Restricting global admin powershell scheduled task

Hi,


Hoping someone can help me. I have a global admin account which runs a PowerShell script weekly from an Azure VM on an internal network with no public IP. I would like to restrict this account so it is only authorised to run from this internal VM, which I have tried to do using a CAP with a location-based restriction on the internal subnet. The issue I face is that when the script runs, Azure assigns it a cloud IP, which is outside of the internal subnet, to carry out its tasks. I have no way of predicting this IP address, so I am unable to use CAP to restrict it.


Does anyone have any workarounds, and are there alternative ways to run PowerShell scripts other than using an elevated user account on a VM?


Regards
Ben

3 Replies
Where is this script running from? You could check the IPs here (https://www.microsoft.com/en-us/download/details.aspx?id=56519)

I am personally not a fan of using a global admin for the script. Can't you use the Graph API with application permissions?

@Ben Curran 
As Thijs mentioned, I would stay away from scripts running as GA.
And is this VM only for this script? Maybe consider moving this script to a Workbook and schedule, or if you need logs etc, maybe an Azure Function. Then there is no worry about IP and blocking this script from ever "leaving" Azure.

Of course, depends on what the script does, but if it needs GA, it sounds like it runs towards Azure services.

Hi both, thanks for your input. I have done some further investigation and it looks like we may be able to use an automation account for this task. I agree, I also don't like using any account with GA for any task if it can be avoided. I'll see how we get on with this new direction and if it doesn't work, will look at what you have recommended.


Thanks
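As an added illustration of the direction the replies point to (application permissions on Graph, and an Automation account rather than a GA user on a VM), here is an example Azure Automation runbook. It is not code from the thread or from any of the participants. It assumes the Automation account has a system-assigned managed identity, that an admin has granted that identity the `User.Read.All` Graph application permission, and that the `Microsoft.Graph.Authentication` and `Microsoft.Graph.Users` modules are imported into the account; the workload (listing guest accounts) is a placeholder, since the thread never says what the weekly script does.

```powershell
# Added example runbook (not from the thread). Runs under the Automation
# account's system-assigned managed identity instead of a Global Admin user.
# Assumptions: managed identity enabled; User.Read.All application permission
# granted to it; Microsoft.Graph.Authentication and Microsoft.Graph.Users
# modules imported into the Automation account.

# Make any failure terminate the job so it is reported as Failed rather than
# quietly completing with partial output.
$ErrorActionPreference = 'Stop'

# Authenticate as the managed identity. No password, secret or certificate is
# stored in the runbook, and the token can only be requested from inside the
# Automation service, which removes the "which IP will it come from" problem
# that a location-based Conditional Access policy could not solve for a user.
Connect-MgGraph -Identity -NoWelcome

# Confirm we are app-only (no signed-in user) before touching anything.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected app-only authentication, got '$($ctx.AuthType)'."
}

# Placeholder workload: report guest accounts. Only User.Read.All is needed.
# If the permission was not granted, Graph returns 403 and the job fails here.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property 'displayName', 'userPrincipalName', 'createdDateTime'

Write-Output ("Found {0} guest account(s)." -f $guests.Count)
foreach ($g in $guests) {
    Write-Output ("{0} <{1}> created {2:yyyy-MM-dd}" -f
        $g.DisplayName, $g.UserPrincipalName, $g.CreatedDateTime)
}

Disconnect-MgGraph | Out-Null
```

The point of the design is least privilege: the identity holds exactly one application permission, cannot sign in interactively, has no credential to leak from the VM, and every run is recorded as an Automation job, so the schedule replaces both the Task Scheduler entry and the Global Admin account.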