cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Block user access to Azure AD Powershell with Conditional Access

Ottovw
Occasional Contributor

‎Oct 15 2021 02:18 AM - last edited on ‎Jan 14 2022 04:00 PM by

‎Oct 15 2021 02:18 AM - last edited on ‎Jan 14 2022 04:00 PM by

Block user access to Azure AD Powershell with Conditional Access

I can't find any way to block access to Azure AD PowerShell with Conditional Access policy. For normal users without any Azure AD role, it's possible to read other user information in Azure AD PowerShell. There is a Cloud app Microsoft Azure Management which can be used for Conditional Access policy, but is not including Azure AD PowerShell. 

 

Ottovw_1-1634289150750.png

 

So I try to enable at least MFA for the use of Azure AD PowerShell to downscale the security risks (compromised accounts and reconnaissance) but, I have the same problems. It seems impossible to enforce MFA and PowerShell without the use of global Azure AD setting “Enable Security Defaults” enabled. When enabled (test tenant) it's enforcing MFA when trying to connect to Azure AD PowerShell. However, the use of Conditional Access policies is more desirable for better control and therefore the security defaults are not applicable. 

 

I have also find this

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

But this results in problems in Teams and Planner: users will not able to add new members.

 

Any ideas? 

13.6K Views
0 Likes
4 Replies
Reply
4 Replies
best response confirmed by Ottovw (Occasional Contributor)
dvohasek

‎Nov 16 2021 01:20 PM

‎Nov 16 2021 01:20 PM

Solution

Re: Block user access to Azure AD Powershell with Conditional Access

@Ottovw 

 

I've had the same trouble you've had.  However, there is a way to block this via conditional access policies.  As luck would have it, we have a report only policy that blocks most things for testing purposes.  Looking at Azure logs I could see that if we had enabled that policy we would have triggered azure active directory powershell and it would have blocked it!  So what I did was I created a policy that included all cloud apps and then just excluded the ones we use in our other policies (which were a few) and boom... MFA prompted.  It seems that the azure active directory is in the enterprise apps (as you can do searches and see logs on activity) but its "hidden".  There might be a way to powershell it since i can find an application ID, but thats down the line.

 

Hope that helps.  Godspeed

0 Likes
Reply
Ottovw

‎Nov 17 2021 12:39 AM

‎Nov 17 2021 12:39 AM

Re: Block user access to Azure AD Powershell with Conditional Access

Thank you for your reaction! It's for now the best solution. I hope Microsoft will add a dedicated conditional access policies for Azure AD Powershell in the near future.
0 Likes
Reply
ChristianJBergstrom

‎Nov 18 2021 04:38 AM

‎Nov 18 2021 04:38 AM

Re: Block user access to Azure AD Powershell with Conditional Access

Hello, the Microsoft Azure Management application applies to Azure PowerShell, which calls the Azure Resource Manager API. As you noticed it does not apply to Azure AD PowerShell, which calls Microsoft Graph.

As mentioned above the way to go is instead the "except approach" where you only add those apps/services in CA that should work, and also usually for externals.
0 Likes
Reply
Kasia Persson

‎Dec 29 2021 03:54 AM

‎Dec 29 2021 03:54 AM

Re: Block user access to Azure AD Powershell with Conditional Access

@Ottovw You can block Azure AD Powershell via Conditional Access policy, but not in GUI. You need to create policy via Powershell and API.

 

it is working for me:

https://call4cloud.nl/2020/11/the-conditional-access-experiment/

 

 

2 Likes
Reply