[Reference feedback]: az login in firewalled environment, FQDNs required #30723
Status: Open
Labels: Account (az login/account), Auto-Assign (auto assigned by bot), Azure CLI Team (the command of the issue is owned by the Azure CLI team), act-identity-squad, customer-reported (issues that are reported by GitHub users external to the Azure organization), needs-triage (a new issue that needs to be triaged to the appropriate team), question (the issue doesn't require a change to the product in order to be resolved; most issues start as that)
Type of issue
Other (describe below)
Reference command name
az login
Feedback
Use case
Creation of an Azure environment that handles sensitive data and minimises routes for data exfiltration.
Azure Firewall is deployed and blocks most outbound traffic.
The environment provides Azure SQL and Storage accounts with Entra authentication only - therefore the ability for users to authenticate to Entra is required, which I'm testing using az login.
Getting az login working
In order to get az login working so that users can authenticate to Entra, I've added the following service tag to the firewall allow list:
- AzureActiveDirectory service tag
However az login works part of the way and fails as it tries to retrieve tenant and subscription information:
I've found that adding the FQDN management.azure.com to the firewall unblocks this last step.
I've tried the same within Azure Data Studio using the 'Microsoft Entra ID - Universal with MFA Support' authentication method and that also fails without management.azure.com on the allow list.
However this is the whole management plane API of Azure (not just to authenticate), and I'd rather not allow access to this if it's not needed.
Question
Is there a way to authenticate to Entra WITHOUT having to add management.azure.com to the firewall allow list?
Thanks
Page URL
No response
Content source URL
No response
Author
jonnyry
Document Id
No response
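The post observes two outbound dependencies for az login: the Entra token exchange (unblocked by the AzureActiveDirectory service tag) and a later call to management.azure.com to enumerate tenants and subscriptions. The script below is an added example, not Azure CLI code and not from the issue author: run from a host inside the firewalled network, it probes each endpoint in the order az login contacts them and names the allow-list entry that is missing for the first one that cannot be reached. It assumes the token exchange goes to login.microsoftonline.com and the tenant/subscription lookup to management.azure.com, both on port 443; the step-to-FQDN mapping is taken from the behaviour described in the post, not from the CLI source.

```python
"""Added example (not Azure CLI code): probe, from inside the firewalled
network, the endpoints az login contacts in the order the post describes, and
name the allow-list entry missing for the first one that cannot be reached.

Assumptions: the Entra token exchange goes to login.microsoftonline.com (covered
by the AzureActiveDirectory service tag) and the tenant/subscription lookup to
management.azure.com, as observed in the post. Port 443 throughout.
"""
import socket
import ssl
from typing import Callable, List, Optional, Tuple

# (step name, FQDN contacted, firewall allow-list entry that unblocks it)
LOGIN_STEPS: List[Tuple[str, str, str]] = [
    ("Entra token exchange", "login.microsoftonline.com",
     "AzureActiveDirectory service tag (network rule)"),
    ("tenant/subscription lookup (ARM)", "management.azure.com",
     "application rule for FQDN management.azure.com"),
]

# A connector returns True when a TLS session to host:port can be established.
Connector = Callable[[str, int], bool]


def tls_connect(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Real connector: TCP connect followed by a TLS handshake with SNI set,
    which is what an Azure Firewall application rule matches on."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def probe_login_path(connect: Connector = tls_connect) -> List[Tuple[str, str, bool]]:
    """Probe every step (not only the first failure) so the report shows the
    complete allow-list state; returns (step, fqdn, reachable) per step."""
    return [(step, fqdn, connect(fqdn, 443)) for step, fqdn, _ in LOGIN_STEPS]


def first_blocked(report: List[Tuple[str, str, bool]]) -> Optional[str]:
    """az login stops at the first endpoint it cannot reach; return the
    allow-list entry for that step, or None when the whole path is open."""
    for (step, fqdn, reachable), (_, _, entry) in zip(report, LOGIN_STEPS):
        if not reachable:
            return f"{step}: {fqdn} unreachable; missing {entry}"
    return None


if __name__ == "__main__":
    rep = probe_login_path()
    for step, fqdn, ok in rep:
        print(f"{'ok     ' if ok else 'BLOCKED'}  {fqdn:28s} {step}")
    print(first_blocked(rep) or "all endpoints reachable; az login should complete")
```

The connector is injectable so the decision logic can be exercised without network access; in the situation the post describes (service tag allowed, management.azure.com not yet on the allow list) the report shows the first step reachable and the second blocked, matching the point at which az login fails.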