question

0 Votes
shockoQA asked

App Registrations and Conditional Access

This might be a dumb question but why do conditional access policies not apply to entities accessing AzureAD via an app registration? We are building some automation scripts to run in our DataCentre as per [this][1] guide. Security teams have been asking how to lock down its access so that AzureAD only accepts connections to it from our DataCentre. If this was an AzureAD user we could do this via conditional access but it's not.


[1]: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-powershell

azure-ad-conditional-access

1 Vote
soumi-MSFT answered

Hello @shockoQA, thank you for reaching out. I checked the link shared by you and the PS cmdlets used there are basically used to create a service principal in AAD. The steps mentioned in that article don't include any authentication step. The authentication step is required as a Conditional Access Policy gets triggered only after the Authentication happens successfully for the user. But if the authentication is happening in the application's context or trying to log in to AAD using Service Principals, CA policy won't work there. They are normally used by back-end services allowing programmatic access to applications but are also used to sign in to systems for administrative purposes.

What you can do is block access to your Azure Portal from the Internet and just keep the access open for your Datacenter, so that only your data center can access the Azure Portal. But there are no CA Policies available to block PowerShell logins or Logins using Service Principals.

To set up that block you need to create Named Locations in CA policies and add the specific Datacenter IP or IP Range in /32 CIDR format.

Steps:

  • Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Named locations > +New Location > Type a name and add the IP address that you want to allow.

  • Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies > +New Policy > Configure the settings below:

  • Users and Groups : Select required users.

  • Cloud apps or actions : Select apps > Microsoft Azure Management.

  • Conditions : Locations > Include > Any location. Exclude > select the location created in the first step.

  • Grant : Block access

  • Enable policy > On > Click on Create button.

This will block access to Azure Portal from Any location, except your custom location. More details on Named Locations can be found here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.





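The answer above explains that a location-based Conditional Access policy is only evaluated for user sign-ins, so the named-location block it describes leaves service principal sign-ins from the app registration unrestricted. As an added example (not part of the question, the answer, or any Microsoft tooling), the Python below shows the compensating detection a defender would want alongside that policy: replaying service principal sign-in records against the same datacenter IP ranges and flagging any sign-in whose source address falls outside them. The named location, the log records and every value in them are constructed for this example; the field names follow the shape of Azure AD sign-in log entries, but nothing here talks to Azure.

```python
import ipaddress
import json
from typing import Iterable, List

# Constructed stand-in for the Conditional Access named location from the
# answer: the datacenter egress addresses, in the /32 CIDR form it describes
# (plus one IPv6 range to show that both address families are handled).
DATACENTER_LOCATION = {
    "displayName": "DataCentre egress (constructed)",
    "ipRanges": ["203.0.113.10/32", "203.0.113.11/32", "2001:db8:10::/64"],
}

# Constructed sample records in the shape of service principal sign-in log
# entries, one JSON object per line. The appId, times and addresses are made up.
SAMPLE_SIGNINS = """
{"createdDateTime": "2021-03-01T08:00:12Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2021-03-01T08:05:44Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2021-03-01T08:07:01Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "2001:db8:10::5", "status": {"errorCode": 0}}
{"createdDateTime": "2021-03-01T08:09:30Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "not-an-ip", "status": {"errorCode": 0}}
{"createdDateTime": "2021-03-01T08:11:15Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "198.51.100.8", "status": {"errorCode": 7000215}}
"""


def compile_location(location: dict) -> List[ipaddress._BaseNetwork]:
    """Parse a named location's CIDR list into network objects once, up front."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in location["ipRanges"]]


def classify_ip(ip_text: str, networks: List[ipaddress._BaseNetwork]) -> str:
    """Return 'allowed', 'outside' or 'unparseable' for one source address.

    An address that cannot be parsed is never treated as allowed: the check
    fails closed so a malformed log field cannot hide an out-of-location sign-in.
    Membership tests across address families are simply False, so an IPv4
    address is never matched by an IPv6 range or vice versa.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    return "allowed" if any(addr in net for net in networks) else "outside"


def find_out_of_location_signins(log_lines: Iterable[str], location: dict) -> List[dict]:
    """Flag every service principal sign-in whose source is not in the named location.

    A successful sign-in from outside the datacenter is the high-severity case
    (the credential is being used somewhere it should never be). Failed sign-ins
    and unparseable addresses are still reported, at medium severity, because
    they are worth a look but do not prove the credential worked.
    """
    networks = compile_location(location)
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        record = json.loads(raw)
        verdict = classify_ip(record.get("ipAddress", ""), networks)
        if verdict == "allowed":
            continue
        succeeded = record.get("status", {}).get("errorCode", 0) == 0
        findings.append({
            "time": record["createdDateTime"],
            "principal": record.get("servicePrincipalName"),
            "appId": record.get("appId"),
            "ip": record.get("ipAddress"),
            "reason": verdict,
            "severity": "high" if verdict == "outside" and succeeded else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_out_of_location_signins(SAMPLE_SIGNINS.splitlines(), DATACENTER_LOCATION):
        print(f"[{finding['severity']}] {finding['time']} {finding['principal']} "
              f"from {finding['ip']} ({finding['reason']})")
```

On the constructed sample this reports three records: the successful sign-in from 198.51.100.7 as high severity, and the unparseable address and the failed sign-in from 198.51.100.8 as medium. In practice the same function would be fed exported service principal sign-in records and the real named-location ranges; keeping the ranges in one place means the detection and the policy cannot drift apart.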

0 Votes
shockoQA answered

Thanks for the detailed answer! Much appreciated.
