Understanding Workload Identities
What Are Workload Identities?
A workload identity is an identity assigned to a software workload to facilitate authentication and access to services. Unlike traditional user identities, workload identities operate without direct human intervention and are essential for seamless integration between applications and cloud resources. In Microsoft Entra, workload identities are categorized into three primary types:
Image Source: Microsoft
1. Applications: Abstract representations (application objects) defining how an application interacts with resources and identity providers.
2. Service Principals: Tenant-specific instances of an application object, determining permissions and access for an app within a particular environment.
3. Managed Identities: Special service principals that eliminate the need for developers to manage credentials manually, improving security and automation.
You can refer to my previous blog post for more detailed insights on Microsoft Entra ID Applications and Service Principals:
🔗 Microsoft Entra ID Application Management and Restoration
This article covers essential concepts related to Entra ID Applications, their roles, how they interact with Service Principals, and best practices for management and recovery.
Microsoft Entra Workload ID Editions
Microsoft Entra Workload ID is available in two editions: Free and Microsoft Entra Workload ID Premium. The free edition of workload identities is included with a subscription of a commercial online service such as Azure and Power Platform.
Azure and Microsoft 365 customers can purchase Workload ID Premium online or through a Microsoft partner. Workload ID Premium is a standalone product and isn't included in other premium product plans. All customers require a license to use Workload ID Premium features.
Workload ID Premium is a standalone SKU, costing $3 per workload identity per month.
Capabilities | Description | Free | Premium |
---|---|---|---|
Authentication and Authorization | | | |
Create, read, update, and delete workload identities | Create and update identities to secure service-to-service access | Yes | Yes |
Access resources by authenticating workload identities and tokens | Use Microsoft Entra ID to protect resource access | Yes | Yes |
Workload identities sign-in activity and audit trail | Monitor and track workload identity behavior | Yes | Yes |
Managed identities | Use Microsoft Entra identities in Azure without handling credentials | Yes | Yes |
Workload identity federation | To access Microsoft Entra protected resources, use workloads tested by external identity providers (IdPs) | Yes | Yes |
Microsoft Entra Conditional Access | | | |
Conditional Access policies for workload identities | Define the condition for a workload to access a resource, such as an IP range | | Yes |
Lifecycle Management | | | |
Access reviews for service provider-assigned privileged roles | Closely monitor workload identities with impactful permissions | | Yes |
Application authentication methods API | IT admins can enforce best practices for how apps use application authentication methods | | Yes |
App Health Recommendations | Identify unused or inactive workload identities and their risk levels. Get remediation guidelines. | | Yes |
Microsoft Entra ID Protection | | | |
ID Protection for workload identities | Detect and remediate compromised workload identities | | Yes |
Important Notes:
Key Use Cases for Workload Identities
Microsoft Entra Workload Identities empower organizations to streamline access control for various applications and services. Common scenarios include:
Securing API Access: Web applications using Microsoft Graph API can authenticate via workload identities with admin or user consent.
Infrastructure Automation: Developers can provision Azure resources (e.g., Azure Key Vault, Azure Storage) without embedding credentials.
CI/CD Pipelines: Service principals facilitate secure deployments from GitHub to Azure App Services.
The Rise of Machine Identities
Image Source: Microsoft
As organizations embrace automation and cloud computing, non-human identities are becoming increasingly prevalent. Workload identities, along with device identities, fall under the umbrella of machine identities. Unlike human users who have single identities for multiple resources, machine identities may require multiple credentials, making lifecycle management and security more complex.
Challenges of Workload Identity Management
Lack of MFA Support: Workload identities cannot perform multifactor authentication (MFA).
Credential Storage Risks: Applications require a secure mechanism to store secrets and credentials.
Lifecycle Complexity: Tracking workload identity creation and revocation remains a challenge.
Refer to my previous blog on managing application authentication methods to handle the lifecycle of application credentials:
🔗 Managing Application Authentication Methods in Microsoft Entra ID
Increased Attack Surface: Recent cyberattacks highlight that adversaries increasingly target non-human identities over traditional user accounts.
To address these challenges, Microsoft Entra Workload ID introduces advanced protection mechanisms for securing workload identities.
Enhancing Security with Entra Workload Identity Protection
Microsoft Entra ID provides risk-based protection to detect, investigate, and remediate compromised workload identities. Organizations can leverage:
1. Risk-Based Conditional Access Policies
Apply Conditional Access policies to service principals, allowing organizations to:
- Enforce access restrictions based on location, risk, and behavioral anomalies.
- Block suspicious workload identity sign-ins detected via Entra ID Protection.
- Continuously monitor workload identity activities using Continuous Access Evaluation (CAE).
Note: ID Protection detects risk for single-tenant, third-party SaaS, and multi-tenant apps. Managed identities are currently not in scope.
2. Intelligent Risk Detection for Workload Identities
Microsoft Entra ID Protection provides insights into suspicious activities, including:
Detection Name | Type | Description |
---|---|---|
Threat Intelligence | Offline | Identifies activity patterns based on global threat intelligence. |
Suspicious Sign-ins | Offline | Detects unusual sign-in behaviors based on baseline analysis. (The detection learns the baseline sign-in behavior for workload identities in your tenant. Building the baseline takes between 2 and 60 days, and the detection fires if one or more of the following unfamiliar properties appear during a later sign-in: IP address / ASN, target resource, user agent, hosting/non-hosting IP change, IP country, credential type.) |
Leaked Credentials | Offline | Flags identities with leaked credentials from public repositories and breach databases. |
Malicious Application | Offline | Identifies applications violating Microsoft’s service terms. |
Anomalous Service Principal Activity | Offline | Flags suspicious admin activities linked to service principals. |
Suspicious API Traffic | Offline | Detects unauthorized Graph API traffic indicating potential reconnaissance. |
3. Lifecycle Management for Workload Identities
Organizations can streamline the management of workload identities using:
- Managed Identities: Automate secure authentication for Azure resources.
- Workload Identity Federation: Enable seamless access to Entra-protected resources across Kubernetes, GitHub Actions, and third-party compute environments.
- Access Reviews for Service Principals: Conduct periodic audits to review privileged service principal assignments in Microsoft Entra ID.
Refer to my previous blog on managing Access Reviews:
Implementing Conditional Access for Workload Identities
Scenario 1: Configure a Location-Based Conditional Access Policy to Allow Workload Identity Access.
Apply Conditional Access when you know where your Workload Identity is accessed from, such as your corporate office, a SaaS provider's IP authenticating to Entra ID, or a cloud VM.
My goal is to restrict Service Principals from signing in except from Trusted Named Locations. To achieve this, we first need to create a Named Location. Navigate to the Conditional Access menu, select Named Locations, and then choose + IP Ranges Location from the top menu.
Add the Trusted IP—in this case, I am adding my Azure VM IP address, which will be used to test access.
Now navigate to Conditional Access > Policies. Click New Policy and provide a meaningful name. Under Assignments, choose Workload Identities and select the specific Service Principals for the policy. Note: Conditional Access policies for workload identities apply only to Service Principals and therefore cannot affect users or groups.
In Target Resources, apply to All cloud apps.
Note: Ensure you use the correct Object ID from Microsoft Entra Enterprise Applications to apply the policy to service principals.
Note: Individual cloud apps cannot be selected due to 'Workload identities' selection in policy assignment
Under Network, select Any Network or Location, and under Exclude, choose the Trusted Location added earlier.
Set the Grant option to Block access. Save the policy in Report-only mode for testing, or enforce it immediately.
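The same Scenario 1 configuration can be created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, the caller has the Policy.ReadWrite.ConditionalAccess permission, and the IP range and service principal Object ID below are placeholders you replace with your own.

```powershell
# Added example: trusted named location + report-only block policy for one service principal.
# Assumes Microsoft.Graph is installed and the caller can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$trustedIpRange = '203.0.113.10/32'                        # placeholder: public IP of the Azure VM used for testing
$spObjectId     = '00000000-0000-0000-0000-000000000000'   # placeholder: Enterprise Application *Object ID* (not App ID)

# 1. Named location (Conditional Access > Named locations > + IP ranges location)
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Trusted - Workload Identity VM'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $trustedIpRange }
    )
}

# 2. Policy: the selected service principal, all cloud apps, any location except the trusted one, Block.
#    'enabledForReportingButNotEnforced' is Report-only; change to 'enabled' once the sign-in logs look right.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'WI - Block service principal sign-in outside trusted location'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientApplications = @{ includeServicePrincipals = @($spObjectId) }
        applications       = @{ includeApplications = @('All') }   # individual apps cannot be chosen for workload identities
        locations          = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$policy | Select-Object Id, DisplayName, State
```

A freshly created named location can take a short while to become referenceable from a policy, so if the policy call fails on the location ID, retry after a minute.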
Workload Identity Sign-in Experience
When attempting to connect to Microsoft Graph using a Service Principal registered in the Entra ID tenant with certificate-based authentication from an unauthorized public IP, access is blocked. The same restriction applies when using client secret authentication.
Scenario 2: Configure a Risk-Based Conditional Access Policy to Block Workload Identity Access.
In this risk-based Conditional Access policy, the Grant option can only be set to Block Access, and Session control is not available.
Scenario 3: Implement Continuous Access Evaluation (CAE) with Conditional Access Policy to Enforce Token Revocation for Workload Identities.
CAE for workload identities strengthens security by enabling real-time enforcement of Conditional Access location and risk policies and instant token revocation.
Supported Revocation Events
- Service principal disabled
- Service principal deleted
- High-risk service principal detected by Microsoft Entra ID Protection
Sign-in Logs
Sign-in logs help assess how policies are enforced for service principals and evaluate their impact, especially when using report-only mode.
Steps to Review Sign-In Logs
1. Navigate to Identity > Monitoring & Health > Sign-in Logs > Service Principal Sign-ins.
2. Select a log entry and open the Conditional Access tab to view policy evaluation details.
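For a tenant-wide view of how the policy evaluated against one service principal, the same service principal sign-in logs can be pulled with the Graph PowerShell SDK and summarised per sign-in. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Beta.Reports module (service principal sign-ins are exposed in the beta endpoint) and AuditLog.Read.All permission, and the Object ID is a placeholder.

```powershell
# Added example: list the last 24 hours of sign-ins for one service principal and show which
# Conditional Access policies applied and with what result (report-only results included).
# Assumes Microsoft.Graph.Beta.Reports is installed and the caller has AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$spObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: Enterprise Application Object ID
$since      = (Get-Date).AddDays(-1).ToUniversalTime().ToString('o')

# signInEventTypes 'servicePrincipal' selects the Service Principal Sign-ins blade, not user sign-ins.
$filter  = "signInEventTypes/any(t: t eq 'servicePrincipal') " +
           "and servicePrincipalId eq '$spObjectId' and createdDateTime ge $since"
$signIns = Get-MgBetaAuditLogSignIn -Filter $filter -All

foreach ($s in $signIns) {
    # Drop policies that did not apply so only the relevant evaluations remain.
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -ne 'notApplied' }

    [pscustomobject]@{
        Time      = $s.CreatedDateTime
        IPAddress = $s.IPAddress
        Resource  = $s.ResourceDisplayName
        CAStatus  = $s.ConditionalAccessStatus          # success / failure / notApplied
        ErrorCode = $s.Status.ErrorCode                 # 53003 = blocked by Conditional Access
        Policies  = ($applied | ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
    }
}
```

While the policy is in Report-only mode, look for a Result of reportOnlyFailure on sign-ins from outside the trusted location; once enforced, those sign-ins show CAStatus failure and ErrorCode 53003.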
Conclusion
Securing workload identities is essential for maintaining a controlled and risk-aware environment. By leveraging Conditional Access, risk-based policies, CAE, and Entra ID Protection, organizations can enhance security while ensuring seamless access for applications. Implementing trusted locations, risk-aware authentication, and real-time enforcement helps mitigate threats and maintain a resilient security posture. Continuous monitoring and policy refinement are key to protecting workload identities and minimizing risks.
Stay secure, stay protected with Microsoft Entra Workload Identities!