New App Health Recommendations in Microsoft Entra Workload Identities
Published Jun 29 2023 10:35 AM 6,108 Views

We recently announced our 2023 State of Cloud Permissions Risks report, which laid out some interesting and eye-opening findings on not just the expansion of cloud environments, but the increase in identity types accessing critical cloud resources. The report reveals interesting findings on why securing workload identities has become more critical than ever:


  • Workload identities now outnumber human identities 10:1—double that of 2021. This significant uptick introduces new security risks.
  • More than 80% of workload identities are inactive, double the percentage reported in 2021.
  • Workload identities are using less than 5% of their granted permissions.
  • Approximately 70% of workload identities have access to sensitive data.


The exorbitant number of inactive workload identities and credentials represents an opportunity for significant risk reduction, especially given how many have high privilege permissions and operate across clouds. Inactive identities and stale credentials make easier targets for compromise and can generally be removed without impact, while expiring credentials can create outages.


According to the whitepaper from Kuppinger Cole, Securing Non-human Identities, one significant change is the rapid growth in the number and types of non-human identities, including workload identities. It’s become increasingly difficult to ensure proper identity management to avoid exposure to business, security, and compliance risks.

To help resolve emerging issues with non-human identities, we launched Microsoft Entra Workload Identities in November 2022. It allows organizations to configure conditional access, identity protection, credential policies, and access reviews for workload identities. This helps detect and remediate risks of workloads that may be acting differently than users. 


Easily recognizing which identities have risky configurations or should be removed altogether is becoming crucial, so we‘re excited to announce a new feature—app health recommendations—within Microsoft Entra Workload Identities.


App Health Recommendations help enhance app hygiene

With more than 80% of workload identities inactive, visibility on these apps and services is crucial. The app health recommendations capability in Microsoft Entra Workload Identities provides insights and actionable guidance to help you secure your environments and avoid outages with recommended best practices. For example- addressing applications that haven’t been used for more than 30 days, removing unused application credentials, and renewing credentials that expire soon.  


Removing unused applications and unused app credentials improves the security posture of a workload identity portfolio and promotes good identity hygiene. It reduces the risk of compromise- for example, by a bad actor discovering an unused application and abusing it. Depending on the permissions granted to the unused identity, this could lead to exposure of sensitive organizational data or enable lateral movement to further the actor’s objectives. 


Recommendations and how to address them

These new capabilities are available in Azure AD recommendationsEach recommendation has a description of the issue, the benefits of taking action, and an action plan with step-by-step remediation instructions. The three app health recommendations initially offered as a part of Microsoft Entra Workload Identities are:


  1. Unused applications
  2. Unused application credentials
  3. Expiring application credentials


The Status of a recommendation can be updated manually or automatically by the system. If all resources are addressed according to the action plan, the recommendation status automatically changes to ‘Completed’ the next time the recommendations service runs. 




To find this and determine your best course of action, follow these steps:


  1. Go to the Azure AD or Microsoft Entra admin center and select Recommendations
  2. Select a recommendation from the list to view the details, status, and action plan.
  3. Follow the action plan.
  4. If applicable, right-click on the status of a resource in a recommendation, select Mark as, then select a status.

If you want to learn more about how to use Microsoft Graph with app health recommendations, please check out the documentation.


Try app health recommendations today and align with best practices

As workload identities accessing cloud infrastructure continue to increase, it’s critical that organizations closely monitor their posture to reduce their risk of attacks and outages.  




Jeff Sakowicz



Learn more about Microsoft identity:

Version history
Last update:
‎Jun 28 2023 10:20 AM
Updated by: