All Content
Control Azure (and beyond) Tooling Access
Azure Weekly Update
Jul 24, 2023 12:03 PM

Control Azure (and beyond) Tooling Access

by HubSite 365 about John Savill's [MVP]

Principal Cloud Solutions Architect

External YouTube Channel
Azure DataCenter

Looking at how to secure and control access to various tools for Azure (and other Microsoft admin interfaces).

The text discusses securing and controlling access to various tools for Azure (and other Microsoft admin interfaces). A demonstration is shown on how to block access to these tools, mentioning that instead of blocking, one could require other controls like Multi-Factor Authentication (MFA).

The discussion takes on the following key points:

  • Introduction
  • Azure control plane, ARM
  • Blocking ARM
  • Blocking portals
  • Demonstration of ARM block
  • Demo portal block
  • Adding in some PIM
  • Summary

Microsoft Azure Management Conditional Access Policy

The Conditional Access policy in Microsoft Azure Management is applicable to the following services, collectively referred to as the Microsoft Azure Management application:

  • Azure Resource Manager
  • Azure portal (also includes Microsoft Entra admin center)
  • Azure Data Lake
  • Application Insights API
  • Log Analytics API

The policy is implemented for tokens issued to these applications' IDs. Consequently, services, clients, or APIs that are dependent on Azure API service may be indirectly affected. These include:

  • Classic deployment model APIs
  • Azure PowerShell
  • Azure CLI
  • Azure DevOps
  • Azure Data Factory portal
  • Azure Event Hubs
  • Azure Service Bus
  • Azure SQL Database
  • SQL Managed Instance
  • Azure Synapse
  • Visual Studio subscriptions administrator portal
  • Microsoft IoT Central

Important Note

The Microsoft Azure Management application pertains to Azure PowerShell, which uses the Azure Resource Manager API. It does not, however, apply to Azure AD PowerShell that employs the Microsoft Graph API.

For a detailed guide on creating a sample policy for Microsoft Azure Management, refer to Conditional Access: Require MFA for Azure management.

Pro Tip

For Azure Government usage, target the Azure Government Cloud Management API application.


More on Control Azure Access

Controlling access to Azure and other Microsoft admin interfaces is a crucial part of maintaining security. The use of blocking or Multi-Factor Authentication (MFA) is key to help in ensuring that only authorized users can access these administrative tools. The given demonstration provides an illustrative and practical guide on how to effectively control the access of the Azure Online Management API, referred to here as ARM. Plus, it gives insights on the need to add in some PIM for better access control.

Learn about Control Azure (and beyond) Tooling Access


Controling access to various tools for Azure (and other Microsoft admin interfaces) is an important issue. In this text, we will look at how to secure and control access to these tools. Examples of blocking access will be provided in order to show the effectiveness of the policy. We will also cover how to use PIM (Privileged Identity Management) to control access. Finally, we will provide links to Microsoft documentation and a whiteboard to help explain the concepts.

Azure control plane and ARM (Azure Resource Manager) will be discussed, as well as how to block access to ARM. Blocking portals will also be covered, with a demonstration of a blocked ARM and a blocked portal. Adding in PIM will be discussed, and a summary of the key points will be provided.

This text provides important information and links to help secure and control access to Azure (and other Microsoft admin interfaces). Blocking access will be discussed, as well as using PIM to control access. It is important to understand these concepts in order to properly secure access to tools.


More links on about Control Azure (and beyond) Tooling Access

What is Azure role-based access control (Azure RBAC)?
Aug 21, 2022 — Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources.
Azure security monitoring tools
Mar 23, 2023 — Use security monitoring tools in Azure. ... Azure role-based access control (Azure RBAC), Azure Blueprints, subscriptions, and more.
Secure access practices for administrators in Azure AD
Mar 15, 2023 — Sign in to the Azure portal with an account that is a Global Administrator of your Azure AD production organization. To select the Azure AD ...
What is Conditional Access in Azure Active Directory?
Jun 22, 2023 — Azure AD Conditional Access brings signals together, to make decisions, and enforce organizational policies. Conditional Access is ...
Azure Lighthouse
Azure Lighthouse enforces security best practices with just-in-time access, role-based access control (RBAC), and on-demand auditing capabilities.
Azure Active Directory is Becoming Microsoft Entra ID
Azure Active Directory (Azure AD) is becoming Microsoft Entra ID. Explore this cloud identity and access management solution that safeguards your data.
Azure Monitor - Modern Observability Tools
Gain end-to-end observability into your applications, infrastructure, and network both on cloud and hybrid environments with Azure Monitor.
Microsoft Azure: Cloud Computing Services
Optimize your infrastructure with popular Azure solutions and services. · Create advanced, cloud-based analytics solutions at enterprise scale. · Get tools and ...
Demystifying Azure PIM: What it is, How it Works, What…
Dec 7, 2020 — Learn what Microsoft Azure Privileged Identity Management (PIM) is, how it works, it's limitations and shortfalls, and alternative security ...


Azure Tooling Access, Securing Access to Microsoft Interfaces, Blocking ARM, Blocking Portals, PIM, Conditional Access Cloud Apps.