Conditional Access block Microsoft Azure CLI

Using the Azure Portal:

1. Sign in to the Azure portal as at least a Conditional Access Administrator.

2. Navigate to Microsoft Entra ID > Security > Conditional Access > Policies.

3. Select New policy.

4. Give your policy a Name.

5. Under Assignments, select Users or workload identities.

   • Choose who the policy will apply to (e.g., All users, specific groups).

   • It's recommended to Exclude emergency access or break-glass accounts.

6. Under Target resources > Cloud apps > Include, select Select apps.

   • Search for and select Windows Azure Service Management API. This service principal represents the Azure Resource Manager and includes access via the Azure CLI.

7. Under Access controls > Grant, select Block access, and then click Select.

8. Confirm your settings and set Enable policy to On. (It's often recommended to start in Report-only mode to assess the impact before fully enabling).

9. Select Create.

What this policy does:

This policy targets the "Windows Azure Service Management API," which is the underlying API used by the Azure CLI to manage Azure resources. By blocking access to this API, you effectively prevent users within the scope of the policy from logging in using the Azure CLI.

Important Considerations:

• Impact: Blocking access to the "Windows Azure Service Management API" will prevent users from managing Azure resources through the Azure CLI. Ensure this aligns with your organization's needs and that affected users have alternative methods for management, if required.

• Exclusions: Carefully consider excluding administrative accounts or break-glass accounts from this policy to prevent accidental lockout scenarios.

• Report-only mode: Before fully enabling the policy, use the "Report-only" mode to monitor the potential impact on users' sign-in attempts. This allows you to identify any unintended consequences.

• Service Principals and Managed Identities: Conditional Access policies targeting users do not apply to service principals or managed identities. If you need to restrict their access, you would need to create separate Conditional Access policies for workload identities.

By implementing this Conditional Access policy, you can effectively control and block Azure CLI logins for specific users or groups within your organization.