Control Azure (and beyond) Tooling Access

by HubSite 365 about John Savill's [MVP]

Principal Cloud Solutions Architect

External YouTube Channel

Azure DataCenter

Looking at how to secure and control access to various tools for Azure (and other Microsoft admin interfaces).

The text discusses securing and controlling access to various tools for Azure (and other Microsoft admin interfaces). A demonstration is shown on how to block access to these tools, mentioning that instead of blocking, one could require other controls like Multi-Factor Authentication (MFA).

The discussion takes on the following key points:

Introduction
Azure control plane, ARM
Blocking ARM
Blocking portals
Demonstration of ARM block
Demo portal block
Adding in some PIM
Summary

Microsoft Azure Management Conditional Access Policy

The Conditional Access policy in Microsoft Azure Management is applicable to the following services, collectively referred to as the Microsoft Azure Management application:

Azure Resource Manager
Azure portal (also includes Microsoft Entra admin center)
Azure Data Lake
Application Insights API
Log Analytics API

The policy is implemented for tokens issued to these applications' IDs. Consequently, services, clients, or APIs that are dependent on Azure API service may be indirectly affected. These include:

Classic deployment model APIs
Azure PowerShell
Azure CLI
Azure DevOps
Azure Data Factory portal
Azure Event Hubs
Azure Service Bus
Azure SQL Database
SQL Managed Instance
Azure Synapse
Visual Studio subscriptions administrator portal
Microsoft IoT Central

Important Note

The Microsoft Azure Management application pertains to Azure PowerShell, which uses the Azure Resource Manager API. It does not, however, apply to Azure AD PowerShell that employs the Microsoft Graph API.

For a detailed guide on creating a sample policy for Microsoft Azure Management, refer to Conditional Access: Require MFA for Azure management.

Pro Tip

For Azure Government usage, target the Azure Government Cloud Management API application.

More on Control Azure Access

Controlling access to Azure and other Microsoft admin interfaces is a crucial part of maintaining security. The use of blocking or Multi-Factor Authentication (MFA) is key to help in ensuring that only authorized users can access these administrative tools. The given demonstration provides an illustrative and practical guide on how to effectively control the access of the Azure Online Management API, referred to here as ARM. Plus, it gives insights on the need to add in some PIM for better access control.

Learn about Control Azure (and beyond) Tooling Access

Controling access to various tools for Azure (and other Microsoft admin interfaces) is an important issue. In this text, we will look at how to secure and control access to these tools. Examples of blocking access will be provided in order to show the effectiveness of the policy. We will also cover how to use PIM (Privileged Identity Management) to control access. Finally, we will provide links to Microsoft documentation and a whiteboard to help explain the concepts.

Azure control plane and ARM (Azure Resource Manager) will be discussed, as well as how to block access to ARM. Blocking portals will also be covered, with a demonstration of a blocked ARM and a blocked portal. Adding in PIM will be discussed, and a summary of the key points will be provided.

This text provides important information and links to help secure and control access to Azure (and other Microsoft admin interfaces). Blocking access will be discussed, as well as using PIM to control access. It is important to understand these concepts in order to properly secure access to tools.

Keywords

Azure Tooling Access, Securing Access to Microsoft Interfaces, Blocking ARM, Blocking Portals, PIM, Conditional Access Cloud Apps.