In a on-premise Active Directory a normal user can read the directory by default using a LDAP browser. We put firewall and other security measure in place so that it is impossible to reach from the outside.
When we sync all our users to Azure Active Directory – I often see that no security measure are in place. In my work I see a lot of installations where ADFS is the only security measure – ADFS is used to login in to Azure AD without having the users password in the cloud – but the ADFS is setup to allow all authenticated users.
Last week I was at a customer where I showed them that a standard user can get access to browse there AzureAD users, groups and enterprise apps in the AzureAD. This was not acceptable by there security department, and I totally agree. So we used Azure AD conditional access to control the access both for on-premise users and cloud only users.
What is the problem:
When a user log in to the old Azure AD portal https://manage.windowsazure.com the user gets this message:
No access – no problem!
When the user log in to the new Azure AD portal https://aad.portal.azure.com the use gets this:
Yes there is settings and data a standard users cannot see, like “Users Sign-ins” and the user cannot change anything in AzureAD.
It is the same if the standard user logs in to https://portal.azure.com but then the user can see under “My permissions” that there is no access to any subscriptions and there is no access to other resources in Azure.
Standard user can create a support ticket on:
- Subscription management
What is the solutions:
The quick fix for this is Conditional Access on the cloud App Microsoft Azure Management.
How to setup Conditional Access for Microsoft Azure Management:
Login with a admin to https://aad.portal.azure.com
Go to Security – Conditional access
Click New policy
Give the CA policy a name
Click on Users and groups
Select All users
Remember to select a Exclude user or you have removed your access to change this policy
Click Select excluded users
Select a group with least one global admin !!!
Select Cloud apps
Click Select apps
Search for Microsoft Azure Management and select the app
Select Client apps
Click Yes – the both Browser and Mobile apps and desktop clients will be blocked
Info: Use Locations if you only whats this to apply outside your trusted network
Click Block access
Click On to enable the Conditional Access policy
Now you have blocked the access for standard users from accessing your AzureAD.
When the policies is in effect the user will get this message when accessing the Azure portal from a browser or from the mobile Azure app
There is also another way to do this:
Conditional Access requires Azure AD Premium license – if you don’t have that there is also another way.
This will only apply to standard users – and not a user with privileged access (User administrator, password administrator, etc.) and you cannot do inside/outside rule like in the Conditional Access.
Inside the Azure AD you can set:
Go to User settings – Administration portal
Restrict Access to Azure AD administration portal to Yes.
This will not block your users from accessing https://portal.azure.com
This will only create a Access denied when accessing the AzureAD.