Blocking PowerShell for EDU Tenants
Overview
By default in Microsoft 365, any member user in Microsoft Entra ID can use common tools to connect to the tenant and view/download user details and directory information. This article explains how to block several common tools that might be used for this purpose.
Blocking PowerShell
To block the PowerShell App ID, follow the instructions below.
Block PowerShell for everyone except me
This script will block PowerShell for everyone in the tenant, except the person running the script. Use with caution to ensure you don't block users (for example, IT admins) who will need access.
Download the PowerShell script located here and save in c:\temp
Launch PowerShell and run the cmd below:
Set-Location c:\temp
Type the cmd below and press enter
.\Block-PowerShell_for_everyone_except_me.ps1
If anyone attempting to authenticate using the Azure AD v2 PowerShell module, they'll receive an error similar to what’s shown below:
Block PowerShell for everyone except a list of admins
This script will block PowerShell for everyone in the tenant, except for a list of users specified in the CSV file. Double check your list is correct.
Download the PowerShell script located here and the sample CSV file located here, and save both in c:\temp
Open the CSV and update the UserPrincipalName list with every admin that requires PowerShell access. Once updated, save and close the CSV file.
Launch PowerShell and run the cmd below:
Set-Location c:\temp
Type the cmd below and press enter.
.\Block-PowerShell_for_everyone_except_a_list_of_admins.ps1
Block MS Graph PowerShell for everyone except me
This script will block the MS Graph PowerShell module for everyone in the tenant, except the person running the script. Use with caution.
Download the PowerShell script located here and save in c:\temp
Launch PowerShell and run the cmd below:
Set-Location c:\temp
Type the cmd below and press enter
.\Block-PowerShell_for_everyone_except_me.ps1
If anyone attempting to authenticate using the MS Graph PowerShell module, they'll receive an error similar to what’s shown below:
Block MS Graph PowerShell for Everyone except a list of users
This script will block MS Graph PowerShell module for everyone in the tenant, except for a list of users specified in the CSV file. Use with caution.
Download the PowerShell script located here and the sample CSV file located here, and save both in c:\temp
Open the CSV and update the UserPrincipalName list with every admin that requires PowerShell access. Once updated, save and close the CSV file.
Launch PowerShell and run the cmd below:
Set-Location c:\temp
Type the cmd below and press enter
.\Block-MS_Graph_module_for_everyone_except_a_list_of_admins.ps1
Blocking MS Graph Explorer
To block MS Graph Explorer for targeted users, follow the instructions below to set up Conditional Access Policy.
Conditional Access in Microsoft Entra ID requires Microsoft Entra ID P1.
Go to Conditional Access in the Microsoft Entra admin center.
Select New Policy.
Provide a name for the policy like Block Graph Explorer.
Select the users to apply the policy against, and admins to exclude from the policy.
]
Select the Graph Explorer apps.
Select the Block Access Option and Switch the policy to On.
Select Create.
Blocking the MSOL Module
To block the MSOL PowerShell Module for end users, follow the instructions below.
Note
If not done already, you will need to consent to delegated Directory.AccessAsUser.All before making this PATCH call.
Log into MS Graph Explorer.
Select the sign-in button on the left-hand navigation pane.
In the Query builder, select PATCH from the first dropdown menu, and select beta second dropdown menu.
In the bar with the URL, enter the string listed below
https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
In the Request Body text block, enter the code below and select Run query.
{"blockMsolPowerShell": true}
Once “blockMsolPowerShell” is set to true, users will get this error if they try to call any MSOL cmdlets:
Blocking Exchange Online PowerShell
To block the access to PowerShell in Exchange Online, follow the instructions at the link below.
Enable or disable access to Exchange Online PowerShell
Control access to Intune PowerShell
By default, once a Global Administrator consents for the Microsoft Intune PowerShell Microsoft Entra Application for access to a tenant, all users are granted access. Users who are granted access to the Microsoft Intune PowerShell application are still limited by their permissions from Microsoft Entra roles or Intune role-based access control, but with access to PowerShell could perform bulk exports of data. You can easily change the App Registration so that only specific users can use Microsoft Intune PowerShell.
Limit access
To limit user access, you can change the application to require user assignment. To do this:
Open the Microsoft Entra Admin Console.
Select on Enterprise Applications.
Find and select on Microsoft Intune PowerShell in the list.
Select Properties.
Change User assignment required? to Yes.
- Select Save.
Add or remove users
To add or remove users of the Microsoft Intune PowerShell application:
Open the Microsoft Entra Admin Console.
Select on Enterprise Applications.
Find and select on Microsoft Intune PowerShell in the list.
Select Users and groups.
Modify access as required.