Azure Management: Breakout PowerShell

securethelogs 1 Reputation point
2020-03-11T12:50:02.22+00:00

Hey guys,

Is there any option or future solution to break out PowerShell in Microsoft Azure Management?

At the minute, that is the only app that you can apply conditional access to; however, the apps inside are used differently.

With the admin restriction excluding PowerShell and VS, here is why I’m concerned:

https://securethelogs.com/2020/03/11/bypass-azuread-administration-portal-restriction/


3 answers

  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2020-06-12T14:19:29.527+00:00

    Hi @securethelogs,

    Azure portal uses Graph api-version=1.61-internal and PowerShell uses Graph api-version=1.6. There is no difference in port number; both use port 443 (HTTPS).

    Yes, User Agent will be different in both cases but I don't think there is a way to apply any sort of restrictions on the basis of User Agent string via CA policy.

    • User-Agent for Azure Portal accessed via Google Chrome: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.37
    • User-Agent for PowerShell: Swagger-Codegen/1.4.0.0/csharp

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

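    Since, as the answer above notes, a Conditional Access policy cannot key on the User-Agent string, a defender can at least detect script-client sign-ins from outside trusted networks after the fact. The following Python is an added example, not code from this thread or from Microsoft: the sign-in records are constructed, their field names (userAgent, ipAddress, appDisplayName, userPrincipalName) are assumed to follow the Microsoft Graph signIn resource, and TRUSTED_NETWORKS is a placeholder range.

```python
import ipaddress

# Constructed sample sign-in records (not real log data). Field names are
# assumed to follow the Microsoft Graph signIn resource; the user-agent
# strings are the two quoted in the answer above.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Azure Portal",
     "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.37"},
    {"userPrincipalName": "bob@example.com",
     "appDisplayName": "Azure Active Directory PowerShell",
     "ipAddress": "10.20.30.40", "userAgent": "Swagger-Codegen/1.4.0.0/csharp"},
    {"userPrincipalName": "carol@example.com",
     "appDisplayName": "Azure Active Directory PowerShell",
     "ipAddress": "198.51.100.7", "userAgent": "Swagger-Codegen/1.4.0.0/csharp"},
]

# Placeholder for the company network where engineers are expected to run
# PowerShell automation; replace with the real named-location ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def classify_client(user_agent):
    """Coarse client type from the User-Agent: browser, powershell, or other."""
    ua = user_agent or ""
    if ua.startswith("Mozilla/"):
        return "browser"
    if ua.startswith("Swagger-Codegen/"):
        return "powershell"
    return "other"


def is_trusted(ip):
    """True when the source address falls inside a trusted network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_script_signins(records):
    """Return (user, client, ip) for non-browser sign-ins from untrusted IPs."""
    hits = []
    for rec in records:
        client = classify_client(rec.get("userAgent"))
        if client != "browser" and not is_trusted(rec["ipAddress"]):
            hits.append((rec["userPrincipalName"], client, rec["ipAddress"]))
    return hits
```

    Feed it the output of a sign-in log export and alert on any hit; the browser case is deliberately left alone, since the thread's point is that portal use from global locations is expected.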

  2. AmanpreetSingh-MSFT 56,506 Reputation points
    2020-03-12T07:56:11.86+00:00

    @securethelogs By default all users have permission to read directory objects such as users, groups, applications, and service principals in their tenant via the Graph API. PowerShell and VS make direct Graph calls to Azure AD to fetch information, which is why we cannot use the same method as for the Azure Portal to restrict access to Azure AD. Restricting read permission via the Graph API would break the core functionality. So the best we can do is to restrict access to trusted locations via Conditional Access, as mentioned in the post that you shared.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


  3. securethelogs 1 Reputation point
    2020-03-12T10:08:33.327+00:00

    @AmanpreetSingh-MSFT , just thinking out loud....

    Do Graph and Azure PowerShell have different application IDs?
    If you lock down based on the PowerShell (Azure Active Directory PowerShell) AppID, it wouldn't affect its calls to Graph, as Azure would request it as Graph?

    Do they use different ports for the initial login or management?
    For instance, I'm assuming Connect-AzureAD functions on 443, but do the modules interact with the API on 3443? Could the app differentiate the ports so you could separate out the Azure Portal?

    The concern for me isn't so much the functionality of the restrict button. It's more that all these apps/functions are grouped within a single cloud app. This means you are limited when using conditional access.

    An enterprise will use the GUI Azure portal differently than, say, PowerShell. Because Azure is grouped in management, locking down the portal to trusted networks or locations might not be a viable option, especially when working with global instances. Locking down PowerShell however is, as we don't want this being opened to the internet, since the automation piece behind it is, well, powerful. If our engineers are working on this, they can do it on a company server so that we retain the audit logs.

    Another thought is user agent?
    Won't PowerShell/VS and the GUI Portal have different User Agents?
