
Azure Cloud Shell: Add support for Device Conditional Access #8158

Open
lly-unik opened this issue Nov 4, 2020 · 7 comments
Labels
Area-AzureShell Workitems pertaining to the Azure Cloud Shell connection. Help Wanted We encourage anyone to jump in on these. Issue-Task It's a feature request, but it doesn't really need a major design. Priority-3 A description (P3) Product-Terminal The new Windows Terminal.
Milestone

Comments

lly-unik commented Nov 4, 2020

Environment

Windows build number: 10.0.19042.572
Windows Terminal version (if applicable): 1.3.2651.0

Steps to reproduce

Open Azure Cloud shell and attempt to connect with our Azure tenant

Pre-requisite

Our company uses Azure Conditional Access policies and requires computers to be domain-joined devices in order to connect with our tenant without multi-factor.

Expected behavior

I would expect the cloud shell to connect once I have completed the steps listed in the prompt (i.e. enter the PIN from the device login web site)
https://devblogs.microsoft.com/commandline/the-azure-cloud-shell-connector-in-windows-terminal/

Actual behavior

I receive the following error:
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 24bab79e-1e96-4524-abd1-833c53a30d00
Correlation ID: ddbce269-f8ca-41e5-9d92-d9bb4d63320f
Timestamp: 2020-10-30 07:27:02Z

Additional notes

I've been made aware that we've seen a similar error when using the Azure Storage Explorer.
https://feedback.azure.com/forums/217298-storage/suggestions/36283420-conditional-access-support-for-storage-explorer

@ghost ghost added Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting Needs-Tag-Fix Doesn't match tag requirements labels Nov 4, 2020
Don-Vito (Contributor) commented Nov 5, 2020

Not an expert, but were you performing the Device Code Flow (entering device code into prompt)? Asking this because there is a known limitation in the Conditional Access, where it is not aware of the device state, as described here.

lly-unik (Author) commented Nov 5, 2020

Yes, I believe this was what I was trying to do. I just opened the Azure Cloud Shell tab and wanted to authenticate using the flow suggested in the terminal.

What you're suggesting is that we should adjust our conditional access policies according to the above description? So I should be prompted for a multi-factor control when trying to connect through the Azure Cloud Shell?

I'll try and see if I'm able to test this and report back the results.

Don-Vito (Contributor) commented Nov 5, 2020

If it is OK with the security policies of your company, instead of requiring device state related conditions for the relevant apps, you can require user related conditions like MFA. An example can be found at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks.
Of course you can provide additional scoping of this policy to specific apps, users, etc.
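As an added illustration (not part of this thread), here is what the two approaches look like as Microsoft Graph conditionalAccessPolicy objects: the first grants access only from a domain-joined device, which a device code sign-in cannot prove, while the second requires MFA instead. The application ID and display names are placeholders, and both policies are in report-only state so the effect can be reviewed in the sign-in logs before enforcement.

```json
[
  {
    "displayName": "EXAMPLE - device-based grant (device code sign-ins cannot satisfy it)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": { "includeUsers": ["All"] },
      "applications": { "includeApplications": ["<TARGET-APP-ID-PLACEHOLDER>"] },
      "clientAppTypes": ["all"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["domainJoinedDevice"]
    }
  },
  {
    "displayName": "EXAMPLE - user-based grant (works with device code sign-ins)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": { "includeUsers": ["All"] },
      "applications": { "includeApplications": ["<TARGET-APP-ID-PLACEHOLDER>"] },
      "clientAppTypes": ["all"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["mfa"]
    }
  }
]
```

Scope `includeApplications` and `includeUsers` more narrowly than shown, and check the report-only results before switching `state` to `enabled`.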

DHowett (Member) commented Nov 20, 2020

Thanks. This is, as you astutely note, due to us using device login. We will almost certainly have to rearchitect how login works, but we're not equipped to do so.

I'm going to put this up on the backlog. Let me know if your conditional access policy change helps 😄

@DHowett DHowett added this to the Terminal Backlog milestone Nov 20, 2020
@DHowett DHowett added Area-AzureShell Workitems pertaining to the Azure Cloud Shell connection. Help Wanted We encourage anyone to jump in on these. Issue-Bug It either shouldn't be doing this or needs an investigation. Priority-3 A description (P3) Product-Terminal The new Windows Terminal. and removed Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting labels Nov 20, 2020
@ghost ghost removed the Needs-Tag-Fix Doesn't match tag requirements label Nov 20, 2020
Don-Vito (Contributor) commented:

@DHowett - it's more a feature than a bug. IMHO the device login flow is a good choice for the terminal, as it is simple and interactive, though it has some limitations with specific Conditional Access requirements. I guess we simply need to add some additional way to authenticate for users whose needs device login doesn't fit (service principal?)

lly-unik (Author) commented:

I was able to test this the other day and managed to get a successful verification using Azure Terminal with our tenant.

My IT-department couldn't tell me if they had changed anything. It appeared to just work out of the blue?! (which of course isn't true - something must have changed)

But I don't know whether a Conditional Access rule was changed by IT or if something else changed.
Sorry I can't be of better help :-(

Don-Vito (Contributor) commented:

At least it works - which is great already!

@DHowett DHowett changed the title Error when connecting Azure Cloud Shell to tenant with domain joined device under conditional access policies Azure Cloud Shell: Add support for Device Conditional Access Jan 26, 2021
@DHowett DHowett added Issue-Task It's a feature request, but it doesn't really need a major design. and removed Issue-Bug It either shouldn't be doing this or needs an investigation. labels Jan 26, 2021
@zadjii-msft zadjii-msft modified the milestones: Terminal Backlog, Backlog Jan 4, 2022