When we talk to customers, we often get to dig deep into the details of marquee Azure Active Directory (Azure AD) features like conditional access, identity protection, and identity governance to secure user population. We know that for many of you, having these capabilities for non-human populations is a crucial part of your strategy to drive to Zero Trust and protect your businesses.
We’re incredibly excited to announce Microsoft Entra Workload Identities. This brand-new set of capabilities takes the features that organizations rely on for their user population, and tailors the protections to workload identities.
What are workload identities?
Users are not the only identities in Microsoft Entra identity and access management solutions. Along with human identities such as employees, partners and customers, Microsoft Entra, including Azure AD, also helps organizations manage access for non-human (or machine) identities. These include identities for devices along with identities for apps and services, which our industry is beginning to call “workload identities.” In Microsoft Entra, workload identities include applications and service principals.
Why does managing workload identities matter?
Just like user identities, these workload identities can be both powerful and vulnerable. They can have access to a company’s most sensitive resources, and can be an attack surface interesting to bad actors – a channel to cause damage or increase susceptibility. Tactics such as consent-phishing can introduce bad apps into organizations, and breached credentials can allow attackers to abuse existing applications and services. We’ve seen these attacks in the wild, including in one well-known recent example.
As companies increase their cloud presence, this workload identity population continues to grow. And due to unique characteristics of workload identities, it’s much more difficult to manage than companies’ user population. Organizations have a decent idea of how many employees they have, what growth might be like, and a general idea of what good patterns of access look like. HR system is a source of authority for employees in most organizations. Human users can ideally be trusted to keep secrets. However, workload identity population has few of these advantages. It can be unwieldy, inflate wildly, and has little in the way of good lifecycle management. The patterns of its behavior are less predictable, and the accountability hazier.
In response to this, some companies leverage user identity functionality. Organizations model workloads as user identities (often called “service accounts”) and use features like conditional access to keep them secure. This is an imperfect solution because workloads behave very differently from users, and anomalous behavior has different patterns. Instead, organizations need functionality built expressly for workload identities.
Introducing Microsoft Entra Workload Identities
We introduce a comprehensive set of capabilities for workload identities. These capabilities include features many of you have already been trying in public preview. Three that are ready now for production use are:
We’re also hard at work on forthcoming capabilities that will enable organizations to better understand their workload identity population. This includes identifying and potentially removing identities that have not been used recently – this is crucial functionality to help organizations right size their estate and attack surface.
Just like with user identities, this new set of capabilities will be licensed at a per-identity level, which will allow organizations to tailor their use to the workload identities they need to protect. This new offering will be available for purchase later this year.
This is just the beginning of what we’re building to help you use our workload identities to keep your organization productive and secure. We’re excited to go on this ride together and look forward to hearing from you.
Group Product Manager
Azure Active Directory
Learn more about Microsoft identity: