Some environments require trusted device to access API’s on mobile and desktop clients (which AZ CLI is categorized as) – In such situations you can try to work around restrictions, (when browser clients can access Azure management via browser session)
Tool repo here https://github.com/jsa2/EAST
Operation principle of the tool
Used for Azure Security scanning by https://github.com/jsa2/EAST#extensible-azure-security-tool
https://portal.azure.com/api/DelegationToken to replace the tokens in
msal_token_cache.json Azure CLI for Azure security scans in restricted environments.
|CA Policy||Requires trusted device||MFA|
|mobile apps and desktop clients||✅||–|
⚠️ This tool is only meant for Security research and pre agreed scanning of Azure environments, where otherwise heavy restrictions prohibit Azure CLI use in mobile apps and desktop clients.
- This tool does not work, if there is no browser use available without trusted device.
⚠️ This is not a hack, it bypassess Conditional Access Device requirements only when API’s has intentional, or non-intentional gaps which allow accessing Azure management Portal via MFA.
User not being able to Azure-CLI sign-in due to compliant device needed
Policy that requires Compliant Device for mobile apps and desktop clients
Sign-in event example for trusted device
- Azure Cloud Shell Bash (or WSL/Linux bash)
- Azure CLI installed
- MSAL cache needs to be located at
az account clearto ensure no previous sessions exist
- Do not run
Az Loginunless you need to confirm, that Conditional Access is blocking your particular use case
touch sh/portalAuth.json touch sh/delegationgGuids.json
- Filter for ”DelegationToken” in developer mode in URL’s
- Copy object for ”Request Payload”
- Paste object into this workspace as ”sh/portalAuth.json”
- Paste session guids into this workspace as ”sh/delegationgGuids.json”
- In Azure CLI run
az resource listto verify that the access works
0 comments on “Highly experimental – Bypassing trusted Device requirements for Azure CLI in restricted environments where API’s are only available for browser sessions”