The Azure AD portal strikes back

The Azure AD portal strikes back

Reconnaissance is the first phase in hacking. It’s a systematic approach to gather information about your target. It’s up to you to prevent access to the Azure AD administration portal.

It’s very easy to implement within the GUI. Search for the Azure AD/user settings, you’ll find the option to restrict access.

  Alternatively, you could add this to your tenant enrollment scripts:

login-azurermaccount

$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = @($context.TokenCache.ReadItems() | where {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'

$header = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'Content-Type' = 'application/json'
    'X-Requested-With'= 'XMLHttpRequest'
    'x-ms-client-request-id'= [guid]::NewGuid()
    'x-ms-correlation-id' = [guid]::NewGuid()
    }

#Restrict Admin Portal Users
$url = "https://main.iam.ad.ext.azure.com/api/Directories/Properties"
$contentpart1 = '{"restrictNonAdminUsers":true}'
$content = $contentpart1
Invoke-RestMethod –Uri $url –Headers $header –Method PUT -Body $content -ErrorAction Stop

When a naughty user wants to access the Azure ad portal, the setting you defined kicks in.

Conclusion

It’s one the most important (and forgotten) setting in the Azure AD. Prevent the first hacking phase with just one simple setting. In my opinion, no standard user needs to have access to the Azure AD portal.

One thought on “The Azure AD portal strikes back

  1. Pingback: The return of the Azure ad Portal - Call4Cloud

Leave a Reply

Your email address will not be published. Required fields are marked *

1  +  1  =