Best practices for use of service accounts

%3CLINGO-SUB%20id%3D%22lingo-sub-2752820%22%20slang%3D%22en-US%22%3EBest%20practices%20for%20use%20of%20service%20accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2752820%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20fairly%20early%20in%20our%20journey%20on%20the%20use%20of%20Power%20Platform%20and%20SharePoint%20online.%20Some%20devs%20in%20the%20org%20have%20done%20some%20pretty%20cool%20things%20with%20Power%20Platform%2C%20Graph%20etc%2C%20but%20their%20solutions%20all%20run%20under%20their%20own%20accounts.%20I'm%20getting%20more%20and%20more%20questions%20now%20on%20how%20we%20can%20make%20these%20run%20under%20a%20generic%20service%20account%20so%20that%20these%20solutions%20are%20not%20dependent%20on%20the%20dev's%20account%20remaining%20active.%20Do%20you%20guys%20use%20service%20accounts%3F%20One%20account%20for%20all%20solutions%3F%20A%20different%20account%20for%20each%20solution%3F%20How%20do%20you%20license%20these%20accounts%3F%20Do%20you%20give%20the%20credentials%20to%20devs%20or%20is%20there%20a%20way%20to%20create%20a%20token%3F%20Looking%20for%20some%20ideas%20and%20best%20practices.%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2752820%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDeveloper%20Platform%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EGraphAPI%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPower%20Platform%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

We are fairly early in our journey on the use of Power Platform and SharePoint online. Some devs in the org have done some pretty cool things with Power Platform, Graph etc, but their solutions all run under their own accounts. I'm getting more and more questions now on how we can make these run under a generic service account so that these solutions are not dependent on the dev's account remaining active. Do you guys use service accounts? One account for all solutions? A different account for each solution? How do you license these accounts? Do you give the credentials to devs or is there a way to create a token? Looking for some ideas and best practices. Thanks.

1 Reply
Very short answer : never give the prod credentials to your devs :)

Short answer : if you want to secure the Graph API requests, you should follow at least :
- One service account (Managed Identity / Enterprise Application) per usage to follow the least privilege principle
- Store your secrets within an Azure Key Vault (you will find a lot of documentation on the Internet)

Other interesting links:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-governing-azur...
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-introduction-a...