Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the information below, they can connect to Azure from any network and issue Azure PS commands.
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
The best possible scenario is to restrict it using RBAC. Agreed.
An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this, please?
I had raised a case with MS and they advised it is as per design and advised to raise it here as feedback.
We’ve started work on this, focused on policy based on IP range.
Any update on this, as we still cannot deny access for SP use? We need to limit SP use to only specific Azure and on-prem IPs.
Any update on this?
Todd Johnson commented
Can we get an update on this effort (roadmap Id)? Any additional details would be helpful.
Specifically we need a way to restrict client credential flow using shared secret.
Service Principals or Azure AD apps do present risk to organizations, specifically for O365 or Exchange. This has been widely followed after the SolarWinds hack.
Conditional Access policy can help but it's technically hard to implement. You can trust on-premises IPs as a trusted location, but you run into problems when those SaaS apps are running elsewhere. You can't trust the cloud providers' IP addresses because attackers are renting space in the same cloud!
What other alternative rules can we apply to secure service principal logins?
You can restrict it, read here: https://nedinthecloud.com/2020/01/19/enabling-conditional-access-for-azure-active-directory-applications/
But it's complicated, it all depends on how you create Service Principals. Only the correct way gives you the option to add SP as a Cloud App in Conditional Access.
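Until a Conditional Access policy can enforce the IP-range restriction this thread is asking for, a compensating control is to review service principal sign-in logs for sign-ins outside the ranges you expect. The Python below is an added example, not code from this thread, from the linked article or from Microsoft: the sign-in records are constructed to resemble Azure AD service principal sign-in fields (the field names and app IDs are assumptions), the per-principal allowlist is hypothetical, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Compensating detection: flag service principal sign-ins from outside allowed IP ranges."""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample sign-in records (NOT real log data). The keys mimic Azure AD
# service principal sign-in fields; the appId values are placeholders.
SAMPLE_SIGNINS = [
    {"servicePrincipalName": "MS-PoC-ServicePrincipal", "appId": "placeholder-app-id-1",
     "ipAddress": "203.0.113.10", "createdDateTime": "2021-05-01T10:00:00Z"},
    {"servicePrincipalName": "MS-PoC-ServicePrincipal", "appId": "placeholder-app-id-1",
     "ipAddress": "198.51.100.77", "createdDateTime": "2021-05-01T10:05:00Z"},
    {"servicePrincipalName": "unlisted-sp", "appId": "placeholder-app-id-2",
     "ipAddress": "192.0.2.5", "createdDateTime": "2021-05-01T10:07:00Z"},
    {"servicePrincipalName": "MS-PoC-ServicePrincipal", "appId": "placeholder-app-id-1",
     "ipAddress": "not-an-ip", "createdDateTime": "2021-05-01T10:09:00Z"},
]

# Hypothetical allowlist: the on-prem egress range and the Azure subnet the
# principal is expected to sign in from. Every principal you own should have an entry.
ALLOWLIST: Dict[str, List[str]] = {
    "MS-PoC-ServicePrincipal": ["203.0.113.0/24", "10.20.0.0/16"],
}


def parse_allowlist(allowlist: Dict[str, List[str]]) -> Dict[str, List[Network]]:
    """Turn CIDR strings into network objects once, so each event is a cheap membership test."""
    return {
        sp: [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]
        for sp, cidrs in allowlist.items()
    }


def ip_in_ranges(ip: str, nets: List[Network]) -> bool:
    """True if ip falls inside any network. Raises ValueError for an unparseable address.
    An IPv6 address tested against IPv4 networks simply does not match (no exception)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_out_of_range_signins(signins: List[dict], allowlist: Dict[str, List[str]]) -> List[dict]:
    """Return one finding per sign-in that is outside its principal's allowed ranges,
    comes from a principal with no allowlist at all, or carries an unparseable address."""
    nets = parse_allowlist(allowlist)
    findings = []
    for event in signins:
        sp = event.get("servicePrincipalName", "")
        ip = event.get("ipAddress", "")
        summary = {"servicePrincipalName": sp, "ipAddress": ip,
                   "createdDateTime": event.get("createdDateTime", "")}
        try:
            allowed = ip_in_ranges(ip, nets.get(sp, []))
        except ValueError:
            # A log line without a parseable source address should be looked at, not dropped.
            findings.append({**summary, "reason": f"unparseable ipAddress {ip!r}"})
            continue
        if sp not in nets:
            findings.append({**summary, "reason": "no allowlist defined for this service principal"})
        elif not allowed:
            findings.append({**summary, "reason": "sign-in from outside allowed ranges"})
    return findings


if __name__ == "__main__":
    for finding in find_out_of_range_signins(SAMPLE_SIGNINS, ALLOWLIST):
        print(f"{finding['createdDateTime']} {finding['servicePrincipalName']:<26} "
              f"{finding['ipAddress']:<16} {finding['reason']}")
```

In practice the records would come from the tenant's sign-in logs rather than the constructed list, and a principal with no allowlist entry is deliberately reported too, so an inventory gap shows up as a finding rather than a silent pass.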
Any update on this topic? This is really needed.
Todd Johnson commented
Will this be added to roadmap for tracking?
Great to hear that you started working on that. Any outlook on when it will be available?
Hi Azure AD team - It is a much needed feature. Can you please let us know when you are planning to deliver this feature?
That's great news. Mark @ London Stock exchange
David Cornish commented
IP Addresses / CIDR would be great
Ritesh Mathoera commented
An IP restriction would be sufficient in most cases. And an App restriction would be a good second.
Matthias Nega commented
This feature would be really helpful and would raise the security level considerably!
I'd like to be able to restrict service principals to specific IP/IP Ranges. This could greatly increase the security for mishandled SPN/Keys or add to their overall security.
We need to prevent service principals used by applications from accessing certain SP sites for regulatory purposes. Being able to block that application similarly to a user would enable us to get more data into Office 365.
Ramesh Kumar commented
This is a much needed feature. At the moment there is an open risk in the scenario where a service principal's credentials are mishandled.