Restricting Access Of Azure Service Principals – Using Conditional Access

If anyone has the below information, can connect to Azure from any network and issue Azure PS commands.
<#
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
MS Link
https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md

>

Best possible scenario is to restrict is using RBAC. Agreed.
An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this please.
I had raised case with MS and they have advised it is as per design and advised to raise it here it as feedback.

123 votes

Priyabrata Sethi shared this idea · Jun 9, 2019 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · Oct 2, 2020

We’ve started work on this, focused on policy based on IP range.

12 comments

An error occurred while saving the comment

KjetilEVRY commented · January 26, 2021 12:55 AM · Flag as inappropriate

You can restrict it, read here: https://nedinthecloud.com/2020/01/19/enabling-conditional-access-for-azure-active-directory-applications/

But it's complicated, it all depends on how you create Service Principals. Only the correct way gives you the option to add SP as a Cloud App in Conditional Access.

Submitting...
Anonymous commented · January 25, 2021 1:55 AM · Flag as inappropriate

Any update on this topic? This is really needed.

Submitting...
Todd Johnson commented · January 11, 2021 8:53 AM · Flag as inappropriate

Will this be added to roadmap for tracking?

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=Azure%20Active%20Directory

Submitting...
Anonymous commented · October 22, 2020 11:18 PM · Flag as inappropriate

great to here that you started working on that. Any outlook on when it will be available?

Submitting...
Anonymous commented · October 14, 2020 9:36 AM · Flag as inappropriate

Hi Azure AD team - It is much needed feature. Can you please let know when you are planning to deliver this feature.

Submitting...
Anonymous commented · October 10, 2020 4:33 AM · Flag as inappropriate

That's great news. Mark @ London Stock exchange

Submitting...
David Cornish commented · September 24, 2020 2:22 AM · Flag as inappropriate

IP Addresses / CIDR would be great

Submitting...
Ritesh Mathoera commented · September 16, 2020 4:07 AM · Flag as inappropriate

An IP restriction would be sufficient in most cases. And an App restriction would be a good second.

Submitting...
Matthias Nega commented · August 16, 2020 1:24 AM · Flag as inappropriate

This feature would be really helpful and would rise the security level considerably!

Submitting...
David commented · July 16, 2020 1:45 PM · Flag as inappropriate

I'd like to be able to restrict service principals to specific IP/IP Ranges. This could greatly increase the security for mishandled SPN/Keys or add to their overall security.

Submitting...
Anonymous commented · July 14, 2020 3:40 AM · Flag as inappropriate

We need to prevent service principles used by applications from accessing certain SP sites for regulatory purposes. To be able to block that application similar to a user would enable us to get more data into Office 365

Submitting...
Ramesh Kumar commented · June 9, 2020 1:07 PM · Flag as inappropriate

This is a much needed feature. At the moment there is an open risk in the scenario of service principal's credentials were mis-handled.

Submitting...