
Core Infrastructure and Security Blog
2 MIN READ

Protecting Workload Identities Using Conditional Access Policy in Entra

Farooque, Microsoft
Feb 19, 2025

Hello everyone. Organizations around the world are implementing every possible measure to secure identities, making sure that no user account bypasses additional checks such as MFA or the risk evaluation performed during sign-in. Microsoft Entra ID provides robust controls to protect user identities. However, in my discussions with various organizations, I often find that many are unaware of the significant risk posed by unprotected workload identities.

Workload identities are the identities that applications and services use to authenticate to Microsoft Entra ID and access the resources they need, in Azure and in any other API protected by Entra. They include service principals, managed identities, and application registrations. The distinction matters: the application registration is the definition of the app, while the service principal is the object in your tenant that actually signs in and holds role assignments and API permissions, so it is the object that policies and access reviews have to target.

One key difference from user accounts is that workload identities cannot be challenged with MFA: they operate like service accounts with no interactive user to complete a second factor, so enforcing MFA would simply break the application. Additionally, application service principals often authenticate to Entra with client secrets, which leak easily when they end up in source repositories, pipeline logs, or configuration files; a leaked secret can be replayed by anyone, from anywhere. Furthermore, workload identities are frequently assigned high-privilege roles or high-impact application permissions, so a single compromised service principal can put the entire identity environment at risk.

So, how can we protect workload identities effectively? Microsoft offers Conditional Access policies specifically designed for workload identities. As of now the feature covers service principals of applications registered in your own tenant; managed identities and multi-tenant SaaS applications whose service principal is homed elsewhere are not in scope. To create a Conditional Access policy targeting workload identities, navigate to the Conditional Access policy section. You will notice, however, that workload identities are not available as an assignment option by default: activating this feature requires a Microsoft Entra Workload ID Premium license (previously named Workload Identities Premium).

By leveraging Conditional Access policies for workload identities, organizations can restrict where a service principal is allowed to sign in from (named locations built from trusted IP ranges) and block it when Identity Protection rates it as risky. The control model is deliberately simple: Block is the only grant control available for workload identities, so the usual pattern is "block everywhere except the known egress addresses" plus "block when service principal risk is medium or high". Implementing these policies mitigates the impact of a compromised service principal, for example a leaked client secret replayed from an attacker's IP, and strengthens the overall security posture of the identity infrastructure. As with user policies, start in report-only mode and review the service principal sign-in logs before enforcing, because a misconfigured block takes down the application rather than the attacker.

A trial of the Entra Workload ID Premium license is available: it can be evaluated for 90 days with 200 licenses.

Now, let's take a deeper dive into how workload identities are protected. Once the Workload ID Premium license is activated in an Entra tenant, it unlocks Conditional Access policy capabilities for workload identities. Key features offered include:

  • Location-based protection: allow a service principal to sign in only from selected named locations (trusted IP ranges) and block it everywhere else.
  • Risk-based protection: block a service principal whose risk level, as computed by Identity Protection, is medium or high.

With these new Conditional Access policies, conditions such as location and service principal risk can be used to decide whether a sign-in is allowed or blocked. For example, if a service principal attempts to authenticate from outside its named locations, or if Identity Protection has flagged it as risky, Conditional Access will enforce the action defined in the policy, which for workload identities is a block.
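
As an added example (not code from the original post), here is how the procedure above looks when done with the Microsoft Graph PowerShell SDK instead of the portal: a trusted named location for the workload's egress IPs, a location policy that blocks one service principal everywhere else, and a risk policy that blocks it when Identity Protection rates it medium or high. Both policies are created in report-only state so nothing breaks until the sign-in logs have been reviewed. The service principal object ID, the CIDR range and the display names are placeholders; the request shapes (clientApplications, servicePrincipalRiskLevels, a builtInControls value of block) are the Graph conditionalAccessPolicy fields used for workload identity policies.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph PowerShell SDK
# and the Workload ID Premium license in the tenant. Run with an account that can
# manage Conditional Access (delegated scopes below).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Object ID of the *service principal* (Enterprise application), not the app registration.
# Placeholder value; look it up with Get-MgServicePrincipal -Filter "displayName eq '...'".
$spObjectId = '00000000-0000-0000-0000-000000000000'

# 1. Trusted named location: the only addresses this workload should ever call from.
#    The CIDR is a placeholder (TEST-NET-3); use the real egress range of the hosts.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Workload egress - build agents'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. Location policy: include all locations, exclude the trusted one, grant = block.
#    Block is the only grant control available for workload identities.
#    State is report-only first; switch to 'enabled' after checking the sign-in logs.
$locationPolicy = @{
    displayName   = 'WI - Block build SP outside trusted egress'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # Use 'ServicePrincipalsInMyTenant' instead of an ID list to cover every SP you own.
        clientApplications = @{ includeServicePrincipals = @($spObjectId) }
        applications       = @{ includeApplications = @('All') }
        locations          = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $locationPolicy
Write-Host "Created $($created.DisplayName) ($($created.Id)) in state $($created.State)"

# 3. Risk policy: block the same service principal whenever Identity Protection
#    rates it medium or high. Independent of location, so a leaked secret used
#    from a trusted range is still caught once risk is raised.
$riskPolicy = @{
    displayName   = 'WI - Block risky service principals'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientApplications         = @{ includeServicePrincipals = @($spObjectId) }
        applications               = @{ includeApplications = @('All') }
        servicePrincipalRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
Write-Host "Created $($created.DisplayName) ($($created.Id)) in state $($created.State)"
```

Before flipping either policy to enabled, filter the service principal sign-in logs on the policy name: a report-only result of "Report-only: failure" against legitimate traffic means the named location is missing an egress address, and enforcing at that point would break the workload rather than protect it.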

Entra Identity Protection also reports risky workload identities. It provides threat detection and monitoring for workload identities, using machine learning and Microsoft threat intelligence to detect unusual activity such as sign-ins from anomalous IP addresses, leaked client credentials, or an unusual addition of credentials to an application. If a service principal is compromised, it appears under Risky workload identities in the Report section, where you can review the underlying risk detections and either confirm the compromise (which raises the risk to high and triggers any risk-based policy) or dismiss the risk.
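
A companion example, added here and not part of the original post, that reads the same Identity Protection data through the Microsoft Graph PowerShell SDK: the risky workload identities report, the detections behind each entry, and which Conditional Access policies actually cover service principals, so that a risky service principal with no enforced policy stands out. The cmdlets are the SDK's Identity.SignIns cmdlets for the riskyServicePrincipals and servicePrincipalRiskDetections endpoints; the filtering, output columns and the coverage logic at the end are my own choices.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) and Workload ID Premium for the risk data.
Connect-MgGraph -Scopes 'IdentityRiskyServicePrincipal.Read.All', 'IdentityRiskEvent.Read.All', 'Policy.Read.All'

# 1. Service principals Identity Protection still considers at risk
#    (ignore remediated / dismissed / confirmedSafe entries).
$risky = Get-MgRiskyServicePrincipal -All |
    Where-Object { $_.RiskState -in @('atRisk', 'confirmedCompromised') }

$risky |
    Select-Object DisplayName, AppId, RiskLevel, RiskState, RiskLastUpdatedDateTime |
    Format-Table -AutoSize

# 2. Why each one was flagged: the individual detections (leaked credentials, suspicious
#    sign-in, unusual credential addition, ...) with the source IP. Fetched once and
#    filtered client-side so no server-side $filter support is assumed.
$detections = Get-MgServicePrincipalRiskDetection -All
foreach ($sp in $risky) {
    Write-Host "Detections for $($sp.DisplayName) ($($sp.Id))"
    $detections |
        Where-Object { $_.ServicePrincipalId -eq $sp.Id } |
        Select-Object RiskEventType, RiskLevel, RiskState, DetectedDateTime, IPAddress,
            @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } |
        Format-Table -AutoSize
}

# 3. Coverage check: which Conditional Access policies target workload identities at all?
$wiPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.ClientApplications.IncludeServicePrincipals }

$wiPolicies |
    Select-Object DisplayName, State,
        @{ n = 'IncludeSPs'; e = { $_.Conditions.ClientApplications.IncludeServicePrincipals -join ',' } },
        @{ n = 'RiskLevels'; e = { $_.Conditions.ServicePrincipalRiskLevels -join ',' } },
        @{ n = 'Grant';      e = { $_.GrantControls.BuiltInControls -join ',' } } |
    Format-Table -AutoSize

# 4. Flag risky SPs that no *enforced* policy covers, either by object ID or through the
#    tenant-wide 'ServicePrincipalsInMyTenant' selector, minus explicit exclusions.
$enforced = $wiPolicies | Where-Object { $_.State -eq 'enabled' }
foreach ($sp in $risky) {
    $covered = $enforced | Where-Object {
        $inc = $_.Conditions.ClientApplications.IncludeServicePrincipals
        $exc = $_.Conditions.ClientApplications.ExcludeServicePrincipals
        ($inc -contains $sp.Id -or $inc -contains 'ServicePrincipalsInMyTenant') -and ($exc -notcontains $sp.Id)
    }
    if (-not $covered) {
        Write-Warning "No enforced workload-identity policy covers $($sp.DisplayName) ($($sp.Id))"
    }
}
```

The last loop is the practical takeaway: the report tells you a service principal is risky, but only a policy in the enabled state with a risk or location condition turns that signal into a block, and report-only policies do not count.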

I hope this provides clarity on why you should be concerned about how applications and service principals can pose a significant risk to the environment if they are not properly protected.

Version 1.0