The Conditional Access Experiment

Some time ago I was inspired to check something out. Almost all schools are working with Teams nowadays, and so is my son’s school.

After installing Teams and logging in with my son’s Office 365 account, I was asked the famous question whether I wanted to “allow my organization to manage my device”.

Okay… So the school allows anyone to register a device to their tenant? I guess the school has a lot of devices to manage. If it were up to me, I would configure the MDM user scope so that only teachers could enroll their devices into MDM, but that’s not what this blog is about.

I could not help my curiosity, so I tried to open portal.azure.com with his account to check how many devices are registered. It’s good that they have disabled access to the Azure AD portal, but luckily there is always PowerShell. Within a few minutes I had a big CSV file with all devices and the persons who registered them.

Of course, they could have blocked users from reading other users’ directory information with this PowerShell command:

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

I wrote about the pros and cons of this command in this blog a while ago.

The return of the Azure ad Portal – Call4Cloud

But I find it hard to believe there is no option to block “all” PowerShell with Conditional Access. When you have implemented a Conditional Access rule targeted at the Azure Management app, some PowerShell connections will be blocked, like Login-AzureRmAccount, but what about Connect-AzureAD and Connect-MsolService?

What does Microsoft have to say about the Azure Management app?

*Source: https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

I configured a Conditional Access rule to test it out. As stated, it simply doesn’t block Connect-AzureAD or Connect-MsolService.

Of course, when targeting all cloud apps your PowerShell sessions will also be blocked. In my opinion, targeting all cloud apps is a bad idea, as my fellow security enthusiasts at Workplace Ninja’s write in the blog below.

But targeting all cloud apps and trying to log in with all kinds of PowerShell modules showed me something useful in the sign-in log: the app IDs of the resources these modules authenticate to.

00000002-0000-0000-c000-000000000000 –> AAD Graph API

797f4846-ba00-4fd7-ba43-dac1f8f63013 –> Azure Management

00000003-0000-0000-c000-000000000000 –> Microsoft Graph

So Microsoft does have the possibility to block them, just not through the Conditional Access GUI: there is no option to select Azure Active Directory PowerShell there. It’s a good thing I am not into GUIs a lot…

UPDATE 20-11-2020 (I guess Microsoft is working on this?)

Check out this script (marked in red):

# Sign in with the AzureRM module and take a still-valid refresh token from its token cache
Login-AzureRmAccount

$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = @($context.TokenCache.ReadItems() | Where-Object {$_.TenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken

# Exchange the refresh token for an access token to the Azure portal's internal API (resource 74658136-14ec-4630-ad9b-26e160ff0fc6)
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'

# Headers the portal API expects
$header = @{
    'Authorization'          = 'Bearer ' + $apiToken.access_token
    'Content-Type'           = 'application/json'
    'X-Requested-With'       = 'XMLHttpRequest'
    'x-ms-client-request-id' = [guid]::NewGuid()
    'x-ms-correlation-id'    = [guid]::NewGuid()
}

$url = "https://main.iam.ad.ext.azure.com/api/Policies/"

# Policy body: all users (one user ID excluded), the three PowerShell-facing app IDs, Windows only,
# mobile apps and desktop clients, and a grant that requires a compliant OR hybrid Azure AD joined device
$content = '{"users":{"allUsers":1,"included":{"groupIds":[],"userIds":[]},"excluded":{"groupIds":[],"userIds":["7d0205f4-aeff-41f2-ac94-0f1d9afc078d"]}},"usersV2":{"allUsers":1,"included":{"allGuestUsers":false,"roles":false,"usersGroups":false,"roleIds":[],"groupIds":[],"userIds":[]},"excluded":{"allGuestUsers":false,"roles":false,"usersGroups":true,"roleIds":[],"groupIds":[],"userIds":["7d0205f4-aeff-41f2-ac94-0f1d9afc078d"]}},"servicePrincipals":{"allServicePrincipals":2,"included":{"ids":["00000003-0000-0000-c000-000000000000","00000002-0000-0000-c000-000000000000","797f4846-ba00-4fd7-ba43-dac1f8f63013"]},"excluded":{"ids":[]},"includeAllMicrosoftApps":false,"excludeAllMicrosoftApps":false,"userActions":null},"servicePrincipalsV2":{"allServicePrincipals":2,"included":{"ids":["00000002-0000-0000-c000-000000000000","00000003-0000-0000-c000-000000000000"]},"excluded":{"ids":[]},"includedAppContext":null,"shouldIncludeAppContext":false},"controls":{"controlsOr":true,"blockAccess":false,"challengeWithMfa":false,"compliantDevice":true,"domainJoinedDevice":true,"approvedClientApp":false,"claimProviderControlIds":[],"requireCompliantApp":false,"requirePasswordChange":false,"requiredFederatedAuthMethod":0},"sessionControls":{"appEnforced":false,"cas":false,"cloudAppSecuritySessionControlType":0,"signInFrequencyTimeSpan":{"type":0,"value":0},"signInFrequency":0,"persistentBrowserSessionMode":0},"conditions":{"minUserRisk":{"lowRisk":false,"mediumRisk":false,"highRisk":false,"applyCondition":false},"minSigninRisk":{"noRisk":false,"lowRisk":false,"mediumRisk":false,"highRisk":false,"applyCondition":false},"devicePlatforms":{"all":2,"included":{"android":false,"ios":false,"windowsPhone":false,"windows":true,"macOs":false},"excluded":{"android":false,"ios":false,"windowsPhone":false,"windows":false,"macOs":false},"applyCondition":true},"locations":{"includeLocationType":0,"excludeAllTrusted":false,"applyCondition":false},"namedNetworks":{"includeLocationType":0,"excludeLocationType":2,"includeTrustedIps":false,"excludeTrustedIps":false,"includedNetworkIds":[],"excludedNetworkIds":[],"includeCorpnet":false,"excludeCorpnet":false,"applyCondition":false},"clientApps":{"specificClientApps":true,"webBrowsers":false,"mobileDesktop":true,"exchangeActiveSync":false,"onlyAllowSupportedPlatforms":false,"applyCondition":true},"clientAppsV2":{"webBrowsers":false,"mobileDesktop":true,"modernAuth":true,"exchangeActiveSync":false,"onlyAllowSupportedPlatforms":false,"otherClients":false,"applyCondition":true},"time":{"all":0,"included":{"type":0,"timezoneId":null,"dateRange":{"startDateTime":"10/7/2020 12:00:00 AM","endDateTime":"10/8/2020 12:00:00 AM"},"daysOfWeek":{"day":[0,1,2,3,4,5,6],"startTime":"10/7/2020 12:00:00 AM","endTime":"10/8/2020 12:00:00 AM","allDay":false},"isExcludeSet":false},"excluded":{"type":0,"timezoneId":null,"dateRange":{"startDateTime":"10/7/2020 12:00:00 AM","endDateTime":"10/8/2020 12:00:00 AM"},"daysOfWeek":{"day":[0,1,2,3,4,5,6],"startTime":"10/7/2020 12:00:00 AM","endTime":"10/8/2020 12:00:00 AM","allDay":false},"isExcludeSet":false},"applyCondition":false},"deviceState":{"includeDeviceStateType":0,"excludeDomainJoionedDevice":false,"excludeCompliantDevice":false,"applyCondition":false}},"isAllProtocolsEnabled":true,"isUsersGroupsV2Enabled":true,"isCloudAppsV2Enabled":false,"version":0,"policyId":"45953875-788b-4fd9-8302-dd10390fe801","policyName":"BLOCK - PowerShell_Access_NonManaged_devices","applyRule":true,"policyState":1,"usePolicyState":true,"baselineType":0}'

# Create the policy
Invoke-RestMethod -Uri $url -Headers $header -Method Post -Body $content -ErrorAction Stop

This script targets the three apps I showed you and only grants access to them from a managed device. You can choose to exclude some users who really need it.

Let’s try it: open a PowerShell prompt and try to connect to Azure AD.

Great!! It works. You can check it out in the sign-in logs.
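As an added example (not from the post), here is a small Python triage over an exported sign-in log that verifies the policy from the defender’s side: it counts sign-ins to the three PowerShell-facing app IDs from the post, split by managed versus unmanaged device, lists which users used them (useful for deciding who to exclude), and flags any successful sign-in from an unmanaged device as a gap the policy should have closed. The sample records, UPNs, the fourth resource ID and the error code are constructed; the field names follow the Azure AD sign-in log JSON export.

```python
import json
from collections import Counter, defaultdict

# Resource IDs the post found in the sign-in log for PowerShell logins.
POWERSHELL_RESOURCES = {
    "00000002-0000-0000-c000-000000000000": "AAD Graph API",
    "797f4846-ba00-4fd7-ba43-dac1f8f63013": "Azure Management",
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
}

# Constructed sample records shaped like an Azure AD sign-in log JSON export
# (only the fields read below); UPNs, the last resourceId and the error code
# are made up for this example.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName":"teacher@school.example","resourceId":"00000002-0000-0000-c000-000000000000",
  "conditionalAccessStatus":"success","status":{"errorCode":0},
  "deviceDetail":{"isCompliant":true,"trustType":"Hybrid Azure AD joined"}},
 {"userPrincipalName":"student@school.example","resourceId":"00000003-0000-0000-c000-000000000000",
  "conditionalAccessStatus":"failure","status":{"errorCode":53000},
  "deviceDetail":{"isCompliant":false,"trustType":""}},
 {"userPrincipalName":"student@school.example","resourceId":"797f4846-ba00-4fd7-ba43-dac1f8f63013",
  "conditionalAccessStatus":"notApplied","status":{"errorCode":0},
  "deviceDetail":{"isCompliant":false,"trustType":"Azure AD registered"}},
 {"userPrincipalName":"student@school.example","resourceId":"11111111-1111-1111-1111-111111111111",
  "conditionalAccessStatus":"notApplied","status":{"errorCode":0},
  "deviceDetail":{"isCompliant":false,"trustType":""}}
]""")

def is_managed(record):
    """Mirror the policy's grant controls: Intune compliant or hybrid Azure AD joined."""
    dev = record.get("deviceDetail") or {}
    return bool(dev.get("isCompliant")) or dev.get("trustType") == "Hybrid Azure AD joined"

def triage(signins):
    """Return (counts per resource, gaps, users per resource); a gap is a
    successful sign-in to one of the three apps from an unmanaged device."""
    counts = {name: Counter() for name in POWERSHELL_RESOURCES.values()}
    users, gaps = defaultdict(set), []
    for rec in signins:
        name = POWERSHELL_RESOURCES.get(rec.get("resourceId"))
        if name is None:  # some other app, not one of the PowerShell-facing resources
            continue
        managed = is_managed(rec)
        counts[name]["managed" if managed else "unmanaged"] += 1
        users[name].add(rec["userPrincipalName"])
        if not managed and (rec.get("status") or {}).get("errorCode") == 0:
            gaps.append((rec["userPrincipalName"], name, rec.get("conditionalAccessStatus")))
    return counts, gaps, dict(users)
```

Run it against a real export by replacing SAMPLE_SIGNINS with the parsed file; an Azure AD registered device is deliberately treated as unmanaged, since the policy only accepts compliant or hybrid-joined devices.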

Conclusion:

It’s nice to see you can completely block remote PowerShell to your tenant. I had some bad feelings about breaking something by blocking this, but so far everything I tested works! Enrolling a new device into Azure AD with Autopilot (-online) works without any problems (don’t forget to exclude the users who need this).

I will be testing some more next week, to make sure nothing breaks.
