
[Reference feedback]: az login in firewalled environment, FQDNs required #30723

Open
jonnyry opened this issue Jan 27, 2025 · 1 comment

Comments

@jonnyry

jonnyry commented Jan 27, 2025

Type of issue

Other (describe below)

Reference command name

az login

Feedback

Use case

Creation of an Azure environment that handles sensitive data and minimises routes for data exfiltration.

Azure Firewall is deployed and blocks most outbound traffic.

The environment provides Azure SQL and Storage accounts with Entra authentication only - therefore the ability for users to authenticate to Entra is required, which I'm testing using az login.

Getting az login working

In order to get az login working so that users can authenticate to Entra, I've added the following service tag to the firewall allow list:

  • AzureActiveDirectory service tag

However az login works part of the way and fails as it tries to retrieve tenant and subscription information:

[Image: screenshot of the az login failure while retrieving tenant and subscription information]

I've found that adding the FQDN management.azure.com to the firewall unblocks this last step.

I've tried the same within Azure Data Studio using the 'Microsoft Entra ID - Universal with MFA Support' authentication method and that also fails without management.azure.com on the allow list.

However this is the whole management plane API of Azure (not just to authenticate), and I'd rather not allow access to this if it's not needed.

Question

Is there a way to authenticate to Entra WITHOUT having to add management.azure.com to the firewall allow list?

Thanks

Page URL

No response

Content source URL

No response

Author

jonnyry

Document Id

No response
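The allow-list the issue describes (the AzureActiveDirectory service tag plus the single FQDN management.azure.com), expressed as Azure Firewall policy rules. This is an added example, not code from the issue author or from the Azure CLI project, and it does not answer the question of whether the management.azure.com rule can be avoided. The resource group, policy, rule collection group, client subnet and priorities are assumptions; the `probe` helper is an added diagnostic for reproducing the "works until the tenant/subscription call" behaviour from a host behind the firewall.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or the Azure CLI project).
# Two Azure Firewall policy rules matching the issue's allow-list:
#   1. a network rule permitting the AzureActiveDirectory service tag on TCP/443
#   2. an application rule permitting the FQDN management.azure.com over HTTPS
# All resource names, the source CIDR and the priorities are assumptions.
set -eu

RG="${RG:-rg-sensitive}"               # assumed resource group
POLICY="${POLICY:-fwpol-sensitive}"    # assumed firewall policy
RCG="${RCG:-rcg-egress}"               # assumed rule collection group
SRC="${SRC:-10.10.0.0/24}"             # assumed subnet of the clients running az login
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the az commands, 0 = execute them

# run_az: prints the command in dry-run mode so the rules can be reviewed
# before anything touches the firewall; otherwise runs the Azure CLI.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' az "$@"
    printf '\n'
  else
    az "$@"
  fi
}

# Network rule: Entra ID endpoints, addressed through the service tag.
entra_network_rule() {
  run_az network firewall policy rule-collection-group collection add-filter-collection \
    --resource-group "$RG" --policy-name "$POLICY" --rule-collection-group-name "$RCG" \
    --name allow-entra --collection-priority 100 --action Allow \
    --rule-name entra-id --rule-type NetworkRule \
    --ip-protocols TCP --destination-ports 443 \
    --source-addresses "$SRC" --destination-addresses AzureActiveDirectory
}

# Application rule: only the FQDN az login needs for the tenant/subscription
# lookup, rather than any broader ARM or Azure service tag.
arm_application_rule() {
  run_az network firewall policy rule-collection-group collection add-filter-collection \
    --resource-group "$RG" --policy-name "$POLICY" --rule-collection-group-name "$RCG" \
    --name allow-arm --collection-priority 110 --action Allow \
    --rule-name arm-fqdn --rule-type ApplicationRule \
    --protocols Https=443 \
    --source-addresses "$SRC" --target-fqdns management.azure.com
}

# probe HOST: from a VM behind the firewall, returns 0 if an HTTPS connection
# to HOST is permitted and non-zero if it is blocked or times out. Run it
# before and after adding the ARM rule to confirm which step az login fails on.
probe() {
  curl -sS -o /dev/null --connect-timeout 5 "https://$1/" >/dev/null 2>&1
}
```

With `DRY_RUN=1` (the default) the two functions only print the `az` invocations; set `DRY_RUN=0` to apply them. `probe management.azure.com` from a client in `$SRC` reproduces the failure the screenshot shows when that FQDN is absent from the allow list.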

@yonzhan
Collaborator

yonzhan commented Jan 27, 2025

Thank you for opening this issue, we will look into it.

@yonzhan yonzhan added this to the Backlog milestone Jan 28, 2025