Conditional access policy: Allow sign-in from Azure Automation only.

Mountain Pond 1,441 Reputation points
2023-10-23T16:33:46.04+00:00

Hello, there is one account that is assigned an Exchange Online license and which only serves to send reports from scripts that are located in Automation Accounts. The script uses an Automation Credential, which specifies the login and password.

Now I am seeing attempts to guess a password from a third-party IP address. I would like to prevent the user from logging in through the web interface or from non-Azure Automation addresses.

Thank you.

Azure Automation
Microsoft Entra ID

2 answers

  1. Carlos Solís Salazar 17,976 Reputation points MVP
    2023-10-23T19:01:21.94+00:00

    You can apply Conditional Access that blocks or allows access by location.

    Also, you can apply various conditions to allow or deny access.

    Hope this helps!
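
The location-based approach in the answer above, sketched with the Microsoft Graph PowerShell module. This is an added example, not part of the original thread; the user object ID, the CIDR range and the display names are placeholders, and it assumes you already know the egress ranges your runbooks connect from.

```powershell
# Added example. Placeholder values are marked; replace them before use.
# Requires the Microsoft.Graph module and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$reportUserId = '00000000-0000-0000-0000-000000000000'  # placeholder: object ID of the report-sending account
$allowedCidrs = @('203.0.113.0/24')                     # placeholder: range(s) the runbook signs in from

# 1. Named location holding the only addresses the account may sign in from.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Runbook egress (example)'
    isTrusted     = $false
    ipRanges      = @($allowedCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# 2. Policy scoped to that one account: block every location except the named one.
#    Created in report-only mode so the effect can be checked before enforcement.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block report account outside runbook egress (example)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @($reportUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policy | Select-Object Id, DisplayName, State
```

Report-only mode lets you confirm in the sign-in logs that the runbook's sign-ins would pass before changing `state` to `enabled`.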


  2. Ryan Hill 29,131 Reputation points Microsoft Employee
    2023-11-14T16:10:08.28+00:00

    @Mountain Pond the response above provided by @Carlos Solis Salazar is the most prudent course of action.

    The only other option I can think of is using system-assigned managed identity with your automation account. You can then configure that account to connect to Exchange Online if need be. Since it's a managed account, no one (or thing) will be logging in because the identity is tied to that resource.

