Blocking `ux.console.azure.com` seems to work fine for Cloud Shell in a browser, but Cloud Shell via Windows Terminal (v1.11.2921.0) still works.

Blocking CloudShell using network controls isn’t really a good solution, although understandably people are doing this because it seems like the only option. There should be an easier way to enable this for privileged users, and disable for everyone else.

Controlling access to storage isn’t a good option either. We need developers to be able to work with storage for their applications.

Deploying it into a virtual network also isn’t ideal. That will need to either be centrally managed, or loads of controls put in because it involves enabling ACI. Containers may or may not be an ‘approved’ technology with some customers.

It’s a security / DLP risk. Ideally it should be controlled via RBAC or at the tenant level (e.g. enable/disable Cloud Shell in Azure AD). Can we please have some proper controls for this?

I agree with @timwebster9, there should be an admin setting to allow cloudshell governance: allow/deny based on RBAC or resource provider, and ability to provision cloudshell in a compliant way (i.e. integrated in VNet). Azure policy should also be able to monitor that or at least Security team should be able to get a report or build one using APIs.