Securing workload identities with Identity Protection

Azure AD Identity Protection has historically protected users in detecting, investigating, and remediating identity-based risks. We're now extending these capabilities to workload identities to protect applications and service principals.

A workload identity is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:

  • Can’t perform multi-factor authentication.
  • Often have no formal lifecycle process.
  • Need to store their credentials or secrets somewhere.

These differences make workload identities harder to manage and put them at higher risk for compromise.

Important

Detections are visible only to Workload Identities Premium customers. Customers without Workload Identities Premium licenses still receive all detections but the reporting of details is limited.

Prerequisites

To make use of workload identity risk, including the new Risky workload identities blade and the Workload identity detections tab in the Risk detections blade in the portal, you must have the following.

  • Workload Identities Premium licensing: You can view and acquire licenses on the Workload Identities blade in the Azure portal.
  • One of the following administrator roles assigned
    • Global Administrator
    • Security Administrator
    • Security Operator
    • Security Reader

Users assigned the Conditional Access administrator role can create policies that use risk as a condition.

Workload identity risk detections

We detect risk on workload identities across sign-in behavior and offline indicators of compromise.

Detection name Detection type Description
Azure AD threat intelligence Offline This risk detection indicates some activity that is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources.
Suspicious Sign-ins Offline This risk detection indicates sign-in properties or patterns that are unusual for this service principal.

The detection learns the baselines sign-in behavior for workload identities in your tenant in between 2 and 60 days, and fires if one or more of the following unfamiliar properties appear during a later sign-in: IP address / ASN, target resource, user agent, hosting/non-hosting IP change, IP country, credential type.

Because of the programmatic nature of workload identity sign-ins, we provide a timestamp for the suspicious activity instead of flagging a specific sign-in event.

Sign-ins that are initiated after an authorized configuration change may trigger this detection.
Admin confirmed account compromised Offline This detection indicates an admin has selected 'Confirm compromised' in the Risky Workload Identities UI or using riskyServicePrincipals API. To see which admin has confirmed this account compromised, check the account’s risk history (via UI or API).
Leaked Credentials Offline This risk detection indicates that the account's valid credentials have been leaked. This leak can occur when someone checks in the credentials in public code artifact on GitHub, or when the credentials are leaked through a data breach.

When the Microsoft leaked credentials service acquires credentials from GitHub, the dark web, paste sites, or other sources, they're checked against current valid credentials in Azure AD to find valid matches.
Malicious application Offline This detection indicates that Microsoft has disabled an application for violating our terms of service. We recommend conducting an investigation of the application.
Suspicious application Offline This detection indicates that Microsoft has identified an application that may be violating our terms of service, but hasn't disabled it. We recommend conducting an investigation of the application.
Anomalous service principal activity Offline This risk detection baselines normal administrative service principal behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrative service principal making the change or the object that was changed.

Identify risky workload identities

Organizations can find workload identities that have been flagged for risk in one of two locations:

  1. Navigate to the Azure portal.
  2. Browse to Azure Active Directory > Security > Risky workload identities.
  3. Or browse to Azure Active Directory > Security > Risk detections.
    1. Select the Workload identity detections tab.'

Screenshot showing risks detected against workload identities in the report.

Graph APIs

You can also query risky workload identities using the Microsoft Graph API. There are two new collections in the Identity Protection APIs

  • riskyServicePrincipals
  • servicePrincipalRiskDetections

Export risk data

Organizations can export data by configurating diagnostic settings in Azure AD to send risk data to a Log Analytics workspace, archive it to a storage account, stream it to an event hub, or send it to a SIEM solution.

Enforce access controls with risk-based Conditional Access

Using Conditional Access for workload identities, you can block access for specific accounts you choose when Identity Protection marks them "at risk." Policy can be applied to single-tenant service principals that have been registered in your tenant. Third-party SaaS, multi-tenanted apps, and managed identities are out of scope.

Investigate risky workload identities

Identity Protection provides organizations with two reports they can use to investigate workload identity risk. These reports are the risky workload identities, and risk detections for workload identities. All reports allow for downloading of events in .CSV format for further analysis outside of the Azure portal.

Some of the key questions to answer during your investigation include:

  • Do accounts show suspicious sign-in activity?
  • Have there been unauthorized changes to the credentials?
  • Have there been suspicious configuration changes to accounts?
  • Did the account acquire unauthorized application roles?

The Azure Active Directory security operations guide for Applications provides detailed guidance on the above investigation areas.

Once you determine if the workload identity was compromised, dismiss the account’s risk, or confirm the account as compromised in the Risky workload identities report. You can also select “Disable service principal” if you want to block the account from further sign-ins.

Confirm workload identity compromise or dismiss the risk in the Azure portal.

Remediate risky workload identities

  1. Inventory credentials assigned to the risky workload identity, whether for the service principal or application objects.
  2. Add a new credential. Microsoft recommends using x509 certificates.
  3. Remove the compromised credentials. If you believe the account is at risk, we recommend removing all existing credentials.
  4. Remediate any Azure KeyVault secrets that the Service Principal has access to by rotating them.

The Azure AD Toolkit is a PowerShell module that can help you perform some of these actions.

Next steps