Description
Type of issue
Other (describe below)
Reference command name
az login
Feedback
Use case
Creation of an Azure environment that handles sensitive data and minimises routes for data exfiltration.
Azure Firewall is deployed and blocks most outbound traffic.
The environment provides Azure SQL and Storage accounts with Entra authentication only - therefore the ability for users to authenticate to Entra is required, which I'm testing using az login.
Getting az login working
In order to get az login working so that users can authenticate to Entra, I've added the following service tag to the firewall allow list:
AzureActiveDirectory service tag
However az login works part of the way and fails as it tries to retrieve tenant and subscription information.
I've found that adding the FQDN management.azure.com to the firewall unblocks this last step.
I've tried the same within Azure Data Studio using the 'Microsoft Entra ID - Universal with MFA Support' authentication method and that also fails without management.azure.com on the allow list.
However this is the whole management plane API of Azure (not just to authenticate), and I'd rather not allow access to this if it's not needed.
Question
Is there a way to authenticate to Entra WITHOUT having to add management.azure.com to the firewall allow list?
Thanks
Page URL
No response
Content source URL
No response
Author
jonnyry
Document Id
No response
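The reporter found the missing endpoint (management.azure.com) by trial and error. A less disruptive way to find out exactly which FQDNs a client such as az login or Azure Data Studio needs is to read the firewall's own application-rule denies for that client's source IP. The following is an added example, not code from the issue author or from the azure-cli project: it parses lines in the shape of the Azure Firewall application-rule log message field (the "HTTPS request from ... to ...:443. Action: Deny. No rule matched..." text). The log lines themselves are constructed for this example, and the exact message format is an assumption that should be checked against your own firewall's diagnostic logs.

```python
import re
from collections import Counter

# Constructed sample lines shaped like Azure Firewall application-rule log
# messages. They are made up for this example and are not from the reporter's
# environment. 10.1.0.4 stands in for the host running az login.
SAMPLE_LOG_LINES = [
    "HTTPS request from 10.1.0.4:51044 to login.microsoftonline.com:443. "
    "Action: Allow. Rule Collection: allow-entra. Rule: entra-fqdns",
    "HTTPS request from 10.1.0.4:51050 to aadcdn.msftauth.net:443. "
    "Action: Allow. Rule Collection: allow-entra. Rule: entra-fqdns",
    "HTTPS request from 10.1.0.4:51061 to management.azure.com:443. "
    "Action: Deny. No rule matched. Proceeding with default action",
    "HTTPS request from 10.1.0.4:51062 to management.azure.com:443. "
    "Action: Deny. No rule matched. Proceeding with default action",
    "HTTPS request from 10.1.0.9:49988 to graph.microsoft.com:443. "
    "Action: Deny. No rule matched. Proceeding with default action",
    "HTTP request from 10.1.0.4:51070 to example.invalid:80. "
    "Action: Deny. No rule matched. Proceeding with default action",
]

# Assumed message layout: "<proto> request from <src>:<sport> to <fqdn>:<dport>.
# Action: <Allow|Deny>. ..." The trailing text differs between allows and
# denies, so only the leading part is matched.
LOG_RE = re.compile(
    r"^(?P<proto>HTTPS?) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<fqdn>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)\."
)


def parse_line(line):
    """Return the parsed fields of one log message, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def denied_destinations(lines, source_ip=None):
    """Count denied fqdn:port pairs, optionally restricted to one source IP.

    Running this over the log window in which a login attempt failed yields
    the candidate FQDNs that would have to be allowed for that client, which
    is narrower than opening a whole service tag or IP range.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if source_ip is not None and rec["src"] != source_ip:
            continue
        counts[f"{rec['fqdn']}:{rec['dport']}"] += 1
    return counts


def allowed_destinations(lines, source_ip=None):
    """Count allowed fqdn:port pairs for comparison with the current allow list."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Allow":
            continue
        if source_ip is not None and rec["src"] != source_ip:
            continue
        counts[f"{rec['fqdn']}:{rec['dport']}"] += 1
    return counts


if __name__ == "__main__":
    client = "10.1.0.4"
    print("Allowed for", client, dict(allowed_destinations(SAMPLE_LOG_LINES, client)))
    print("Denied for", client, dict(denied_destinations(SAMPLE_LOG_LINES, client)))
```

Filtering by the login host's source IP matters: other workloads behind the same firewall (here 10.1.0.9 reaching graph.microsoft.com) produce denies that have nothing to do with the authentication flow, and adding them would widen the allow list for no reason. Whether a denied endpoint is actually required for sign-in, as opposed to a post-login convenience call such as subscription enumeration, is still a judgement the administrator has to make per client.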
