Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the information below, they can connect to Azure from any network and issue Azure PS commands.
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
The best possible scenario is to restrict it using RBAC. Agreed.
An extra layer of conditional access for the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this, please?
I had raised a case with MS, and they advised that it is as per design and to raise it here as feedback.
We’ve started work on this, focused on policy based on IP range.
You can restrict it, read here: https://nedinthecloud.com/2020/01/19/enabling-conditional-access-for-azure-active-directory-applications/
But it's complicated; it all depends on how you create Service Principals. Only the correct way gives you the option to add the SP as a Cloud App in Conditional Access.
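As an added example (not code from this thread or from Microsoft), here is what the IP-range policy Microsoft mentions above looks like as Microsoft Graph request bodies for the Object ID in the original post, plus a local check of which source addresses such a policy would block. It assumes the workload identity Conditional Access schema (an ipNamedLocation plus a policy with conditions.clientApplications), and the CIDR ranges and location ID are constructed placeholders.

```python
# Added example: Graph bodies for an IP-restricted workload identity CA policy,
# and a local evaluator of its location condition. The schema assumed here
# (ipNamedLocation, conditions.clientApplications) is not stated on the page;
# IDs and CIDR ranges are constructed placeholders.
import ipaddress

SP_OBJECT_ID = "ZZZZZZZZZZZZZ"          # the thread's placeholder Object ID
CORP_EGRESS = ["198.51.100.0/24"]       # constructed: allowed public egress

def ip_named_location(name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                      "cidrAddress": c} for c in cidrs],
    }

def workload_identity_block_policy(name, sp_ids, allowed_location_id):
    """Body for POST /identity/conditionalAccess/policies: block the listed
    service principals everywhere except the named (trusted) location."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "clientApplications": {"includeServicePrincipals": list(sp_ids),
                                   "excludeServicePrincipals": []},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [allowed_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def would_block(policy, locations, sp_id, source_ip):
    """Local re-implementation of the policy's location condition, for
    review only; the real evaluation happens in Azure AD at token issue."""
    cond = policy["conditions"]
    if sp_id not in cond["clientApplications"]["includeServicePrincipals"]:
        return False                      # policy does not target this SP
    addr = ipaddress.ip_address(source_ip)
    for loc_id in cond["locations"]["excludeLocations"]:
        for r in locations[loc_id]["ipRanges"]:
            if addr in ipaddress.ip_network(r["cidrAddress"]):
                return False              # inside an excluded (trusted) range
    return "block" in policy["grantControls"]["builtInControls"]
```

The named location must be created first; the `id` Graph returns for it is what goes into `excludeLocations`.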
Any update on this topic? This is really needed.
Todd Johnson commented
Will this be added to roadmap for tracking?
Great to hear that you started working on that. Any outlook on when it will be available?
Hi Azure AD team - it is a much needed feature. Can you please let us know when you are planning to deliver this feature?
That's great news. Mark @ London Stock Exchange
David Cornish commented
IP Addresses / CIDR would be great
Ritesh Mathoera commented
An IP restriction would be sufficient in most cases. And an App restriction would be a good second.
Matthias Nega commented
This feature would be really helpful and would raise the security level considerably!
I'd like to be able to restrict service principals to specific IPs/IP ranges. This could greatly increase the security for mishandled SPNs/keys or add to their overall security.
We need to prevent service principals used by applications from accessing certain SP sites for regulatory purposes. Being able to block that application similarly to a user would enable us to get more data into Office 365.
Ramesh Kumar commented
This is a much needed feature. At the moment there is an open risk in the scenario where a service principal's credentials are mishandled.