0 Votes
securethelogs asked ·

Azure Management: Breakout PowerShell

Hey guys,

Is there any option or future solution to break out PowerShell in Microsoft Azure Management?

At the minute, that is the only app that you can apply conditional access to; however, the apps inside are used differently.

With the admin restriction excluding PowerShell and VS, here is why I’m concerned:

https://securethelogs.com/2020/03/11/bypass-azuread-administration-portal-restriction/

Tags: azure-active-directory, azure-ad-authentication, azure-ad-conditional-access

0 Votes
amanpreetsingh-msft answered ·

@securethelogs By default all users have permission to read directory objects such as users, groups, applications, and service principals in their tenant via the Graph API. PowerShell and VS make direct Graph calls to Azure AD to fetch information, which is why we cannot use the same method as for the Azure Portal to restrict access to Azure AD. Restricting read permission via the Graph API would break the core functionality. So the best we can do is to restrict access to trusted locations via Conditional Access, as mentioned in the post that you shared.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


0 Votes
securethelogs answered ·

@amanpreetsingh-msft, just thinking out loud...

Do Graph and Azure PowerShell have different application IDs?
If you lock down based on the PowerShell (Azure Active Directory PowerShell) AppID, it wouldn't affect its calls to Graph, as Azure would request it as Graph?

Do they use different ports for the initial login or management?
For instance, I'm assuming Connect-AzureAD functions on 443, but do the modules interact with the API on 3443? Could the app differentiate the ports so you could separate out the Azure Portal?

The concern for me isn't so much the functionality of the restrict button. It's more that all these apps/functions are grouped within a single cloud app. This means you are limited when using conditional access.

An enterprise will use the GUI Azure portal differently than, say, PowerShell. Because Azure is grouped in management, locking down the portal to trusted networks or locations might not be a viable option, especially when working with global instances. Locking down PowerShell, however, is, as we don't want this being opened to the internet; the automation piece behind it is, well, powerful. If our engineers are working on this, they can do it on a company server so that we retain the audit logs.

Another thought is user agent?
Won't PowerShell/VS and the GUI Portal have different User Agents?


0 Votes
amanpreetsingh-msft answered ·

Hi @securethelogs,

Azure portal uses Graph api-version=1.61-internal and PowerShell uses Graph api-version=1.6. There is no difference in port number; both use port 443 (HTTPS).

Yes, the User Agent will be different in both cases, but I don't think there is a way to apply any sort of restriction on the basis of the User-Agent string via a CA policy.

User-Agent for Azure Portal accessed via Google Chrome: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.37

User-Agent for PowerShell: Swagger-Codegen/1.4.0.0/csharp

Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


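As an added example that is not part of this thread and not Microsoft tooling: since the answer above says a Conditional Access policy cannot key on the User-Agent, the difference between the two strings it quotes is still usable on the detection side. The script below scans sign-in records and flags non-browser clients (the `Swagger-Codegen/…/csharp` agent the answer attributes to PowerShell, or any other non-browser agent) that signed in from outside a trusted network, which is the compensating control the original poster describes (scripted administration is expected only from company servers). The sign-in records, user names, IP addresses and the `10.20.30.0/24` trusted range are constructed for the example; the field names only loosely mirror an Azure AD sign-in log export and are an assumption, not the real schema.

```python
import ipaddress
import json

# Constructed sample records (invented values, loosely shaped like an Azure AD
# sign-in log export; the field names are assumed, not the real schema).
# The two User-Agent strings are the ones quoted in the answer above.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "appDisplayName": "Azure Portal",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.37"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "10.20.30.40",
     "appDisplayName": "Microsoft Azure Management",
     "userAgent": "Swagger-Codegen/1.4.0.0/csharp"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Azure Management",
     "userAgent": "Swagger-Codegen/1.4.0.0/csharp"},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.8",
     "appDisplayName": "Microsoft Azure Management",
     "userAgent": "python-requests/2.23.0"},
])

# Assumed corporate range where scripted administration is expected to run.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def classify_user_agent(ua: str) -> str:
    """Coarse client classification from the User-Agent string."""
    if ua.startswith("Mozilla/"):
        return "browser"
    if ua.startswith("Swagger-Codegen/"):
        # The User-Agent the answer above reports for the AzureAD PowerShell module.
        return "powershell"
    return "other-nonbrowser"


def is_trusted_ip(ip: str, trusted_networks=TRUSTED_NETWORKS) -> bool:
    """True when the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_networks)


def flag_nonbrowser_signins(signins_json: str, trusted_networks=TRUSTED_NETWORKS):
    """Return sign-ins by non-browser clients from outside the trusted networks.

    A CA policy on "Microsoft Azure Management" cannot separate these from
    portal sign-ins, so this is a detection-side compensating control, not a
    preventive one; the User-Agent is client-supplied and only a signal.
    """
    flagged = []
    for rec in json.loads(signins_json):
        client = classify_user_agent(rec.get("userAgent", ""))
        if client == "browser":
            continue
        if is_trusted_ip(rec["ipAddress"], trusted_networks):
            continue
        flagged.append({
            "user": rec["userPrincipalName"],
            "client": client,
            "ip": rec["ipAddress"],
            "app": rec.get("appDisplayName", ""),
        })
    return flagged


if __name__ == "__main__":
    for hit in flag_nonbrowser_signins(SAMPLE_SIGNINS):
        print(f"ALERT non-browser sign-in from untrusted network: {hit}")
```

Run against the constructed sample, the script reports carol (PowerShell from an untrusted address) and dave (an unrecognised non-browser agent) while leaving alice's browser sign-in and bob's PowerShell sign-in from the trusted range alone; in practice the same logic would be expressed as a KQL query or SIEM rule over the real sign-in export rather than a standalone script.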