Oct 15 2021
- last edited on
Jan 14 2022
I can't find any way to block access to Azure AD PowerShell with Conditional Access policy. For normal users without any Azure AD role, it's possible to read other user information in Azure AD PowerShell. There is a Cloud app Microsoft Azure Management which can be used for Conditional Access policy, but is not including Azure AD PowerShell.
So I try to enable at least MFA for the use of Azure AD PowerShell to downscale the security risks (compromised accounts and reconnaissance) but, I have the same problems. It seems impossible to enforce MFA and PowerShell without the use of global Azure AD setting “Enable Security Defaults” enabled. When enabled (test tenant) it's enforcing MFA when trying to connect to Azure AD PowerShell. However, the use of Conditional Access policies is more desirable for better control and therefore the security defaults are not applicable.
I have also find this:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
But this results in problems in Teams and Planner: users will not able to add new members.
Nov 16 2021 01:20 PMSolution
I've had the same trouble you've had. However, there is a way to block this via conditional access policies. As luck would have it, we have a report only policy that blocks most things for testing purposes. Looking at Azure logs I could see that if we had enabled that policy we would have triggered azure active directory powershell and it would have blocked it! So what I did was I created a policy that included all cloud apps and then just excluded the ones we use in our other policies (which were a few) and boom... MFA prompted. It seems that the azure active directory is in the enterprise apps (as you can do searches and see logs on activity) but its "hidden". There might be a way to powershell it since i can find an application ID, but thats down the line.
Hope that helps. Godspeed
Nov 17 2021 12:39 AM
Nov 18 2021 04:38 AM
Dec 29 2021 03:54 AM
@Ottovw You can block Azure AD Powershell via Conditional Access policy, but not in GUI. You need to create policy via Powershell and API.
it is working for me: