LokeshKumar asked · LokeshKumar commented

Enforce MFA for Azure PowerShell modules

Hello Team,

Is there any workaround to enforce MFA for Azure PowerShell modules like Connect-AzureAD? There's no way to scope PowerShell in the CA policy to enforce controls.

But this works only if the policy is scoped to "All cloud apps", which will cause other apps and users additional burden & undesirable effects.

So is there any way we can overcome this scenario?

azure-ad-conditional-access

1 Answer

amanpreetsingh-msft answered · LokeshKumar commented

Hi @LokeshKumar · Thank you for reaching out.

Conditional Access protects cloud apps (resources), which means you can specify which resources need to be protected via a CA policy, but you cannot apply Conditional Access to client applications. With regard to client apps, you can configure CA policies to trigger MFA when the resources are being accessed via browser or native app, but you cannot specify the exact client application, e.g. PowerShell.

That means, you cannot tweak conditional access policy to trigger MFA only when using Azure PowerShell modules.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi Amanpreet
Thanks for the response.

Isn't there any way to cover this use case? The problem right now is that any user inside the tenant can use Connect-AzureAD and get details of the tenant. So I'm trying to implement controls like MFA / VPN, so that we can reduce the attack surface.

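The answer's point in policy form, as an added example that is not part of the original thread: a Conditional Access policy selects resources and a coarse client app category (browser or native app), and has no field for one specific client such as PowerShell. It uses the Microsoft Graph PowerShell SDK; the group ID is a placeholder, the display name is made up, and limiting the policy to a pilot group in report-only mode is an assumption about how you would want to gauge impact.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph.Identity.SignIns module.
# Placeholder: replace with the object ID of a pilot security group in your tenant.
$pilotGroupId = '<pilot-group-object-id>'

$policy = @{
    # Made-up name for illustration.
    displayName = 'Require MFA - native clients - pilot'

    # Report-only: the result is recorded in the sign-in logs, nobody is prompted or blocked.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        # Scope by user first, so the "All cloud apps" target below does not hit everyone.
        users = @{
            includeGroups = @($pilotGroupId)
        }

        # What CA protects: resources. 'All' is the "All cloud apps" scope from the question.
        applications = @{
            includeApplications = @('All')
        }

        # The only client-side selector: a category, not an application.
        # 'mobileAppsAndDesktopClients' is the "native app" category from the answer;
        # 'browser' is left out, so browser sign-ins are not matched by this policy.
        # There is no property here that takes "PowerShell" or a client app ID.
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }

    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```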