Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the information below, they can connect to Azure from any network and issue Azure PS commands.
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
The best possible scenario is to restrict it using RBAC. Agreed.
An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this, please?
I had raised a case with MS and they advised that it is as per design and advised me to raise it here as feedback.
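Until network restrictions can be applied to a service principal itself, the compensating control is to watch where its credentials are actually being used from. The script below is an added example (not from the original post or from Microsoft) that flags service principal sign-ins arriving from networks outside a per-app allowlist. The record field names and the sample entries are constructed to resemble Entra ID service principal sign-in log rows; the app IDs, networks and the allowlist are placeholders, not real values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample sign-in records. Field names loosely follow the Entra ID
# service principal sign-in log (an assumption, not an exact schema);
# IPs are documentation ranges and app IDs are placeholders.
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T08:00:00Z", "spn": "MS-PoC-ServicePrincipal",
     "appId": "APP-ID-PLACEHOLDER", "ip": "10.20.30.40", "result": "0"},
    {"time": "2024-05-01T08:05:00Z", "spn": "MS-PoC-ServicePrincipal",
     "appId": "APP-ID-PLACEHOLDER", "ip": "203.0.113.77", "result": "0"},
    {"time": "2024-05-01T08:06:00Z", "spn": "MS-PoC-ServicePrincipal",
     "appId": "APP-ID-PLACEHOLDER", "ip": "198.51.100.9", "result": "50126"},
    {"time": "2024-05-01T09:00:00Z", "spn": "build-pipeline",
     "appId": "APP-ID-2-PLACEHOLDER", "ip": "192.0.2.10", "result": "0"},
]

# Per-app allowlist of networks each service principal is expected to
# authenticate from (constructed; in practice this is the CIDR of the build
# agents, automation hosts or corporate egress that legitimately hold the key).
ALLOWED_NETWORKS: Dict[str, List[str]] = {
    "APP-ID-PLACEHOLDER": ["10.20.0.0/16"],
    # "APP-ID-2-PLACEHOLDER" deliberately has no entry: an app with no
    # documented source network is itself a finding.
}


@dataclass
class Finding:
    spn: str
    app_id: str
    ip: str
    time: str
    severity: str
    reason: str


def ip_in_allowlist(ip: str, networks: List[str]) -> bool:
    """True if ip falls inside any of the allowed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def detect_unexpected_signins(records: List[dict],
                              allowlist: Dict[str, List[str]]) -> List[Finding]:
    """Return one Finding per sign-in that a conditional-access style
    IP restriction would have blocked, had one been available."""
    findings: List[Finding] = []
    for rec in records:
        nets = allowlist.get(rec["appId"])
        if nets is None:
            findings.append(Finding(rec["spn"], rec["appId"], rec["ip"], rec["time"],
                                    "medium", "no source-network allowlist defined for app"))
            continue
        if ip_in_allowlist(rec["ip"], nets):
            continue  # expected network, nothing to report
        if rec["result"] == "0":
            # A successful token issuance from an unknown network is the
            # mishandled-key scenario the post describes: treat as high.
            findings.append(Finding(rec["spn"], rec["appId"], rec["ip"], rec["time"],
                                    "high", "successful sign-in from network outside allowlist"))
        else:
            # Failed attempts from unknown networks indicate the key is being
            # tried from somewhere it should not be; lower severity, still logged.
            findings.append(Finding(rec["spn"], rec["appId"], rec["ip"], rec["time"],
                                    "low", f"failed sign-in (result {rec['result']}) "
                                           "from network outside allowlist"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per service principal, useful for a daily report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.spn] = counts.get(f.spn, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_unexpected_signins(SAMPLE_SIGNINS, ALLOWED_NETWORKS):
        print(f"[{f.severity}] {f.time} {f.spn} ({f.app_id}) from {f.ip}: {f.reason}")
    print(summarize(detect_unexpected_signins(SAMPLE_SIGNINS, ALLOWED_NETWORKS)))
```

Run against an export of the tenant's service principal sign-in logs, the same logic gives a concrete list of where each key is being used from, which is also the data needed to decide which ranges a future IP restriction should allow.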
I'd like to be able to restrict service principals to specific IP/IP Ranges. This could greatly increase the security for mishandled SPN/Keys or add to their overall security.
We need to prevent service principals used by applications from accessing certain SP sites for regulatory purposes. Being able to block that application similar to a user would enable us to get more data into Office 365.
Ramesh Kumar commented
This is a much needed feature. At the moment there is an open risk in the scenario where a service principal's credentials are mishandled.