Creating Service Accounts in Entra ID to Bypass MFA for Non-Interactive Use

Surjeet Singh 65 Reputation points
2025-02-11T05:24:19.9666667+00:00

How can service accounts be created in Entra ID that bypass Multi-Factor Authentication (MFA) for non-interactive use, while blocking interactive logins and avoiding unnecessary license assignments?

The goal is to establish system/service/non-personal accounts in Entra ID. Currently, due to Conditional Access (CA) policies and mandatory MFA enforcement, these accounts are prompted for user credentials and MFA, especially when accessing SSO-integrated applications.

The objective is to develop accounts that are exempt from MFA and SSO while ensuring they are strictly used for non-interactive purposes. Access should be denied if there is an attempt to use these accounts for interactive logins.

Additionally, clarification is needed on whether these identities would require a license assignment, given that the accounts will not need access to Office, Teams, or other Microsoft resources—only authentication. Any insights or suggestions on setting this up would be appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator
    2025-02-13T08:37:02.9133333+00:00

    Hi Surjeet Singh,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query. I see @Fady Samy has provided you the summary of how service accounts are created and excluded from Conditional Access policy. I would like to add a few more points to it.

    As per your query, I understand that you would like to create service accounts in Azure to access and manage resources.

    To create service accounts there are two types of options:

    1. Service principals
    2. Managed identities

    Service principal: You can register an application in Azure app registrations with relevant permissions and provide the consent to the application, then it becomes a service principal. You can provide the permissions based on which resource or feature it has to access. You can follow this link to configure an app and create a service principal.

    Managed identities: Configuring managed identities has more benefits for accessing Azure resources, App Services and many other services. Managed identities provide automatic authentication for non-interactive sign-in where you need Microsoft Entra authentication. There are two types of managed identities: system-assigned and user-assigned. You can go through this link to learn more about the types of managed identities. Please go through this document to find the services that support managed identities.

    If you would like to configure user-assigned managed identities, please go through this document.

    If you would like to configure system-assigned managed identities, here is the document.

    Once you configure these identities, you can assign the role for managed identities using this document. For service principals, you can follow this document.

    Important Note: If you are using a service principal to assign roles, you might get the error "Insufficient privileges to complete the operation." This error is likely because Azure is attempting to look up the assignee identity in Microsoft Entra ID and the service principal cannot read Microsoft Entra ID by default. In this case, you need to grant the service principal permissions to read data in the directory. Alternatively, if you are using Azure CLI, you can create the role assignment by using the assignee object ID to skip the Microsoft Entra lookup.

    Now you can go through this document, to understand how service accounts work in Microsoft Entra ID.

    Once the identities have been created, you can configure conditional access policy to exclude service accounts from the policy using this document.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"

    1 person found this answer helpful.
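The procedure the accepted answer describes for the service principal option, as an added example that is not part of the original answer or of any Microsoft documentation: register the app, give it a certificate credential instead of a client secret, assign an Azure RBAC role by object ID (the Azure CLI route the answer mentions for avoiding the "Insufficient privileges" lookup error), and then confirm that a client-credentials sign-in works with no user, no password and no MFA prompt. It assumes the Microsoft.Graph and Az PowerShell modules and the Azure CLI are installed, that it runs on Windows (New-SelfSignedCertificate comes from the Windows PKI module), and that the tenant ID, subscription ID and resource-group name are placeholders to replace. A workload identity like this is not a user object, so it neither consumes a user license nor falls under user MFA requirements.

```powershell
# Added example, not code from the original answer. Placeholders below must be replaced.
$TenantId       = "00000000-0000-0000-0000-000000000000"   # placeholder
$SubscriptionId = "11111111-1111-1111-1111-111111111111"   # placeholder
$ResourceGroup  = "rg-appname"                              # placeholder
$DisplayName    = "svc-appname"

# 1. Register the application and create the service principal that will sign in.
#    Single-tenant audience keeps the app usable only in this directory.
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome
$app = New-MgApplication -DisplayName $DisplayName -SignInAudience "AzureADMyOrg"
$sp  = New-MgServicePrincipal -AppId $app.AppId

# 2. Certificate credential rather than a client secret: the private key is created
#    non-exportable on the host that will run the job and never lands in a config
#    file. Only the public certificate is uploaded to the app registration.
$cert = New-SelfSignedCertificate -Subject "CN=$DisplayName" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -NotAfter (Get-Date).AddMonths(12)
$keyCred = @{
    Type  = "AsymmetricX509Cert"
    Usage = "Verify"
    Key   = $cert.RawData          # public part only
}
Update-MgApplication -ApplicationId $app.Id -KeyCredentials @($keyCred)

# 3. Least-privilege RBAC assignment scoped to one resource group. Passing the object
#    ID and principal type lets the CLI skip the directory lookup that fails with
#    "Insufficient privileges to complete the operation" when the caller is itself a
#    service principal without directory read permission.
az role assignment create `
    --assignee-object-id $sp.Id `
    --assignee-principal-type ServicePrincipal `
    --role "Reader" `
    --scope "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# 4. Verify from the job host: OAuth 2.0 client-credentials sign-in with the
#    certificate. No interactive prompt and no MFA; user Conditional Access policies
#    do not apply to a service principal sign-in.
Connect-AzAccount -ServicePrincipal -TenantId $TenantId `
    -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint | Out-Null
$ctx = Get-AzContext
if ($ctx.Account.Type -ne "ServicePrincipal") {
    throw "Expected a service principal context, got $($ctx.Account.Type)"
}
# The Reader role should let the identity see exactly the scoped resource group.
Get-AzResourceGroup -Name $ResourceGroup | Select-Object ResourceGroupName, Location
Write-Host "Signed in as app $($ctx.Account.Id) with no user, password or MFA involved."
```

Rotate the certificate before its NotAfter date by uploading a new public key with a second Update-MgApplication call and removing the old one only after the job has switched over; the KeyCredentials array can hold both during the overlap.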

1 additional answer

  1. Fady Samy 155 Reputation points
    2025-02-11T06:31:03.4066667+00:00

    Hello Surjeet Singh,

    Please find the below options:

    1. Use Managed Identities (If Possible): For Azure workloads, use Managed Identities instead of service accounts; no passwords, MFA, or licensing are needed.
       • System-assigned Managed Identity (linked to an Azure resource)
       • User-assigned Managed Identity (can be used across multiple resources)
    2. Create a Service Account:
       • In Microsoft Entra ID, create a new user (e.g., svc-appname).
       • Set a strong random password and store it securely, and do not assign any license unless required.
    3. Block Interactive Logins by Creating a Conditional Access Policy:
       • Block sign-in for this account.
       • Exclude from MFA for non-interactive authentication.
       • Disable sign-in via Entra ID User Properties (if applicable).
    4. Authenticate Without MFA:
       • App Password: If using legacy authentication, generate an app password in Security Info.
       • OAuth 2.0 Client Credentials: Use App Registration + Secret/Certificate for secure API access.

    If the answer is helpful, please click yes to Accept Answer. If you have extra questions about this answer, please click "Comment"

    Regards,
    Fady
    fadysamy.com

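The user-based service account route from the answer above, as an added example that is not part of the original answer: create the account with a random password and no license, exclude it from the tenant-wide MFA policy, and pin it to the network the job runs from. Conditional Access has no condition that separates interactive from non-interactive user sign-ins, so this example restricts by trusted named location instead and leaves both policies in report-only mode until the sign-in logs have been reviewed. It assumes the Microsoft.Graph PowerShell module, a placeholder UPN and egress CIDR, and that the existing MFA policy is named "Require MFA for all users" (a placeholder name).

```powershell
# Added example, not code from the original answer. Placeholders below must be replaced.
Connect-MgGraph -NoWelcome -Scopes "User.ReadWrite.All",
    "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "UserAuthenticationMethod.Read.All"

$Upn        = "svc-appname@contoso.onmicrosoft.com"   # placeholder
$Cidr       = "203.0.113.0/24"                         # placeholder: job host egress range
$MfaPolicy  = "Require MFA for all users"              # placeholder: existing policy name

# 1. Create the account with a 256-bit random password and no license. The password
#    goes straight to the secret store of whatever runs the job; it is not echoed.
$bytes = New-Object byte[] 32
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)
$svc = New-MgUser -DisplayName "svc-appname" -UserPrincipalName $Upn `
    -MailNickname "svc-appname" -AccountEnabled:$true `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# 2. Trusted named location for the hosts that will use the account.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "svc-appname job hosts"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $Cidr })
}

# 3. Exclude the account from the MFA policy, copying the existing user conditions so
#    the PATCH does not silently drop other include/exclude entries.
$mfa = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $MfaPolicy
if (-not $mfa) { throw "MFA policy '$MfaPolicy' not found" }
$u = $mfa.Conditions.Users
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $mfa.Id -BodyParameter @{
    conditions = @{
        users = @{
            includeUsers  = @($u.IncludeUsers)
            includeGroups = @($u.IncludeGroups)
            includeRoles  = @($u.IncludeRoles)
            excludeUsers  = @($u.ExcludeUsers) + $svc.Id
            excludeGroups = @($u.ExcludeGroups)
            excludeRoles  = @($u.ExcludeRoles)
        }
    }
}

# 4. Compensating control: block this one account everywhere except the trusted
#    location. Report-only first; switch state to "enabled" after reviewing sign-ins.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "svc-appname: block outside job hosts"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @($svc.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 5. Check: an account exempt from MFA should have nothing but a password registered;
#    any phone or authenticator method here is a recovery path an attacker could use.
Get-MgUserAuthenticationMethod -UserId $svc.Id |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }
```

The exclusion in step 3 only affects Conditional Access policies the tenant owns; it does not exempt a user account from Microsoft's own mandatory MFA for Azure management sign-ins, which is one more reason to prefer the service principal or managed identity options for anything that touches Azure Resource Manager.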
