Can app-only authentication be controlled/restricted by a Conditional Access policy?

test A 86 Reputation points
2023-03-31T04:30:06.8533333+00:00

Hi team,

I would like to know whether app-only authentication can be bound by a Conditional Access policy or not, as there is limited information available on this. I need your guidance on this, thanks in advance.


2 answers

  1. Vasil Michev 94,911 Reputation points MVP
    2023-03-31T07:22:42.6866667+00:00

    It can, via Conditional access policies for Workload identities: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity

    You can either create a "static" policy scoped to specific service principal(s) and location(s), or a risk-based one. Block is the usual action to choose, but you can also create an "allow" policy and restrict it to your known IPs/ranges only.


  2. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2023-03-31T10:52:38.58+00:00

    @test A

    Kindly follow the given process:

    • Get a workload identity license added in your tenant.
    • Once added, navigate to the Conditional Access blade and under Assignments select Workload identities and choose the service principal of your AAD registered app.
    • Under Cloud apps or actions, select All cloud apps.
    • Select the conditions under which your action evaluating access would be allowed or blocked. Currently only "Service principal risk" and "Locations" are available for selection.
    • Under Grant, select "Block".

    Conclusion: Any access done when this service principal (registered app) is evaluated as risky or outside a trusted location will be blocked.

    Please do let me know if you have any further queries.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.

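The portal steps above map onto one Microsoft Graph request. The following added example (not code from the thread or from Microsoft) builds the policy body for a workload-identity block policy, checks it for the mistake that bites most often (a location condition that ends up blocking the service principal everywhere), and optionally POSTs it. It assumes a Graph bearer token with Policy.ReadWrite.ConditionalAccess, the service principal's object ID, and the ID of an existing named location; the GUIDs shown are placeholders.

```python
"""Build/validate a Conditional Access policy for a workload identity.

Added example; assumes Microsoft Graph v1.0 and placeholder GUIDs.
"""
import json
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_workload_identity_block_policy(display_name, service_principal_ids,
                                         trusted_location_ids, risk_levels=None,
                                         report_only=True):
    """Block the given service principals outside trusted locations (and,
    optionally, at the given risk levels). report_only=True creates the policy
    in report-only mode so sign-in logs show the effect before it enforces."""
    conditions = {
        "applications": {"includeApplications": ["All"]},          # all cloud apps
        "clientApplications": {"includeServicePrincipals": list(service_principal_ids)},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": list(trusted_location_ids)},
    }
    if risk_levels:  # e.g. ["medium", "high"] for a risk-based variant
        conditions["servicePrincipalRiskLevels"] = list(risk_levels)
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def validate_policy(policy):
    """Return a list of problems; empty means the policy looks sane."""
    issues = []
    cond = policy["conditions"]
    if not cond["clientApplications"]["includeServicePrincipals"]:
        issues.append("no service principal targeted; policy is a no-op")
    locs = cond["locations"]
    if "All" in locs["includeLocations"] and not locs["excludeLocations"] \
            and not cond.get("servicePrincipalRiskLevels"):
        issues.append("blocks the service principal from every location")
    return issues


def create_policy(policy, access_token):
    """POST the policy to Graph; returns the created policy as a dict."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run validate_policy before create_policy; a policy with an empty exclude list and no risk condition will lock the app out from every network, including your own.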