
Conditional Access with Azure Registered App


Is there a way to restrict access to an Azure AD registered application based on IP address or location when the said application is using a client secret because of its use as a Windows Service, for example, so there is no underlying user to pass credentials?


This would mean there is no username passed to Azure AD in order to evaluate against a conditional access policy?


Has anyone else seen this scenario or have a solution for it? Is there even a solution?

3 Replies

Conditional access is not supported for the client credential auth flow. Add restrictions in the app itself?


The risk I'm trying to mitigate is a client secret being used maliciously outside of the corporate network. While yes, you could add restrictions in an app, there is nothing stopping a dev sitting at home with the client secret and using their own app to extract the data ...


At least with a set of credentials they would have to pass through an identity provider and hit either a limit on ADFS or conditional access.


But nothing is stopping the use of a client secret anywhere in the world from what I can see. Also, I don't think I can see logins to an app with a client secret in the sign-in logs.


All this is true, and part of the reason why the certificate method is "recommended" over client secret. But yeah, Microsoft can definitely improve things a bit on that front.
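The risk discussed in this thread (a client secret replayed from outside the corporate network) can at least be detected after the fact if app-only sign-ins are exported from the identity provider into a SIEM or a log file. The following is an added example, not code from the thread or from Microsoft: it scans constructed sign-in records in a simplified, assumed field layout (the field names and the corporate IP ranges are placeholders) and flags successful service-principal sign-ins from non-corporate addresses, rating secret-based ones higher than certificate-based ones because a secret is far easier to copy than a certificate's private key.

```python
import ipaddress
import json

# Constructed sample records in a simplified JSON-lines shape. The field names are
# assumptions for this example, not the real Azure AD sign-in log schema.
SAMPLE_LOG = """
{"appId": "00000000-0000-0000-0000-00000000aaaa", "app": "PayrollSync", "ipAddress": "10.20.30.40", "credentialType": "clientSecret", "resource": "Microsoft Graph", "result": "success"}
{"appId": "00000000-0000-0000-0000-00000000aaaa", "app": "PayrollSync", "ipAddress": "203.0.113.77", "credentialType": "clientSecret", "resource": "Microsoft Graph", "result": "success"}
{"appId": "00000000-0000-0000-0000-00000000bbbb", "app": "BackupAgent", "ipAddress": "198.51.100.9", "credentialType": "certificate", "resource": "Azure Storage", "result": "success"}
{"appId": "00000000-0000-0000-0000-00000000aaaa", "app": "PayrollSync", "ipAddress": "10.20.30.41", "credentialType": "clientSecret", "resource": "Microsoft Graph", "result": "failure"}
"""

# Placeholder corporate egress ranges; replace with the organisation's real ones.
CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]


def is_corporate(ip):
    """True if the address falls inside one of the known corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def parse_events(raw):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def find_offnetwork_sp_signins(events):
    """Return successful app-only sign-ins whose source IP is outside corporate ranges."""
    findings = []
    for e in events:
        if e["result"] != "success" or is_corporate(e["ipAddress"]):
            continue
        findings.append({
            "appId": e["appId"],
            "app": e["app"],
            "ip": e["ipAddress"],
            "credentialType": e["credentialType"],
            "resource": e["resource"],
            # A leaked secret is portable; a certificate still needs its private key.
            "severity": "high" if e["credentialType"] == "clientSecret" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_offnetwork_sp_signins(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['app']} ({f['appId']}) from {f['ip']} "
              f"using {f['credentialType']} -> {f['resource']}")
```

Pairing the app ID with an allow-list of expected source addresses per service is the app-side equivalent of the location-based Conditional Access the thread asks about; it does not block the token issuance, but it makes off-network use of a secret visible.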