App Registrations and Conditional Access

shockoQA 126 Reputation points
2020-10-07T22:58:20.153+00:00

This might be a dumb question, but why do conditional access policies not apply to entities accessing AzureAD via an app registration? We are building some automation script to run in our DataCentre as per [this][1] guide. Security teams have been asking how to lock down its access so that AzureAD only accepts connections to it from our DataCentre. If this were an AzureAD user we could do this via conditional access, but it's not.

Microsoft Entra ID

Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-10-08T09:53:46.63+00:00

    Hello @shockoQA , thank you for reaching out. I checked the link shared by you and the PS cmdlets used there are basically used to create a service principal in AAD. The steps mentioned in that article don't include any authentication step. The authentication step is required as a Conditional Access Policy gets triggered only after the authentication happens successfully for the user. But if the authentication is happening in the application's context or trying to log in to AAD using Service Principals, CA policy won't work there. They are normally used by back-end services allowing programmatic access to applications but are also used to sign in to systems for administrative purposes.

    What you can do is block access to your Azure Portal from the Internet and just keep the access open for your Datacenter, so that only your data center can access the Azure Portal. But there are no CA Policies available to block PowerShell logins or Logins using Service Principals.

    To set up that block you need to create Named Locations in CA policies and add the specific Datacenter IP or IP Range in /32 CIDR format.

    Steps:

    • Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Named locations > +New Location > Type a name and add the IP address that you want to allow.
    • Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies > +New Policy > Configure the settings below:
      • Users and Groups : Select required users.
      • Cloud apps or actions : Select apps > Microsoft Azure Management.
      • Conditions : Locations > Include > Any location. Exclude > select the location created in the first step.
      • Grant : Block access
      • Enable policy > On > Click on the Create button.

    This will block access to Azure Portal from Any location, except your custom location. More details on Named Locations can be found here: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

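The two steps in the accepted answer, expressed as Microsoft Graph PowerShell rather than portal clicks, as an added example that is not part of the answer above. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller holds the Policy.ReadWrite.ConditionalAccess permission, and that the data centre IP, the target group id and the break-glass account id are replaced with real values (the ones below are constructed placeholders). The policy is created in report-only state first so the sign-in logs show what it would block before it is enforced.

```powershell
# Added example (not the answer's own script): create the named location and
# the "block Microsoft Azure Management outside the data centre" policy that
# the accepted answer walks through in the portal.

# Scopes needed to read and write Conditional Access configuration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# CONSTRUCTED sample value: replace with the data centre's public egress IP (/32).
$datacentreCidr = "203.0.113.10/32"

# PLACEHOLDER: object id of the group whose members the policy should apply to.
$targetGroupId = "<group-object-id>"

# PLACEHOLDER: an emergency-access (break-glass) account excluded from the block
# so a mistake in the location list cannot lock every administrator out.
$breakGlassUserId = "<break-glass-user-object-id>"

# Well-known application id of "Microsoft Azure Management"
# (Windows Azure Service Management API), the cloud app the answer selects.
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Step 1: named location holding the allowed /32 range.
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Datacentre egress"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $datacentreCidr
        }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# Step 2: policy that blocks the app from every location except that one.
# Report-only first; change state to "enabled" after reviewing the sign-in logs.
$policyBody = @{
    displayName   = "Block Azure Management outside datacentre"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{ includeApplications = @($azureManagementAppId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# Read back what was created before deciding to enforce it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State
```

As the answer notes, this policy is evaluated only for interactive user sign-ins to the selected app; a service principal authenticating with its own credential is not covered by it, so the data-centre restriction for the automation identity has to come from elsewhere (for example, network controls in front of the script host).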

1 additional answer
  1. shockoQA 126 Reputation points
    2020-10-13T09:31:34.677+00:00

    Thanks for the detailed answer! Much appreciated.
