Require Privileged Workstation for Admin Access with Conditional Access

The concept of privileged admin workstations has been around for many years, but it has mainly been possible to accomplish this concept on-prem. With the recent addition of Conditional Access device filters, we now have a way to target (or not target) specific machines with a Conditional Access policy. In this blog post I showcase an example of a Conditional Access policy that only allows admin access to Azure management tools from certain Azure AD managed machines, specified by device ID GUID’s.

Note: In this example, I target Global Admins, and Security Admins, but you could target more roles, or use Azure AD groups for targeting instead.

Conditional Access Policy: BLOCK – Require Admin Workstations

Create a new Conditional Access policy and name it something like BLOCK – Require Admin Workstations. This policy will block users with certain privileged admin roles from signing in to the Azure Portal, and Azure PowerShell from all devices, except from a couple of specified registered Windows devices.

Remember to always exclude your Azure AD group with your break glass accounts.

Make sure the policy will trigger on access to the Microsoft Azure Management app.

And this is where the magic happens. With the device filters condition, exclude all your admin workstations by checking for the Device ID (you find the Device ID GUID for each device in Azure AD). This means that the admin must sign in from a managed device with one of the specified device ID’s to access the Azure management tools.

Finally, set the policy to Block access. Make sure you have excluded your break glass accounts again before enabling this policy.

Summary

By using the device filters rule, we can require the use of certain devices for accessing certain apps in Azure AD. I’ve tried this concept in a couple of tenants and it seams to be working really well. This is a simple example but as you can imagine, this opens up a lot of new possibilities for securing the cloud. I hope this inspires you to create your own policies!

Please follow me here, on LinkedIn, and on Twitter!

@DanielChronlund

2 thoughts on “Require Privileged Workstation for Admin Access with Conditional Access

  1. Nice Addition that eventually you can enforce by adding trusted location in exclusion and block any other location

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s