Microsoft Entra Conditional Access

Microsoft Entra Conditional Access supports policies that apply directly to Kubernetes cluster access. In your policy you can apply any of the standard conditions and access controls, and scope them to apply specifically for your cluster's Azure Kubernetes Service Entra ID Server cloud app.

For example, you could require that all access to the API Server is performed exclusively from devices marked as compliant, only from select or trusted locations, only from select OSes, and so on. Conditional Access will then typically be evaluated when connecting to your cluster from your jump box, ensuring that both the jump box itself and the user performing the action have met the core conditional criteria before any API Server interaction is permitted.

Work with your Conditional Access administrator to apply a policy that helps you achieve your access governance requirements. In addition to the portal, you can also perform the assignment via the AzureAD Windows PowerShell module.

Remember to test all conditional access policies using a safe and controlled rollout procedure before applying to all users. Paired with Microsoft Entra JIT access, this provides a very robust access control solution for your private cluster.

📓 For more information, see Azure Architecture Center guidance for PCI-DSS 3.2.1 Requirement 8.2 in AKS.

Applying via Windows PowerShell

For many administrators, PowerShell is already an understood scripting tool. The following example shows how to use the Azure AD PowerShell module to apply a Conditional Access policy.

Note: Azure AD PowerShell is planned for deprecation on March 30, 2024, including the instructions below. For more details on the deprecation plans, see the deprecation update. We encourage you to continue migrating to Microsoft Graph PowerShell, which is the recommended module for interacting with Microsoft Entra ID.

Install-Module -Name AzureAD -Force -Scope CurrentUser

# Must see AzureAD listed at a version >= 2.0.2.106
Get-InstalledModule -Name AzureAD

Connect-AzureAD -TenantId <your-tenant-guid>

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "<your-cluster's-server-app-guid>"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All" # Or do per-group policies based on risk profile of those groups.
# Additional $conditions as desired

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
# Configure $controls as desired. An operator and at least one control are required, for example:
$controls._Operator = "AND"
$controls.BuiltInControls = @("mfa", "compliantDevice")

# Valid values for -State are "enabled", "disabled" and "enabledForReportingButNotEnforced" (report-only).
# Use report-only for the controlled rollout described above, then switch to "enabled".
New-AzureADMSConditionalAccessPolicy -DisplayName "AKS API Server <server name> Access Policy" -State "enabled" -Conditions $conditions -GrantControls $controls

For more examples, see Configure Conditional Access policies using Azure AD PowerShell.
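Because the Azure AD module is being deprecated in favour of Microsoft Graph PowerShell, the following is an added example (not part of this repository's own instructions) of creating the same API Server policy with the Microsoft.Graph module. It assumes the same placeholder tenant and server app GUIDs as above, starts the policy in report-only mode so its effect can be reviewed in sign-in logs, and then enforces it.

```powershell
# Added example: equivalent policy via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph SDK: Install-Module Microsoft.Graph -Scope CurrentUser
# Replace the <...> placeholders with values from your own tenant and cluster.
Connect-MgGraph -TenantId "<your-tenant-guid>" `
    -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: the cluster's Azure Kubernetes Service Entra ID Server cloud app.
$serverAppId = "<your-cluster's-server-app-guid>"

# The body follows the Microsoft Graph conditionalAccessPolicy resource schema.
$policy = @{
    displayName = "AKS API Server <server name> Access Policy"
    # Report-only first: evaluate the impact in sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @($serverAppId) }
        users          = @{ includeUsers = @("All") }   # or scope to the groups granted cluster access
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: the user must satisfy MFA and be on a device marked as compliant.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After the controlled rollout shows the expected outcome, enforce the policy.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```

Report-only results appear in the sign-in logs under the policy's name, which is where to confirm that jump box sessions are evaluated as expected before the policy is enforced.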

Alternatives to Windows PowerShell

Microsoft Entra Conditional Access policies can be managed in the following ways if Windows PowerShell is not aligned with your preferred toolset.

Next Steps