tab > Show details

bartvermeersch_0-1638730957555.png

 

hey guys, i know the basics.
But the main question is, why can i access the main azure portal itself, and CA is not blocking here, but, when i try to access the AAD management pane, CA is blocking.

I would like to know why, while both 'applications' are accessed/protected via the 'Microsoft Azure Management' cloud app, the result is not the same.
If you check the fail and succes log i attached, you can see the Application and Resource are the same.


Hi, I can actually reproduce the exact dumps you attached when using the "whitelist approach", i.e. 'block all cloud apps, except' and only adding a few (incl. Azure Management app). No other policies on the test user. Let me know if you stumble across something you've previously overlooked, thanks.

@Bernard_Semplicita 

Have you selected "All cloud apps" in the first block rule?
If so, what happens if you edit the rule to block only the cloud apps that are selectable in the list?

As is mentioned in the documents below, not all Azure services are onboarded for conditional access, so maybe there is some backend service that is required to access Azure AD, that is currently being blocked?
One would think that the service in question would show up in the sign in logs as being blocked though..
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

Yeah, I agree that there's probably something backend causing this and was thinking about it in the same way, but too lazy doing just that 🙂 Will probably do some more testing when work allows for it.

@Jonhed
manually selecting all cloud apps, instead of the 'all cloud apps' does work. I also noticed, it is not just the AAD management portal being blocked, also the endpoint manager portal is blocked, when i use the default option 'All cloud apps'

When manual selecting the apps, this portal is also available again.

Great, no need for testing then!
I'm going to create a ticket with MS. Manually selecting all apps might be a workarround, but not the one i would like to use.
Will post an update when i have one.