Enable conditional access rules to enforce MFA when users access PowerShell
Conditional access provides a great way to enforce additional checks when users access sensitive services in Azure. It is already possible to enforce MFA when users (e.g. with contributor rights) access the Azure portal. However, there is no way to explicitly require the same users to authenticate with MFA when accessing the same privileges in PowerShell. Please add PowerShell to the list of cloud applications so that it can be included in a rule that enforces MFA for privileged functions.
Today you can set a conditional access policy on “Microsoft Azure Management”, which will apply to any client requesting access tokens to the Azure Management API. This includes the Azure portal (https://portal.azure.com) and Azure PowerShell (e.g. Login-AzureRmAccount).
It does not apply to Azure AD PowerShell. To apply a conditional access policy to Azure AD PowerShell (e.g. Connect-MsolService and Connect-AzureAD, for the MSOnline and AzureAD modules, respectively), you must target “All cloud apps”, which means all sign-ins for the targeted users must satisfy the MFA requirement. The main reason for this is that the AzureAD PowerShell module is a thin wrapper around the Azure AD Graph API, which is also used by the vast majority of Azure AD-integrated apps (e.g. Office 365, Azure, etc.) out there.
Thus, even if there was a way to set a policy on “Azure AD Graph API” (there isn’t), the end result would be almost the same as setting the same policy on “All cloud apps”.
- To MFA just Azure portal and Azure PowerShell, target “Microsoft Azure Portal”
- To MFA Azure AD PowerShell, target “All cloud apps” (which will apply to all sign-ins)
I’m setting this to “Needs Feedback” for now—let us know what you think of this approach!
/ Philippe Signoret
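As an added example that is not part of Philippe's reply or any Microsoft documentation, the first option above (a policy scoped to “Microsoft Azure Management” that requires MFA for a privileged group) can be created with the Microsoft Graph PowerShell SDK. The policy is created in report-only state so that its effect on real sign-ins can be reviewed in the sign-in log before it is enforced. The group object id is a placeholder; the application id is, to my knowledge, the well-known id of the “Microsoft Azure Management” (Windows Azure Service Management API) first-party app, but it is not on this page, so verify it under Enterprise applications in your tenant before use.

```powershell
# Added example (not from the thread): create the "MFA for Microsoft Azure
# Management" policy described above, in report-only state first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object id of the group holding privileged (e.g. Contributor) users.
$privilegedGroupId = "<object-id-of-privileged-users-group>"

# Assumed well-known app id of "Microsoft Azure Management" (Windows Azure
# Service Management API); confirm it in the tenant's Enterprise applications.
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

$policy = @{
    displayName = "Require MFA for Azure management (portal and Azure PowerShell)"
    # Report-only: the policy is evaluated and logged but blocks nobody yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($privilegedGroupId) }
        applications = @{ includeApplications = @($azureManagementAppId) }
        # Tokens for the Azure Management API are requested by the browser
        # (portal) and by desktop clients (Azure PowerShell), so cover both.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the "Report-only" results in the sign-in log, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

As the reply explains, this policy covers the portal and Azure PowerShell only; Connect-AzureAD and Connect-MsolService talk to the Azure AD Graph API and are reached only by setting `includeApplications` to `@("All")`, i.e. “All cloud apps”, with the consequences for every other sign-in that the comments below describe.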
Mohan Ravindran commented
As of today, a normal user in Azure AD can connect to the Azure AD PowerShell module using Connect-AzureAD and run commands such as get-azureaduser | fl and dump all the users in Azure AD. This facility should be available only for admins, not for normal users. Hence we need a way to invoke conditional access through an Azure AD conditional access policy to block someone connecting to this endpoint.
Rafal Przybyl commented
I have to revive this thread since the possibility for a standard, non-administrative user to export the entire data set stored in Azure Active Directory with simple PowerShell cmdlets is classified as a big risk. Our company of course trusts our own employees, but one stolen standard user password allows an attacker to grab a lot of company-internal information like all users, the structure and a lot of dependencies. It wouldn't be an issue if Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false could restrict standard user access to other users' data via PowerShell without influencing other applications' capabilities. Unfortunately this is not the case, and besides the fact that this is marked as a known issue, nothing can be done about it according to the product group's response.
The suggested workaround to target all cloud apps is also not a real solution to the problem, because I cannot imagine how I would explain to users a request to provide a second factor each time they start Outlook on a company-owned client. Moreover, I actually think standard users should not be able to access the environment using programming tools.
I could imagine an exception being implemented for CA policies that allows registered applications to access Azure AD PowerShell by default without additional conditions being checked, while a direct PowerShell connection would apply the defined rules. In my case this would be: block access unless you are a member of the developers or admins group.
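Until the policy gap the two comments above describe is closed, the defender's fallback is visibility: knowing which accounts outside the admin population are signing in to the Azure AD PowerShell client at all, and whether those sign-ins were single-factor. The following is an added example, not something posted in this thread, that pulls the last seven days of such sign-ins with the Microsoft Graph PowerShell SDK and lists the ones from users who are not members of an allowed group. The group name, the look-back window and the client application display name (“Azure Active Directory PowerShell”, which is how the AzureAD module's client app appears in my sign-in logs) are assumptions to adjust for your tenant.

```powershell
# Added example (not from the thread): report Azure AD PowerShell sign-ins by
# accounts that are not members of the group allowed to use it.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "GroupMember.Read.All"

$allowedGroupName = "Directory Admins"   # assumed name of the permitted group
$lookBackDays     = 7                    # assumed review window
$clientAppName    = "Azure Active Directory PowerShell"  # assumed display name

# Object ids of the accounts that are expected to use the PowerShell client.
$group   = Get-MgGroup -Filter "displayName eq '$allowedGroupName'" | Select-Object -First 1
$allowed = Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $_.Id }

# Sign-ins to the PowerShell client app within the window.
$since  = (Get-Date).AddDays(-$lookBackDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "appDisplayName eq '$clientAppName' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# Keep only sign-ins from accounts outside the allowed group; the
# AuthenticationRequirement column shows whether MFA was actually demanded.
$unexpected = $signIns | Where-Object { $allowed -notcontains $_.UserId }

$unexpected |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
                  AuthenticationRequirement, ConditionalAccessStatus,
                  @{ n = 'Succeeded'; e = { $_.Status.ErrorCode -eq 0 } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

"{0} sign-in(s) to '{1}' from accounts outside '{2}' in the last {3} day(s)" -f `
    @($unexpected).Count, $clientAppName, $allowedGroupName, $lookBackDays
```

A successful, single-factor entry from an ordinary user account is exactly the case Mohan and Rafal raise: a valid password alone was enough to open a session that can enumerate the directory. Running this on a schedule and alerting on a non-zero count at least surfaces the exposure that the “All cloud apps” policy would otherwise be the only way to close.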
Ben Hatton commented
I want to call out a related problem since you highlight use of a policy against "Microsoft Azure Management". When I configure this, I also, as a side effect, cause access to PowerApps to be forced to MFA (unknown what other O365 apps might be similarly affected). This is an unacceptable burden on end users for what is supposed to be a policy to protect privileged administration access only. Would very much appreciate your viewpoint and suggestion on this issue. Surely OAuth token requests to the Graph API can't be considered "Azure Management" activity...?
Thanks and regards,
Shane Wright commented
It is worth noting that if your ruleset requires you to block external access to PowerShell (i.e. from non-trusted networks), then you break Intune. The All Cloud Apps policy applies to the Intune Company Portal, which also cannot be excluded.
For this to be a viable solution, the Intune Company Portal must be able to be excluded from the All Cloud Apps rule.
The issue with targeting all cloud apps is that we have a fairly complex rule set related to the circumstances under which MFA is required. If we selected "all cloud apps", we would constantly need to keep the excluded apps section configured to exclude apps from the conditional access rule. In addition, it means we would end up with overlapping rules for privileged users (e.g. users with contributor rights in PowerShell / the portal) vs non-privileged users, as their MFA requirements differ. What would be best would be a rule that included all endpoints for privileged action, i.e. PowerShell, the Azure Portal, the Office Admin Portal etc., so we can enforce MFA for all accesses to these services.