Blocking PowerShell for EDU Tenants

Overview

By default in M365, any member user in Azure AD can use common tools to connect to the tenant and view/download user details and directory information. This article explains how to block several common tools that might be used for this purpose.

Blocking PowerShell

To block the PowerShell App ID, follow the instructions below.

Block PowerShell for everyone except me

This script will block PowerShell for everyone in the tenant, except the person running the script. Use with caution to ensure you don't block users (e.g. IT admins) who will need access.

  1. Download the PowerShell script located here and save in c:\temp

  2. Launch PowerShell and run the cmd below:

    Set-Location c:\temp

  3. Type the cmd below and press enter

    .\Block-PowerShell_for_everyone_except_me.ps1

  4. If anyone attempts to authenticate using the Azure AD v2 PowerShell module, they will receive an error similar to what's shown below:

Powershell error for Azure AD V2 authentication.

Block PowerShell for everyone except a list of admins

This script will block PowerShell for everyone in the tenant, except for a list of users specified in the CSV file. Double check your list is correct.

  1. Download the PowerShell script located here and the sample CSV file located here, and save both in c:\temp

  2. Open the CSV and update the UserPrincipalName list with every admin that requires PowerShell access. Once updated, save and close the CSV file.

    CSV file to update the UserPrincipal name.

  3. Launch PowerShell and run the cmd below:

    Set-Location c:\temp

  4. Type the cmd below and press enter.

    .\Block-PowerShell_for_everyone_except_a_list_of_admins.ps1

Block MS Graph PowerShell for everyone except me

This script will block the MS Graph PowerShell module for everyone in the tenant, except the person running the script. Use with caution.

  1. Download the PowerShell script located here and save in c:\temp

  2. Launch PowerShell and run the cmd below:

    Set-Location c:\temp

  3. Type the cmd below and press enter

    .\Block-PowerShell_for_everyone_except_me.ps1

  4. If anyone attempts to authenticate using the MS Graph PowerShell module, they will receive an error similar to what's shown below:

    Powershell error when trying to authenticate using MS Graph.

Block MS Graph PowerShell for Everyone except a list of users

This script will block MS Graph PowerShell module for everyone in the tenant, except for a list of users specified in the CSV file. Use with caution.

  1. Download the PowerShell script located here and the sample CSV file located here, and save both in c:\temp

  2. Open the CSV and update the UserPrincipalName list with every admin that requires PowerShell access. Once updated, save and close the CSV file.

    CSV file and update UserPrincipalName.

  3. Launch PowerShell and run the cmd below:

    Set-Location c:\temp

  4. Type the cmd below and press enter

    .\Block-MS_Graph_module_for_everyone_except_a_list_of_admins.ps1

Blocking MS Graph Explorer

To block MS Graph Explorer for targeted users, follow the instructions below to set up a Conditional Access policy.

Conditional Access in Azure AD requires Azure AD P1.

  1. Go to Conditional Access in the Azure AD Portal.

  2. Click New Policy.

  3. Provide a name for the policy like Block Graph Explorer.

  4. Select the users to apply the policy against, and admins to exclude from the policy.

    Select users to apply policy against.

    Select admins to exclude from policy.

  5. Select the Graph Explorer apps.

    Select the Graph Explorer apps.

  6. Select the Block Access Option and Switch the policy to On.

    Select Block Access option and switch policy to on.

  7. Click Create.

Blocking the MSOL Module

To block the MSOL PowerShell Module for end users, follow the instructions below.

Note

If not done already, you will need to consent to delegated Directory.AccessAsUser.All before making this PATCH call.

  1. Log into MS Graph Explorer.

  2. Click the sign-in button on the left-hand navigation pane.

    Click sign-in button.

  3. In the Query builder, select PATCH from the first dropdown menu, and select beta from the second dropdown menu.

    select PATCH.

  4. In the bar with the URL, enter the string listed below.

    https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy

    enter the string listed below.

  5. In the Request Body text block, enter the code below and click Run query.

    {"blockMsolPowerShell": true}

    enter the code below and click run query.

  6. Once “blockMsolPowerShell” is set to true, users will get this error if they try to call any MSOL cmdlets:

    Error when user tries to call MSOL cmdlets.
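The same PATCH call, run from the Microsoft Graph PowerShell SDK instead of Graph Explorer, with a read-back to confirm the change. This is an added example, not part of the original article; it assumes the Microsoft.Graph.Authentication module is installed and uses the delegated scope the note above names.

```powershell
# Added example (not from the original article): set blockMsolPowerShell with
# the Microsoft Graph PowerShell SDK. Assumes Microsoft.Graph.Authentication
# is installed; an admin must have consented to the delegated scope once.
Connect-MgGraph -Scopes 'Directory.AccessAsUser.All'

# Same endpoint as step 4 above (beta authorizationPolicy singleton).
$uri = 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy'

# Read the current value first so the change can be reverted if needed
# (set the property back to $false to undo).
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
Write-Host "blockMsolPowerShell before: $($before.blockMsolPowerShell)"

# Same request body as step 5 above.
$body = @{ blockMsolPowerShell = $true }
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

# The PATCH returns no content on success, so verify by reading the policy again.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($after.blockMsolPowerShell -ne $true) {
    throw 'blockMsolPowerShell was not set; check that the scope was consented.'
}
Write-Host 'MSOL PowerShell cmdlets are now blocked for non-admin users.'
```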

Blocking Exchange Online PowerShell

To block access to Exchange Online PowerShell, follow the instructions at the link below.

https://docs.microsoft.com/powershell/exchange/disable-access-to-exchange-online-powershell?view=exchange-ps

Control access to Intune PowerShell

By default, once a Global Administrator consents to the Microsoft Intune PowerShell Azure AD application for access to a tenant, all users are granted access. Users who are granted access to the Microsoft Intune PowerShell application are still limited by their permissions from Azure AD roles or Intune RBAC, but with access to PowerShell they could perform bulk exports of data. You can easily change the app registration so that only specific users can use Microsoft Intune PowerShell.

Limit access

To limit user access, you can change the application to require user assignment. To do this:

  1. Open the Azure Active Directory Admin Console.

  2. Click on Enterprise Applications.

  3. Find and click on Microsoft Intune PowerShell in the list.

  4. Select Properties.

  5. Change User assignment required? to Yes.

Change User assignment required to Yes.

  6. Click Save.

Add or remove users

To add or remove users of the Microsoft Intune PowerShell application:

  1. Open the Azure Active Directory Admin Console.

  2. Click on Enterprise Applications.

  3. Find and click on Microsoft Intune PowerShell in the list.

  4. Select Users and groups.

  5. Modify access as required.

Add a user.
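The "Limit access" and "Add or remove users" procedures above, done with the Microsoft Graph PowerShell SDK instead of the portal: the same "User assignment required" setting is turned on and each listed admin is assigned to the application. This is an added example, not part of the original article or its download scripts; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules are installed, and the UPNs are constructed placeholders.

```powershell
# Added example (not from the original article): require user assignment on
# the Microsoft Intune PowerShell enterprise application and assign the
# admins who should keep access. Assumes Microsoft.Graph.Applications and
# Microsoft.Graph.Users are installed. UPNs below are constructed placeholders.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All'

$appDisplayName = 'Microsoft Intune PowerShell'
$allowedUpns    = @('admin1@contoso.example', 'admin2@contoso.example')

# Locate the enterprise application (service principal) in the tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise application '$appDisplayName' was not found." }

# "Limit access" step 5: require assignment so unassigned users cannot sign in.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# "Add or remove users": assign each listed admin to the app's default access
# role. The all-zero AppRoleId is the default role when the app defines none.
$defaultRole = '00000000-0000-0000-0000-000000000000'
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
foreach ($upn in $allowedUpns) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop
    if ($existing.PrincipalId -contains $user.Id) {
        Write-Host "$upn is already assigned"
        continue
    }
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $defaultRole | Out-Null
    Write-Host "Assigned $upn"
}

# Confirm the setting; anyone not in the list now gets an assignment error at sign-in.
(Get-MgServicePrincipal -ServicePrincipalId $sp.Id).AppRoleAssignmentRequired
```

Removing a user is the reverse: find their entry in the output of Get-MgServicePrincipalAppRoleAssignedTo and pass its Id to Remove-MgServicePrincipalAppRoleAssignedTo.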