There are three types of service accounts in Microsoft Entra ID: managed identities, service principals, and user accounts employed as service accounts. When you create service accounts for automated use, they're granted permissions to access resources in Azure and Microsoft Entra ID. Resources can include Microsoft 365 services, software as a service (SaaS) applications, custom applications, databases, HR systems, and so on. Governing Microsoft Entra service accounts means managing their creation, permissions, and lifecycle to ensure security and continuity.
We do not recommend user accounts as service accounts because they are less secure. This includes on-premises service accounts synced to Microsoft Entra ID, because they aren't converted to service principals. Instead, we recommend managed identities or service principals, together with Conditional Access.
Before creating a service account, or registering an application, document the service account key information. Use the information to monitor and govern the account. We recommend collecting the following data and tracking it in your centralized Configuration Management Database (CMDB).
| Data | Description | Details |
| --- | --- | --- |
| Owner | User or group accountable for managing and monitoring the service account | Grant the owner permissions to monitor the account and implement a way to mitigate issues. Issue mitigation is done by the owner, or by request to an IT team. |
| Purpose | How the account is used | Map the service account to a service, application, or script. Avoid creating multiuse service accounts. |
| Permissions (Scopes) | Anticipated set of permissions | Document the resources it accesses and the permissions for those resources. |
| CMDB Link | Link to the accessed resources, and scripts in which the service account is used | Document the resource and script owners to communicate the effects of change. |
| Risk assessment | Risk and business effect, if the account is compromised | Use the information to narrow the scope of permissions and determine access to information. |
| Period for review | The cadence of service account reviews, by the owner | Review communications and reviews. Document what happens if a review is performed after the scheduled review period. |
| Lifetime | Anticipated maximum account lifetime | Use this measurement to schedule communications to the owner, disable, and then delete the accounts. Set an expiration date for credentials that prevents them from rolling over automatically. |
| Name | Standardized account name | Create a naming convention for service accounts to search, sort, and filter them. |
Principle of least privilege
Grant the service account permissions needed to perform tasks, and no more. If a service account needs high-level permissions, evaluate why and try to reduce permissions.
We recommend the following practices for service account privileges.
Inventory the privileges held by service principals: for each directory role, run Get-MgDirectoryRoleMember -DirectoryRoleId <role id> and filter the members for service principals (the @odata.type value #microsoft.graph.servicePrincipal), or list application role assignments with Get-MgServicePrincipal -All | ForEach-Object { Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.Id }
Service principals and managed identities can use Open Authorization (OAuth) 2.0 scopes in a delegated context, impersonating a signed-in user, or as a service account in the application context. In the application context, no one is signed in.
Confirm the scopes service accounts request for resources
If an account requests Files.ReadWrite.All, evaluate whether Files.Read.All is sufficient
Use a managed identity when possible. If you can't use a managed identity, use a service principal. If you can't use a service principal, then use a Microsoft Entra user account.
Build a lifecycle process
A service account lifecycle starts with planning, and ends with permanent deletion. The following sections cover how you monitor, review permissions, determine continued account usage, and ultimately deprovision the account.
Monitor service accounts
Monitor your service accounts to ensure usage patterns are correct, and that the service account is still in use.
[Screenshot: service principal sign-ins in the Microsoft Entra sign-in logs]
Sign-in log details
Look for the following details in sign-in logs.
Service accounts not signed in to the tenant
Changes in service account sign-in patterns
We recommend you export Microsoft Entra sign-in logs, and then import them into a security information and event management (SIEM) tool, such as Microsoft Sentinel. Use the SIEM tool to build alerts and dashboards.
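As an added example, not code from the original article, the following Python script runs the two checks just listed over a constructed export of service principal sign-in events, the kind of logic you would otherwise build as a SIEM alert. The field names follow the Entra sign-in log schema (createdDateTime, servicePrincipalName, ipAddress, resourceDisplayName); the account names, addresses, timestamps and CMDB inventory are made up.

```python
import json
from collections import defaultdict
from datetime import timedelta, datetime

# Constructed sample of exported Entra service principal sign-in events (newline-delimited
# JSON). Field names follow the sign-in log schema; names and addresses are made up.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"createdDateTime": "2024-05-01T02:00:00Z", "servicePrincipalName": "svc-backup-prod",
     "ipAddress": "10.0.0.5", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2024-05-15T02:00:00Z", "servicePrincipalName": "svc-backup-prod",
     "ipAddress": "10.0.0.5", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2024-06-03T14:17:00Z", "servicePrincipalName": "svc-backup-prod",
     "ipAddress": "203.0.113.9", "resourceDisplayName": "Azure Key Vault"},
    {"createdDateTime": "2024-03-20T08:00:00Z", "servicePrincipalName": "svc-hr-sync",
     "ipAddress": "10.0.0.7", "resourceDisplayName": "Microsoft Graph"},
])
# Constructed CMDB inventory (the "Name" field from the table above); svc-reporting never signs in.
CMDB_ACCOUNTS = {"svc-backup-prod", "svc-hr-sync", "svc-reporting"}

def parse_ts(s):
    """Sign-in timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_signins(text):
    """Parse the export into events sorted by time, each with a parsed 'ts' field."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = parse_ts(e["createdDateTime"])
    return sorted(events, key=lambda e: e["ts"])

def stale_accounts(events, accounts, now, max_idle_days=30):
    """CMDB accounts with no sign-in in the last max_idle_days (or none at all): review candidates."""
    last_seen = {}
    for e in events:  # events are time-ordered, so the last write wins
        last_seen[e["servicePrincipalName"]] = e["ts"]
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in accounts if a not in last_seen or last_seen[a] < cutoff)

def pattern_changes(events, baseline_end):
    """Source IPs / target resources first used after baseline_end, against the account's own history."""
    seen, changes = defaultdict(set), []
    for e in events:
        name = e["servicePrincipalName"]
        for kind, value in (("ip", e["ipAddress"]), ("resource", e["resourceDisplayName"])):
            if (kind, value) not in seen[name]:
                if e["ts"] > baseline_end:  # new value outside the baseline window: alert once
                    changes.append((name, kind, value))
                seen[name].add((kind, value))
    return changes
```

Both functions return plain lists, so the same code can feed a ticket to the account owner recorded in the CMDB or be ported to a SIEM query.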
Review service account permissions
Regularly review service account permissions and accessed scopes to see whether they can be reduced or eliminated.