Forum Discussion
Skipster311-1
Dec 06, 2021, Iron Contributor
Azure PIM role settings
Hello, if a service account is already permanently active in a role and this box is not checked, will it move the service account to eligible?
- Dec 08, 2021
Skipster311-1 Chandrasekhar_Arya
See the below article, and as mentioned earlier, try to involve the application owner or supplier when you want to start implementing this.
https://identity-man.eu/2021/03/19/service-principals-all-you-need-to-know/
BilalelHadd
Dec 07, 2021, Iron Contributor
Hi Skipster311-1,
The below answer won't directly answer your question, but it might help you boost your security.
Is there a possibility of requesting that the application owner migrate the Service Account into a Service Principal? Most of the time, this is possible. However, I would not recommend using Service Accounts (especially) in the Cloud for security reasons, which automatically means I would never assign a permanent Azure AD role to a Service Account. There is an exception: if you could block the sign-in for this particular Service Account from any location except the trusted ones with Conditional Access, then it might be some sort of "safe," but still - Service Principals over (synced) Service Accounts.
Reasons for using a Service Principal:
- Doesn't consist of a username and password
- Cannot be logged in interactively from, for example, a portal page
- Less likely to be impacted by brute-force attacks
I hope it will help you.
- Skipster311-1, Dec 07, 2021, Iron Contributor: Can I also place the shared secret or certificate for the service principal in Azure Key Vault and then call the credentials that are in Key Vault instead of specifying the credentials for the service principal in code?
- Chandrasekhar_Arya, Dec 07, 2021, Steel Contributor: Thanks @BilalelHadd, it's great; let me take this advice. Any URL will be helpful.
- Skipster311-1, Dec 07, 2021, Iron Contributor: Good advice. Thank you. Can you point me to an article on how to create and use service principals?
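Added example, not code from this thread or from the linked article: a PowerShell sketch of the pattern Skipster311-1 asks about, a service principal that authenticates with a certificate whose private key stays in Azure Key Vault, so nothing secret is written into the automation's code. It uses the Az PowerShell modules (Az.Accounts, Az.Resources, Az.KeyVault); the vault name, app name, tenant and subscription IDs, and the resource group are placeholders, and the run-time part assumes the automation host has a managed identity with `get` permission on the vault's secrets.

```powershell
# --- One-time setup (run by an administrator) ---
# Placeholder values; replace with your own tenant, vault and scope.
$TenantId       = '00000000-0000-0000-0000-000000000000'
$SubscriptionId = '11111111-1111-1111-1111-111111111111'
$VaultName      = 'kv-automation-example'
$CertName       = 'automation-sp-cert'
$AppDisplayName = 'automation-sp-example'

# 1. Let Key Vault generate the key pair. The private key is created inside the
#    vault; only principals with 'get' on secrets can ever retrieve it.
$policy = New-AzKeyVaultCertificatePolicy -SubjectName "CN=$AppDisplayName" `
            -IssuerName Self -ValidityInMonths 12
Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $policy
# Certificate creation is asynchronous; wait until the operation has finished.
while ((Get-AzKeyVaultCertificateOperation -VaultName $VaultName -Name $CertName).Status -ne 'completed') {
    Start-Sleep -Seconds 2
}
$kvCert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName

# 2. Register the application and its service principal, attaching only the
#    public certificate as the credential (no client secret is created).
$app = New-AzADApplication -DisplayName $AppDisplayName
$publicKey = [Convert]::ToBase64String($kvCert.Certificate.GetRawCertData())
New-AzADAppCredential -ApplicationId $app.AppId -CertValue $publicKey `
    -EndDate $kvCert.Certificate.NotAfter
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# 3. Grant a narrowly scoped Azure role instead of a permanent directory role.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' `
    -Scope "/subscriptions/$SubscriptionId/resourceGroups/rg-example"

# --- Run time (inside the automation, on a host with a managed identity) ---
# Sign in as the host's managed identity; no credential is stored in the script.
Connect-AzAccount -Identity | Out-Null

# The vault exposes a generated certificate's PFX through the secrets endpoint
# (base64-encoded, without a password). Load it straight into the user store.
$pfxBase64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -AsPlainText
$pfxBytes  = [Convert]::FromBase64String($pfxBase64)
$runtimeCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes)
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
$store.Open('ReadWrite'); $store.Add($runtimeCert); $store.Close()

# Authenticate as the service principal with the certificate by thumbprint.
Connect-AzAccount -ServicePrincipal -TenantId $TenantId `
    -ApplicationId $app.AppId -CertificateThumbprint $runtimeCert.Thumbprint
```

Because the credential is a certificate rather than a password, it cannot be used for an interactive portal sign-in, which is the point made earlier in the thread; rotating it means generating a new version in Key Vault and updating the app credential with the new public key, and Key Vault's audit logs show every retrieval of the private key.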