Microsoft Entra Workload Identities administration is “ready now for production use” with 3 capabilities as announced by Microsoft on Thursday
Workload Identities is the newest addition to Microsoft’s Azure Active Directory identity and access management services.
It’s about the non-human identity and access processes that happen when people use apps and services.
Microsoft renamed all of its Azure AD identity and access management services “Microsoft Entra” earlier this month.
The rebrand also includes the new Workload Identities feature, which is currently in preview.
Microsoft Entra Identity and access management
Users are not the only identities in Microsoft Entra identity and access management solutions. Along with human identities such as employees, partners and customers, Microsoft Entra, including Azure AD, also helps organizations manage access for non-human (or machine) identities. These include identities for devices along with identities for apps and services, which our industry is beginning to call “workload identities.” In Microsoft Entra, workload identities include applications and service principals. – llana Smith
Source : https://techcommunity.microsoft.com/t5/image/serverpage/image-id/377423i2F45BA378695BF82/image-size/large?v=v2&px=999
The Workload Identities service has 3 capabilities that Microsoft says are ready for organizations to use:
- Conditional Access for workload identities
- Identity Protection for workload identities
- Access Reviews for workload identities assigned to privileged roles,
The announcement avoided using the words “general availability,” which are typically used by Microsoft to indicate that a software release is suitable for commercial use.
Since February, Workload Identities, which is part of the Azure Active Directory Identity Protection service, has been in preview.
That’s probably still the case, even if some of its capabilities have been deemed ready for production.
Managing the workload identities generated by applications and services(Service Accounts)
The announcement argued that managing the workload identities generated by applications and services, commonly referred to as “service accounts,” is “less predictable” than managing human identities.
Furthermore, according to Alex Weinert, Microsoft’s director of identity security, organisations have “five times more software workloads than users,” as stated in Microsoft’s February announcement.
As a result, Microsoft’s nascent Workload Identities product is focusing on those less predictable identity and security issues.
Microsoft is referring to non-human identity aspects associated with the use of apps and services, which can include things like containers and virtual machines, when it says “workload identities.”
In the diagram below, Microsoft shows how workload identities fit into overall identity and access management scenarios:
What are workload identities ?
A workload identity is a unique identifier used to authenticate and access other services and resources by a software workload (such as an application, service, script, or container).
Although the terminology varies by industry, a workload identity is something you’ll need for your software entity to authenticate with a system.
A workload identity, for example, could be a user account that your client uses to access a MongoDB database.
Machine vs. human identities is a Microsoft concept, with “workload identities” representing the software aspect of machine identities. (source: “What Are Workload Identities“ Microsoft document, accessed June 9, 2022).
According to the “What are Workload Identities” document, organisations may have “an app that enables a web app to access Microsoft Graph based on admin or user consent,” which is one scenario where Microsoft’s Workload Identities protective capabilities may be used. According to the announcement, Microsoft solutions can address “tactics such as consent-phishing,” which “can introduce bad apps into organisations.”
According to Microsoft’s “Protecting Against Consent Phishing” document, a consent phishing attack tries to “trick users into granting permissions to malicious cloud apps.”
Upcoming Workloads Identities Possibilities
Microsoft’s Workloads Identities product will now “enable organisations to better understand their workload identity population,” according to the company.
It will be possible to “remove identities that have not been used recently” with this upcoming unnamed product capability, reducing an organization’s attack surface, according to the announcement.
“Like user identities, this new set of capabilities will be licenced per-identity,” according to the announcement.
“This will allow organisations to tailor their use to the workload identities they need to protect.” “Later this year, this new offering will be available for purchase.”
What excites you about Microsoft Entra Workloads Identities ? Comment Below Your Thoughts !