Microsoft Defender for Identity has announced the public preview of a new service account discovery module that automatically identifies and classifies service accounts in Active Directory.
When people think about “identities” many default to the human variety – a user with a username and password. But by most estimates, human identities are outnumbered more than 10:1 by their non-human counterparts.
Non-human identities, which can encompass service accounts, cloud workload identities and even security “secrets”, are essential elements of the machine-to-machine communication that drives our digital world. Their critical nature also makes them prime targets for cyber-attacks.
Today I am excited to announce the public preview of a new Service Account discovery module within Microsoft Defender for Identity. These capabilities extend the identity threat detection and response capabilities we provide our customers by helping them quickly identify and protect the service accounts within their identity fabric.
What are Service Accounts?
Service accounts are specialized identities within Active Directory that are used to run applications, services, and automated tasks. They can be broadly classified into several types, including:
- gMSA (Group Managed Service Accounts): gMSAs provide a single identity solution for multiple services that require mutual authentication across multiple servers, as they allow Windows to handle password management, reducing administrative overhead.
- sMSA (Standalone Managed Service Accounts): Like gMSAs, but designed for individual services on a single server rather than for groups of servers.
- User Account: These standard user accounts are typically used for interactive logins but can also be configured to run services.
These accounts often require elevated privileges to perform their designated job, but because they cannot authenticate in the same way as human accounts, they typically do not benefit from the increased security of modern authentication methods such as MFA. Given their potentially elevated privileges and the inherent limitations of the access policies that govern them, careful management and monitoring are crucial to ensure they do not become a security vulnerability.
NEW: Service account discovery module
Now available as part of Defender for Identity, the service account discovery module helps organizations proactively monitor and secure service accounts within their identity fabric. The auto-discovery feature quickly identifies gMSA and sMSA accounts, as well as user accounts within Active Directory that meet specific criteria, and classifies them as service accounts. These accounts are then surfaced, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps the SOC better understand each account's purpose so they can more easily spot anomalous activity and understand its implications.
In addition to the inventory views, each account also has its own details page, which is enriched with other data from across the Defender experience. Details such as account creation date, last login, recent activities, privileges and criticality level provide valuable insights into the service accounts themselves. SOC professionals can also take direct action on these identities, such as disabling a user, directly within this view.
Within this page is a new Connections tab. Here security teams can explore the unique connections made by these accounts, see which machines were involved and their potential risk level, and identify abnormal interactions.
Customers can also take advantage of Defender for Identity's recent integrations with leading Privileged Access Management (PAM) vendors. Any service accounts managed by those PAM solutions will automatically have the “privileged” tag applied to them, and the SOC will be able to enforce password rotation right from within the experience.
As with all other Defender for Identity data, the service account tags are now exposed within the Identity Info (IdentityInfo) table in Advanced Hunting. With this, customers can now build custom detections and automations around their service accounts.
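The detection logic below is an added example and is not code from the blog post or from Defender for Identity. It shows, on constructed data, the kind of custom check that the inventory tags and the Connections data make possible: take the accounts tagged as service accounts, learn the source-to-destination pairs they used during a baseline period, then flag later authentications that introduce a new pair or that are interactive logons (a service account should not be logging on at a console or over RDP). The field names (`AccountName`, `Tags`, `SourceDevice`, `DestinationDevice`, `LogonType`) and the tag string `ServiceAccount` are assumptions for the example, not Defender's schema; the identity rows and events are constructed.

```python
from collections import defaultdict

# Assumed tag value marking a service account in the inventory rows.
SERVICE_TAG = "ServiceAccount"
# Logon types a service account is not expected to use.
INTERACTIVE_LOGONS = {"Interactive", "RemoteInteractive"}

# Constructed inventory rows shaped loosely like IdentityInfo records.
INVENTORY = [
    {"AccountName": "svc_backup", "Tags": ["ServiceAccount", "Privileged"]},
    {"AccountName": "gmsa_web$", "Tags": ["ServiceAccount"]},
    {"AccountName": "jdoe", "Tags": []},
]

# Constructed authentication events from a baseline window (known-good activity).
BASELINE_EVENTS = [
    {"AccountName": "svc_backup", "SourceDevice": "srv-backup01", "DestinationDevice": "fs01", "LogonType": "Network"},
    {"AccountName": "svc_backup", "SourceDevice": "srv-backup01", "DestinationDevice": "fs02", "LogonType": "Network"},
    {"AccountName": "gmsa_web$", "SourceDevice": "web01", "DestinationDevice": "sql01", "LogonType": "Network"},
    {"AccountName": "jdoe", "SourceDevice": "ws-jdoe", "DestinationDevice": "fs01", "LogonType": "Interactive"},
]

# Constructed events from the period under review.
NEW_EVENTS = [
    {"AccountName": "svc_backup", "SourceDevice": "srv-backup01", "DestinationDevice": "fs01", "LogonType": "Network"},
    {"AccountName": "svc_backup", "SourceDevice": "ws-jdoe", "DestinationDevice": "dc01", "LogonType": "Network"},
    {"AccountName": "gmsa_web$", "SourceDevice": "web01", "DestinationDevice": "sql01", "LogonType": "RemoteInteractive"},
    {"AccountName": "jdoe", "SourceDevice": "ws-jdoe", "DestinationDevice": "dc01", "LogonType": "Interactive"},
]


def service_accounts(inventory, tag=SERVICE_TAG):
    """Return the set of account names carrying the service account tag."""
    return {row["AccountName"] for row in inventory if tag in row.get("Tags", [])}


def build_baseline(events, accounts):
    """Map each service account to the (source, destination) pairs it used."""
    baseline = defaultdict(set)
    for event in events:
        if event["AccountName"] in accounts:
            baseline[event["AccountName"]].add(
                (event["SourceDevice"], event["DestinationDevice"])
            )
    return baseline


def detect(events, baseline, accounts):
    """Flag service account events with a new connection pair or an interactive logon."""
    alerts = []
    for event in events:
        account = event["AccountName"]
        if account not in accounts:
            continue  # human identities are out of scope for this check
        pair = (event["SourceDevice"], event["DestinationDevice"])
        reasons = []
        if pair not in baseline.get(account, set()):
            reasons.append("new source/destination pair")
        if event["LogonType"] in INTERACTIVE_LOGONS:
            reasons.append(f"interactive logon ({event['LogonType']})")
        if reasons:
            alerts.append(
                {"AccountName": account, "Source": pair[0], "Destination": pair[1], "Reasons": reasons}
            )
    return alerts


def run():
    """Learn the baseline from BASELINE_EVENTS and review NEW_EVENTS against it."""
    accounts = service_accounts(INVENTORY)
    baseline = build_baseline(BASELINE_EVENTS, accounts)
    return detect(NEW_EVENTS, baseline, accounts)


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['AccountName']}: {alert['Source']} -> {alert['Destination']}: {', '.join(alert['Reasons'])}")
```

On the constructed data this raises two alerts: `svc_backup` authenticating from a workstation to a domain controller it had never touched, and `gmsa_web$` using a known path but with a RemoteInteractive logon. The `jdoe` events are ignored because that account carries no service account tag, which is the point of driving the check from the inventory tags rather than from naming conventions.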
By leveraging these features, organizations can reduce the risk of credential theft and unauthorized access.
Get started today!
These capabilities are now in public preview and are automatically enabled for Defender for Identity customers. To find the inventory, navigate to the “Identities” section of the Defender experience and click on the “Service account” tab.
Updated Mar 20, 2025
Version 1.0
AVIVKOREN, Microsoft
Microsoft Defender XDR Blog