Blocking PowerShell for EDU Tenants

Overview

By default in Microsoft 365, any member user in Microsoft Entra ID can use common tools to connect to the tenant and view/download user details and directory information. This article explains how to block several common tools that might be used for this purpose.

Blocking PowerShell

To block the PowerShell App ID, follow the instructions below.

Block PowerShell for everyone except me

This script will block PowerShell for everyone in the tenant, except the person running the script. Use with caution to ensure you don't block users (for example, IT admins) who will need access.

  1. Download the PowerShell script located here and save in c:\temp

  2. Launch PowerShell and run the cmd below:

    Set-Location c:\temp

  3. Type the cmd below and press enter

    .\Block-PowerShell_for_everyone_except_me.ps1

  4. If anyone attempts to authenticate using the Azure AD v2 PowerShell module, they'll receive an error similar to the one shown below:

Powershell error for Azure AD v2 authentication.

Block PowerShell for everyone except a list of admins

This script will block PowerShell for everyone in the tenant, except for a list of users specified in the CSV file. Double-check that your list is correct.

  1. Download the PowerShell script located here and the sample CSV file located here, and save both in c:\temp

  2. Open the CSV and update the UserPrincipalName list with every admin that requires PowerShell access. Once updated, save and close the CSV file.

    CSV file to update the UserPrincipal name.

  3. Launch PowerShell and run the cmd below:

    Set-Location c:\temp

  4. Type the cmd below and press enter.

    .\Block-PowerShell_for_everyone_except_a_list_of_admins.ps1

Block MS Graph PowerShell for everyone except me

This script will block the MS Graph PowerShell module for everyone in the tenant, except the person running the script. Use with caution.

  1. Download the PowerShell script located here and save in c:\temp

  2. Launch PowerShell and run the cmd below:

    Set-Location c:\temp

  3. Type the cmd below and press enter

    .\Block-PowerShell_for_everyone_except_me.ps1

  4. If anyone attempts to authenticate using the MS Graph PowerShell module, they'll receive an error similar to the one shown below:

    Powershell error when trying to authenticate using MS Graph.

Block MS Graph PowerShell for Everyone except a list of users

This script will block the MS Graph PowerShell module for everyone in the tenant, except for a list of users specified in the CSV file. Use with caution.

  1. Download the PowerShell script located here and the sample CSV file located here, and save both in c:\temp

  2. Open the CSV and update the UserPrincipalName list with every admin that requires PowerShell access. Once updated, save and close the CSV file.

    CSV file and update UserPrincipalName.

  3. Launch PowerShell and run the cmd below:

    Set-Location c:\temp

  4. Type the cmd below and press enter

    .\Block-MS_Graph_module_for_everyone_except_a_list_of_admins.ps1

Blocking MS Graph Explorer

To block MS Graph Explorer for targeted users, follow the instructions below to set up a Conditional Access policy.

Conditional Access in Microsoft Entra ID requires Microsoft Entra ID P1.

  1. Go to Conditional Access in the Microsoft Entra admin center.

  2. Select New Policy.

  3. Provide a name for the policy like Block Graph Explorer.

  4. Select the users to apply the policy against, and admins to exclude from the policy.

    Select users to apply policy against.

    Select admins to exclude from policy.

  5. Select the Graph Explorer apps.

    Select the Graph Explorer apps.

  6. Select the Block Access Option and Switch the policy to On.

    Select Block Access option and switch policy to on.

  7. Select Create.

Blocking the MSOL Module

To block the MSOL PowerShell Module for end users, follow the instructions below.

Note

If you haven't already, you will need to consent to the delegated Directory.AccessAsUser.All permission before making this PATCH call.

  1. Log into MS Graph Explorer.

  2. Select the sign-in button on the left-hand navigation pane.

    Click sign-in button.

  3. In the Query builder, select PATCH from the first dropdown menu, and beta from the second dropdown menu.

    select PATCH.

  4. In the URL bar, enter the string listed below:

    https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy

    enter the string listed below.

  5. In the Request Body text block, enter the code below and select Run query.

    {"blockMsolPowerShell": true}

    enter the code below and click run query.

  6. Once “blockMsolPowerShell” is set to true, users will get this error if they try to call any MSOL cmdlets:

    Error when user tries to call MSOL cmdlets.
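The same PATCH call made from the Microsoft Graph PowerShell SDK instead of Graph Explorer, reading the policy back to confirm the flag actually changed. This is an added example, not part of the original article; it assumes the Microsoft.Graph.Authentication module is installed and uses the delegated scope the article names.

```powershell
# Added example (not from the original article): sets blockMsolPowerShell
# through the Microsoft Graph PowerShell SDK and verifies the result.
# Assumes the Microsoft.Graph.Authentication module is installed and the
# signed-in account can consent to the delegated scope named in the article.

# Sign in with the article's prerequisite scope.
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

$uri = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"

# Read the current value before changing anything.
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
"blockMsolPowerShell before: $($before.blockMsolPowerShell)"

# Same request body the article enters in Graph Explorer.
Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body @{ blockMsolPowerShell = $true } -ContentType "application/json"

# Verify: an empty or $false value means the PATCH did not apply
# (typically missing consent or an insufficient role).
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($after.blockMsolPowerShell -ne $true) {
    throw "blockMsolPowerShell is still '$($after.blockMsolPowerShell)'; check consent and role."
}
"blockMsolPowerShell after: $($after.blockMsolPowerShell)"

Disconnect-MgGraph
```

The GET before and after gives you an audit trail of the change; to reverse it, send the same PATCH with `$false`.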

Blocking Exchange Online PowerShell

To block the access to PowerShell in Exchange Online, follow the instructions at the link below.

Enable or disable access to Exchange Online PowerShell

Control access to Intune PowerShell

By default, once a Global Administrator consents to the Microsoft Intune PowerShell Microsoft Entra application for access to a tenant, all users are granted access. Users who are granted access to the Microsoft Intune PowerShell application are still limited by their permissions from Microsoft Entra roles or Intune role-based access control, but with access to PowerShell they could perform bulk exports of data. You can easily change the App Registration so that only specific users can use Microsoft Intune PowerShell.

Limit access

To limit user access, you can change the application to require user assignment. To do this:

  1. Open the Microsoft Entra Admin Console.

  2. Select Enterprise Applications.

  3. Find and select Microsoft Intune PowerShell in the list.

  4. Select Properties.

  5. Change User assignment required? to Yes.

Change User assignment required to Yes.

  6. Select Save.

Add or remove users

To add or remove users of the Microsoft Intune PowerShell application:

  1. Open the Microsoft Entra Admin Console.

  2. Select Enterprise Applications.

  3. Find and select Microsoft Intune PowerShell in the list.

  4. Select Users and groups.

  5. Modify access as required.

Add a user.
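The "Limit access" and "Add or remove users" steps above, done with the Microsoft Graph PowerShell SDK instead of the portal so the change can be scripted and verified. This is an added example, not part of the original article; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules are installed, and the admin UPN is a placeholder.

```powershell
# Added example (not from the original article): require user assignment on
# the Microsoft Intune PowerShell enterprise application and assign one admin.
# Assumes Microsoft.Graph.Applications and Microsoft.Graph.Users are installed.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "User.Read.All"

# Locate the enterprise application (service principal) by display name.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune PowerShell'"
if (-not $sp) { throw "Microsoft Intune PowerShell has not been consented in this tenant." }
if (@($sp).Count -gt 1) { throw "More than one service principal matched; refine the filter." }

# 'Limit access' step 5: require an assignment before anyone can sign in.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 'Add or remove users': grant the default access role to one admin.
# The all-zero AppRoleId is the default access role for apps that define no roles.
$adminUpn = "admin@contoso.example"   # placeholder; replace with the real UPN
$user = Get-MgUser -UserId $adminUpn
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId ([Guid]::Empty) | Out-Null

# Verify: the flag is set and the admin appears in the assignment list.
$check = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
"AppRoleAssignmentRequired: $($check.AppRoleAssignmentRequired)"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime

Disconnect-MgGraph
```

To remove a user, pass the assignment's Id from the final listing to Remove-MgServicePrincipalAppRoleAssignedTo.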