Protecting Service Accounts with Conditional Access

Leo Johnson

Hi y'all,

At the moment we are trying to enhance the security of our service accounts with Conditional Access.

We only allow the service accounts to be used from trusted locations.

All our accounts work fine, except the Azure Automation and Dynamics service accounts.

Why does this not work and what can we do to better protect these accounts?

Leo Johnson

Jarvis Sun-MSFT, Microsoft Vendor

@Leo Johnson Thanks for posting in our Q&A.
For your question, I did some research and found some explanation as below.

Conditional Access policies apply to all user accounts. This includes user accounts that are used as service accounts. Often, a service account that runs unattended can't satisfy the requirements of a Conditional Access policy. For example, multi-factor authentication might be required.
If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.

Hope it can help.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
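The two options in the answer above, shown as an added PowerShell example that is not part of the original thread or of Microsoft's documentation. The first part is a runbook fragment that authenticates with the Automation account's system-assigned managed identity instead of a stored user credential, so there is no password-based sign-in for a Conditional Access policy to block. The second part creates the location-based policy itself through Microsoft Graph PowerShell, scoped to a group of remaining service accounts and with a separate exclusion group for the ones that still cannot comply; the policy starts in report-only mode so its effect can be checked in the sign-in logs before enforcement. The group object IDs, the resource group name and the policy display name are placeholders, and the Automation account is assumed to already have its managed identity enabled and granted an Azure RBAC role on the target resources.

```powershell
# ---- Part 1: Azure Automation runbook using a managed identity (assumed enabled on the account) ----
# Replaces: $cred = Get-AutomationPSCredential -Name 'svc-account'; Connect-AzAccount -Credential $cred
# A managed identity has no password and cannot be used interactively, so the trusted-location policy
# no longer has to be bypassed or weakened for this workload.

# Prevent the runbook from reusing a context cached by an earlier job in the same sandbox.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the Automation account's system-assigned managed identity.
Connect-AzAccount -Identity | Out-Null

# Example task: list VM provisioning state in a placeholder resource group.
Get-AzVM -ResourceGroupName '<resource-group-placeholder>' |
    Select-Object Name, ProvisioningState

# ---- Part 2: Conditional Access policy for the service accounts that remain (Graph PowerShell SDK) ----
# Requires the Microsoft.Graph.Identity.SignIns module and an admin with the scope below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Service accounts - block outside trusted locations'   # placeholder name
    # Report-only first: sign-ins are evaluated and logged, nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            # Group holding the user-based service accounts (placeholder object ID).
            includeGroups = @('<service-accounts-group-object-id>')
            # Temporary workaround from the answer: accounts that cannot comply yet (e.g. the
            # Dynamics integration account) live in a separate, reviewed exclusion group.
            excludeGroups = @('<ca-exclusion-group-object-id>')
        }
        applications = @{
            includeApplications = @('All')
        }
        locations = @{
            # Apply everywhere except the tenant's trusted named locations.
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.DisplayName) ($($created.Id)) in state $($created.State)"
```

Keep the exclusion group small and audited; once the Automation workload runs under its managed identity, remove its old user account from the exclusion group and disable it, then switch the policy state to `enabled` after the report-only results confirm that only expected sign-ins would be blocked.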