Forum Discussion
Skipster311-1
Dec 06, 2021, Iron Contributor
Azure PIM role settings
Hello, if a service account is already permanently active in a role, and this box is not checked, will it move the service account to eligible?
- Dec 08, 2021
Skipster311-1 Chandrasekhar_Arya
See the below article, and as mentioned earlier, try to involve the application owner or supplier when you want to start implementing this.
https://identity-man.eu/2021/03/19/service-principals-all-you-need-to-know/
BilalelHadd
Dec 07, 2021, Iron Contributor
Hi Skipster311-1,
The below answer won't directly answer your question, but it might help you boost your security.
Is there a possibility of requesting the application owner to migrate the Service Account into a Service Principal? Most of the time, this is possible. However, I would not recommend using Service Accounts (especially) in the Cloud for security purposes, which automatically means I would never assign a permanent Azure AD role to a Service Account. There is an exception: if you could block the sign-in for this particular Service Account from any location except the trusted ones with Conditional Access, then it might be some sort of "safe," but still - Service Principals over (synced) Service Accounts.
Reasons for using a Service Principal:
- Doesn't consist of a username and password
- Cannot be logged in to interactively from, for example, a portal page
- Less likely to be impacted when it comes to brute force attacks, isn't
I hope it will help you.
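As an added example for the original question (not code from anyone in this thread), the following Microsoft Graph PowerShell script lists the PIM role assignments that are permanently active, so you can see which of them belong to users such as synced service accounts rather than service principals. It assumes the Microsoft.Graph module is installed and the caller is granted the RoleAssignmentSchedule.Read.Directory and Directory.Read.All permissions.

```powershell
# Added example: audit permanently active Azure AD role assignments in PIM.
# Assumes Microsoft.Graph PowerShell module and the scopes requested below.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.Read.Directory", "Directory.Read.All"

# Schedule instances are the assignments currently in effect.
# AssignmentType 'Assigned' = active (not merely eligible); a null EndDateTime = permanent.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }

if (-not $permanent) {
    Write-Host "No permanently active role assignments found."
    return
}

# Resolve the principal type (user, group, servicePrincipal) for each assignment.
# Note: getByIds accepts up to 1000 ids per call; split the list for larger tenants.
$principalIds = @($permanent.PrincipalId | Sort-Object -Unique)
$principalType = @{}
foreach ($obj in (Get-MgDirectoryObjectById -Ids $principalIds)) {
    # '@odata.type' looks like '#microsoft.graph.user'; keep only the last part.
    $principalType[$obj.Id] = $obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
}

# Map role definition ids to display names for readable output.
$roleName = @{}
foreach ($r in (Get-MgRoleManagementDirectoryRoleDefinition -All)) {
    $roleName[$r.Id] = $r.DisplayName
}

# Permanently active assignments held by users deserve a second look: in this
# thread's scenario these are the (service) accounts to move to eligible or to a
# service principal.
$permanent | ForEach-Object {
    [pscustomobject]@{
        Role          = $roleName[$_.RoleDefinitionId]
        PrincipalId   = $_.PrincipalId
        PrincipalType = $principalType[$_.PrincipalId]
        Scope         = $_.DirectoryScopeId
    }
} | Sort-Object PrincipalType, Role | Format-Table -AutoSize
```

Filter the output on `PrincipalType -eq 'user'` to get only the user accounts holding a permanent active role.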
Skipster311-1
Dec 07, 2021, Iron Contributor
Good advice. Thank you. Can you point me to an article on how to create and use service principals?