I'm using a PowerShell script that employs app-only authentication to log into Graph with a certificate method, which is working smoothly for generating reports. However, I'm aware that anyone with access to the certificate and tenant/client ID could run the script, so I'm looking to tighten security further by restricting access to only 1-2 specific user accounts. I've set up user sign-in and assignments for these accounts in the Enterprise Apps section, hoping for a popup authentication prompt when executing the script. But surprisingly, the script runs without any user authentication. I'm unsure if I've configured something wrong in Azure, or if what I'm trying to achieve isn't possible. I know about delegated authentication but can't use that due to permission limitations. Any suggestions on how to lock this down further?
1 Answer
Are you planning to run your script on demand via those users or automate it? If you want automation, one approach that has worked well for us is storing the app registration certificate in the user certificate store of a service account and scheduling the script as a task to run under that account on a secure server. This keeps your credentials out of sight and adds a layer of security.
For now, I'll be running it on demand as the users, but eventually, we want to automate it as a runbook in Azure.
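The answer above describes the approach in prose only; what follows is an added PowerShell example (not code from the question or the answer) that puts it into practice. All tenant/client IDs, the certificate subject `CN=GraphReportApp`, the account `CORP\svc-graphreport` and the path `C:\Scripts\Report.ps1` are assumed placeholders. One point worth stating plainly for the original question: user assignment on the Enterprise App only gates delegated (user) sign-ins; a client-credentials token obtained with the certificate never involves a user, so that setting cannot produce a prompt. The control that actually limits who can run the script is where the private key lives, which is what this example enforces.

```powershell
# Added example (not from the question or answer above). All IDs, names and
# paths are assumed placeholders; replace them with your own values.
#Requires -Modules Microsoft.Graph.Authentication, PKI, ScheduledTasks

# ---- Part 1: one-time setup. Run this in a session logged on AS the service
# account (for example: runas /user:CORP\svc-graphreport pwsh), because
# Cert:\CurrentUser\My is per-user; no other account can read this key.
function Install-GraphReportCert {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    # No -Exportable switch: the private key is imported non-exportable, so
    # Export-PfxCertificate fails even for someone who later gets a shell as this account.
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Password $PfxPassword
    Remove-Item -Path $PfxPath -Force   # the PFX file must not stay on disk
    return $cert.Thumbprint
}

# ---- Part 2: connection prologue for the report script (Report.ps1).
function Connect-GraphAsReportApp {
    param(
        [string] $TenantId        = '00000000-0000-0000-0000-000000000000',  # assumed
        [string] $ClientId        = '11111111-1111-1111-1111-111111111111',  # assumed
        [string] $ExpectedAccount = 'CORP\svc-graphreport',                  # assumed
        [string] $CertSubject     = 'CN=GraphReportApp'                      # assumed
    )
    # Guard 1: refuse to run under any other identity. A copied script without
    # the key is useless anyway, but failing fast makes misuse visible in logs.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($me -ne $ExpectedAccount) {
        throw "Refusing to run as '$me'; expected '$ExpectedAccount'."
    }
    # Guard 2: the certificate must come from THIS user's store, never from a file path.
    $cert = Get-ChildItem 'Cert:\CurrentUser\My' |
        Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw "No valid '$CertSubject' certificate with a private key in Cert:\CurrentUser\My."
    }

    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
        -CertificateThumbprint $cert.Thumbprint -NoWelcome

    # Guard 3: confirm we really got an app-only context for the intended app registration.
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly' -or $ctx.ClientId -ne $ClientId) {
        Disconnect-MgGraph | Out-Null
        throw "Unexpected Graph context: $($ctx.AuthType) / $($ctx.ClientId)"
    }
    return $ctx
}

# ---- Part 3: schedule the script under the service account (run once by an
# admin on the report server).
function Register-GraphReportTask {
    param(
        [string] $ScriptPath = 'C:\Scripts\Report.ps1',    # assumed
        [string] $Account    = 'CORP\svc-graphreport',     # assumed
        [Parameter(Mandatory)] [securestring] $AccountPassword
    )
    $action   = New-ScheduledTaskAction -Execute 'pwsh.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""
    $trigger  = New-ScheduledTaskTrigger -Daily -At '06:00'
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
        -DontStopOnIdleEnd -StartWhenAvailable
    # Registering with -User/-Password stores the credential in Task Scheduler, so the
    # task runs with a full user profile and therefore sees Cert:\CurrentUser\My.
    # -RunLevel Limited: the report needs no admin token on the box.
    $plain = [System.Net.NetworkCredential]::new('', $AccountPassword).Password
    Register-ScheduledTask -TaskName 'Graph-Report' -Action $action -Trigger $trigger `
        -Settings $settings -User $Account -Password $plain -RunLevel Limited | Out-Null
}
```

The same mechanism covers the on-demand case from the question: import the certificate (non-exportable) only into the `CurrentUser\My` store of the one or two accounts that should be able to run the script, and nobody else holds a credential the script can use. Two caveats a practitioner should keep in mind: a local administrator on the machine can still act as those users, so the "secure server" part of the answer matters; and the later Azure runbook will not use a Windows certificate store at all, so that path should keep the certificate in the Automation account's (or a Key Vault-backed) certificate asset rather than copying the PFX into the runbook.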