Protecting Service Accounts with Conditional Access

Leo Johnson 151 Reputation points
2021-06-29T09:50:51.857+00:00

Hi y'all,

At the moment we are trying to enhance the security of our service accounts with Conditional Access.

We only allow the service accounts be used from trusted locations.

All our accounts work fine, except the Azure Automations and Dynamics service accounts.

Why does this not work and what can we do to better protect these accounts?

Leo Johnson

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,305 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,389 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Jarvis Sun-MSFT 10,091 Reputation points Microsoft Vendor
    2021-06-30T08:45:47.77+00:00

    @Leo Johnson Thanks for posting in our Q&A.
    For our question, I did some research and found some explanation as below.

    Conditional Access policies apply to all user accounts. This includes user accounts that are used as service accounts. Often, a service account that runs unattended can't satisfy the requirements of a Conditional Access policy. For example, multi-factor authentication might be required.
    If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.
    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/faqs#does-a-conditional-access-policy-apply-to-service-accounts

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.