Applying conditional access with enterprise application accounts in Azure

MrFlinstone 686 Reputation points
2024-12-09T23:50:55.4166667+00:00

I am looking to create an enterprise account which will be used to run scripts. As the account will have highly privileged roles assigned to it, what level of conditional access policies can I add to the enterprise application so that it is not abused, or so that if it gets into the hands of a hacker, they cannot do much with it?

For example, can I restrict login from certain IP ranges? This way the account can only be used from the inside. Is there a way to also detect unusual patterns from the login? I know we can set up alerting for the object ID, but this will bring up too many alerts as the account goes about running scripts in Azure; I would like to alert on unusual patterns.

Thanks in advance


Accepted answer
Marcin Policht, 49,640 Reputation points, MVP, Volunteer Moderator
2024-12-10T00:07:56.3633333+00:00

    You might want to consider the following:

    1. Restrict Login to Specific IP Ranges

    • Configure a Conditional Access policy to restrict the account’s login access to specific, trusted IP ranges (e.g., on-premises networks or a secure VPN).
    • Ensure the IP ranges are tightly controlled to reduce exposure.
    • Avoid allowing access from public IPs or unknown locations.

    2. Block Interactive Logins

    • If the account is exclusively used for scripts and automation, use a Conditional Access policy to block interactive logins (client apps set to Browser and Modern authentication clients).

    3. Enable Risk-Based Alerts

    • Azure AD Identity Protection:
      • Enable alerts for suspicious activities like login attempts from unfamiliar locations, devices, or impossible travel scenarios.
      • Use the Risky sign-ins and Identity Protection risk detections to monitor real-time activity and respond to flagged anomalies.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
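The policy the accepted answer describes (restrict the script identity to a trusted IP range) can be expressed as two Microsoft Graph request bodies: an IP named location and a Conditional Access policy for workload identities that blocks the service principal everywhere except that location. The block below is an added illustration, not code from the answer or from Microsoft; the service principal and named-location IDs and the CIDR ranges are constructed placeholders, and `evaluate_sign_in` is a local approximation of the policy's location logic, not the Entra evaluation engine. Two caveats worth knowing before relying on it: Conditional Access for workload identities applies to single-tenant service principals and supports location and risk conditions (a service principal authenticates with client credentials, so the "block interactive logins" client-app condition is aimed at user accounts), and the policy is created in report-only mode so the sign-in logs can be checked before enforcement.

```python
"""Build the Conditional Access objects for a script service principal and
evaluate a sign-in against them offline (added example; IDs are placeholders)."""
import ipaddress

# Constructed values: replace with the real object IDs from your tenant.
TRUSTED_RANGES = ["10.0.0.0/8", "203.0.113.0/24"]            # constructed CIDRs
SCRIPT_SP_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder
NAMED_LOCATION_ID = "00000000-0000-0000-0000-00000000bbbb"    # placeholder


def named_location_body(name, cidrs, trusted=True):
    """Body for POST /identity/conditionalAccess/namedLocations (Graph v1.0).
    IPv4 and IPv6 ranges use different @odata.type values."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)  # raises ValueError on a bad CIDR
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                       "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": trusted,
        "ipRanges": ranges,
    }


def workload_identity_policy_body(sp_object_id, named_location_id):
    """Body for POST /identity/conditionalAccess/policies: block the service
    principal from all locations except the trusted named location."""
    return {
        "displayName": "Block script SP outside trusted IPs",
        # Report-only first; switch to "enabled" once the logs look right.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["None"]},
            "clientApplications": {"includeServicePrincipals": [sp_object_id]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate_sign_in(policy, source_ip, sp_object_id, trusted_cidrs):
    """Local approximation of the policy outcome for a client-credentials
    sign-in: 'not-in-scope' if the SP is not targeted, 'allow' if the source
    IP falls inside the excluded (trusted) ranges, otherwise 'block'."""
    targeted = policy["conditions"]["clientApplications"]["includeServicePrincipals"]
    if sp_object_id not in targeted:
        return "not-in-scope"
    addr = ipaddress.ip_address(source_ip)
    if any(addr in ipaddress.ip_network(c) for c in trusted_cidrs):
        return "allow"
    return "block"


NAMED_LOCATION = named_location_body("Script runner trusted IPs", TRUSTED_RANGES)
POLICY = workload_identity_policy_body(SCRIPT_SP_OBJECT_ID, NAMED_LOCATION_ID)

if __name__ == "__main__":
    import json
    print(json.dumps(NAMED_LOCATION, indent=2))
    print(json.dumps(POLICY, indent=2))
    for ip in ("10.1.2.3", "198.51.100.7"):
        print(ip, "->", evaluate_sign_in(POLICY, ip, SCRIPT_SP_OBJECT_ID, TRUSTED_RANGES))
```

The two bodies are posted in order (named location first, because the policy's `excludeLocations` needs its `id`), and the sign-in logs filtered on the service principal ID show which requests would have been blocked while the policy is still in report-only mode.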

1 additional answer

Abiola Akinbade, 29,405 Reputation points, Volunteer Moderator
2024-12-10T00:12:30.3433333+00:00

    Hello MrFlinstone,

    Thanks for your question.

    I would recommend using conditional access for this.

    You can implement network location conditions that only allow access from:

    • Corporate network IP ranges
    • Specific Azure Virtual Network (VNet) subnets
    • Approved VPN connections

    Create the policy and assign it to your EA account: go to Security → Conditional Access → Named Locations → add your trusted IP ranges.

    You can further set the grant access as well.

    For the anomalies you can set up user/sign-in risk. See: https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies

    You can mark it 'Accept Answer' and 'Upvote' if this helped you.

    Regards,

    Abiola

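Both answers point at Identity Protection risk policies for the anomaly side of the question; the asker's second concern was that alerting on the object ID alone floods the queue while the scripts run. The block below is an added example, not code from either answer or from Microsoft, of the baseline-and-deviation logic a practitioner would run over service-principal sign-in log export before (or alongside) risk policies: learn the IPs, resources and hours the identity normally uses, then raise one alert per (IP, resource) pair that deviates rather than one per sign-in. The records are constructed to resemble Entra service-principal sign-in log fields (`servicePrincipalId`, `ipAddress`, `resourceDisplayName`, `createdDateTime`, `status.errorCode`); the service principal ID is a placeholder, and the "unusual hour" rule is a simple heuristic, not an Identity Protection detection.

```python
"""Baseline a script service principal's sign-ins and alert only on
deviations, deduplicated per (ip, resource) (added example; data constructed)."""
from collections import Counter
from datetime import datetime

SP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder object ID


def _rec(ts, ip, resource, error_code=0):
    """Constructed record shaped like a service-principal sign-in log entry."""
    return {"createdDateTime": ts, "servicePrincipalId": SP_ID, "ipAddress": ip,
            "resourceDisplayName": resource, "status": {"errorCode": error_code}}


# Constructed history: nightly scripts from one internal IP against two resources.
BASELINE_RECORDS = [
    _rec("2024-12-02T02:05:00Z", "10.1.2.3", "Microsoft Graph"),
    _rec("2024-12-02T02:07:00Z", "10.1.2.3", "Azure Resource Manager"),
    _rec("2024-12-03T03:02:00Z", "10.1.2.3", "Microsoft Graph"),
]

# Constructed new day: normal runs, a new resource, and two sign-ins from an
# unfamiliar IP in the afternoon, one of which Conditional Access rejected.
NEW_RECORDS = [
    _rec("2024-12-09T02:06:00Z", "10.1.2.3", "Microsoft Graph"),
    _rec("2024-12-09T02:08:00Z", "10.1.2.3", "Azure Resource Manager"),
    _rec("2024-12-09T02:20:00Z", "10.1.2.3", "Key Vault"),
    _rec("2024-12-09T14:30:00Z", "198.51.100.7", "Microsoft Graph"),
    _rec("2024-12-09T14:31:00Z", "198.51.100.7", "Microsoft Graph", error_code=53003),
]


def _hour(ts):
    # Log timestamps are UTC with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def build_baseline(records):
    """Summarise what the identity normally does: source IPs, resources, hours."""
    return {
        "ips": {r["ipAddress"] for r in records},
        "resources": {r["resourceDisplayName"] for r in records},
        "hours": Counter(_hour(r["createdDateTime"]) for r in records),
    }


def unusual(record, baseline):
    """Return the reasons a single sign-in deviates from the baseline (empty if none)."""
    reasons = []
    if record["ipAddress"] not in baseline["ips"]:
        reasons.append("new-ip")
    if record["resourceDisplayName"] not in baseline["resources"]:
        reasons.append("new-resource")
    if _hour(record["createdDateTime"]) not in baseline["hours"]:
        reasons.append("unusual-hour")
    if record["status"]["errorCode"] != 0:
        reasons.append("failed-sign-in")
    return reasons


def triage(records, baseline):
    """One alert per (ip, resource) pair that shows any deviation, with the union
    of reasons and an occurrence count, so a busy SP does not page once per run."""
    alerts = {}
    for rec in records:
        reasons = unusual(rec, baseline)
        if not reasons:
            continue
        key = (rec["ipAddress"], rec["resourceDisplayName"])
        entry = alerts.setdefault(key, {"first_seen": rec["createdDateTime"],
                                        "reasons": set(), "occurrences": 0})
        entry["reasons"].update(reasons)
        entry["occurrences"] += 1
    return alerts


if __name__ == "__main__":
    for key, alert in triage(NEW_RECORDS, build_baseline(BASELINE_RECORDS)).items():
        print(key, sorted(alert["reasons"]), "x", alert["occurrences"], "first", alert["first_seen"])
```

Run against a real export, the baseline should be built from a window long enough to cover every scheduled job (a month catches weekly and monthly runs), and `new-resource` alerts that turn out to be legitimate script changes are folded back into the baseline rather than silenced.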
