App Registrations and Conditional Access

shockoQA 126 Reputation points

This might be a dumb question but why do conditional access policies not apply to entities access AzureAD via an app registration? We are building some automation script to run in our DataCentre as per [this][1] guide. Security teams have been asking how to lock downs its access so that AzureAD only accepts connection to it form our DataCentre. If this was an AzureAD user we could do this via conditional access but it's not.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,733 questions
0 comments No comments
{count} votes

Accepted answer
  1. soumi-MSFT 11,776 Reputation points Microsoft Employee

    Hello @shockoQA , thank you for reaching out. I checked the link shared by you and the PS cmdlets used there are basically used to create a service principal in AAD. The steps mentioned in that article doesn't include any authentication step. The authentication step is required as a Conditional Access Policy gets triggered only after the Authentication happens successfully for the user. But if the authentication is happening in the application's context or trying to login to AAD using Service Principals, CA policy won't work there. They are normally used by back-end services allowing programmatic access to applications but are also used to sign in to systems for administrative purposes.

    What you can do is block access to your Azure Portal from the Internet and just keep the access open for your Datacenter, so that only your data center can access the Azure Portal. But there are no CA Policies available to block PowerShell logins or Logins using Service Principals.

    To set up that block you need to create Named Locations in CA policies and add the specific Datacenter IP or IP Range in /32 CIDR format.


    • Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Named locations > +New Location > Type a name and add IP address that you want to allow .
    • Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies > +New Policy > Configure below settings:
    • Users and Groups : Select required users.
    • Cloud apps or actions : Select apps > Microsoft Azure Management.
    • Conditions : Locations > Include > Any location. Exclude > select the location created in first step,.
    • Grant : Block access
    • Enable policy > On > Click on Create button.

    This will block access to Azure Portal from Any location, except your custom location. More details on Named Locations can be found here:

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. shockoQA 126 Reputation points

    Thanks for the details answer! much appreciated.

    1 person found this answer helpful.
    0 comments No comments