Block external access for Service Accounts using Conditional Access in Azure AD

Posted in : Intune, Office 365 By Joel Jerkin Translate with Google ⟶

5 years ago

Conditional Access in Azure Active Directory is normally used for users and administrators to secure and control company data in Office 365 and Azure, but what about Service Accounts? Aren’t they a potential security risk?
Using Service Accounts for scripts and other tasks related to Office 365, Azure and Azure AD is a normal practice along companies, sometimes the accounts has full administrative permissions (Global Admin for Office 365, Owner of a subscription/resource group in Azure) and sometimes the accounts has delegated privileges but they all have more permissions than a regular user.
In this post we will cover how you can use Conditional Access to block sign-ins from service accounts outside the company main datacenter to make sure they are only used on servers located on networks that the company has control over.

Open portal.azure.com and go to Azure Active Directory and Conditional Access under Security
Go to Named locations and Add the external IP address of the data center(s) that should be allowed for the service accounts to sign-in from.
Create a new policy and name it “Block external access for service accounts”
Select the Service Accounts or an Azure AD Group, in our case we use a groups that will contain all the service accounts
In Cloud apps, select All cloud apps
For Conditions, select Locations and Configure. Select Any location in the Include tab
Also in Conditions and Locations, select the Exclude tab and select the location of the data center added in step 2.
For Access, go to Grant and select Block access
Select On for Enable policy, and verify all settings before creating it.
The policy should now look like the following:

Conditional Access policy – Block external access for service accounts