Question

L2v2P-7209 asked

Key Vault access blocked by conditional access policy; unclear why

We have set up a conditional access policy that blocks access to all cloud apps from desktop clients except for a few exceptions. One of those exceptions is the Microsoft Azure Management cloud app. The policy works well, except that it blocks access to key vaults in Azure from the Microsoft Azure CLI.

Does anyone have a clue as to how to solve this problem? Are key vaults covered by any other cloud app?

Thanks!

Tags: azure-key-vault, azure-ad-conditional-access

1 Answer

MarileeTurscak-MSFT answered

According to the guide here, this appears to be expected behavior.

Use the Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App. This can prevent the creation and changes to resources within a high security environment, such as those with Key Vault configuration.

It also shows in the accompanying documentation that the policy "applies to Azure PowerShell, which calls the Azure Resource Manager API. It does not apply to Azure AD PowerShell, which calls Microsoft Graph." So there may be a way around this using Microsoft Graph. https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

I am reaching out to the product team to see if there is a better recommended approach here.
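A check that helps untangle the behaviour discussed in the answer above (added example, not code from the thread or from Microsoft): Conditional Access evaluates the resource an access token is issued for, so the first thing to inspect is the `aud` claim of the token the CLI actually uses. The example assumes that ARM calls carry the audience https://management.azure.com (the "Microsoft Azure Management" app) while Key Vault data-plane calls carry https://vault.azure.net, which falls outside that app; the tokens below are constructed locally so the script runs offline.

```python
import base64
import json

# ASSUMPTION for this example: the "Microsoft Azure Management" Conditional
# Access app covers tokens issued for Azure Resource Manager, i.e. this
# audience. Key Vault's data plane (https://vault.azure.net) is a separate
# resource and is therefore not covered by an exclusion for that app.
AZURE_MANAGEMENT_AUDIENCES = {"https://management.azure.com"}


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a JWT for inspection only.

    No signature verification is done here; this is a troubleshooting aid,
    not an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload_b64 = parts[1]
    # JWTs use unpadded base64url; restore the padding before decoding.
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def covered_by_azure_management(token: str) -> bool:
    """True if the token's audience belongs to the Microsoft Azure Management app."""
    aud = decode_jwt_payload(token).get("aud", "")
    covered = {a.rstrip("/") for a in AZURE_MANAGEMENT_AUDIENCES}
    return aud.rstrip("/") in covered


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed for this example, not a real Azure token).

    In practice the token to inspect comes from
    `az account get-access-token --resource <resource>`.
    """
    def seg(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.signature"


# Constructed tokens mirroring what `az group list` and `az keyvault secret show` request.
ARM_TOKEN = _constructed_token({"aud": "https://management.azure.com/", "scp": "user_impersonation"})
KV_TOKEN = _constructed_token({"aud": "https://vault.azure.net", "scp": "user_impersonation"})

if __name__ == "__main__":
    for name, tok in (("ARM control plane", ARM_TOKEN), ("Key Vault data plane", KV_TOKEN)):
        print(f"{name}: aud={decode_jwt_payload(tok)['aud']} covered={covered_by_azure_management(tok)}")
```

If the Key Vault token's `aud` is not in the covered set, the policy exclusion for "Microsoft Azure Management" does not apply to it, which matches the blocked `az keyvault` calls described in the question.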

Use the Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App. This can prevent the creation and changes to resources within a high security environment, such as those with Key Vault configuration.

Thanks for your reply and thanks for reaching out to the product team.

The documentation seems to be unclear here, because I would assume the opposite is also true: allowing access to the "Microsoft Azure Management" (which is what we do) would also allow interacting with key vaults. However, this is exactly what is being prevented.
