Microsoft has released some important updates for its Microsoft Entra workload identities service. The new capabilities are designed to protect workload identities that are vulnerable to security threats such as consent-phishing attacks.
Workload identities are non-human identities (for example, those used by virtual machines and containers) that allow an application or a service principal to access a resource. Microsoft has recently rebranded its existing identity and access management solutions as Microsoft Entra. This product family also comes with a new workload identities service that is currently available in public preview.
“They can have access to a company’s most sensitive resources, and can be an attack surface interesting to bad actors – a channel to cause damage or increase susceptibility. Tactics such as consent-phishing can introduce bad apps into organizations, and breached credentials can allow attackers to abuse existing applications and services,” said Ilana Smith, Group Product Manager for Azure Active Directory.
First up, Microsoft is introducing Conditional Access support for workload identities. Until now, it was only possible to apply Conditional Access policies to users who wanted to access apps and services. The feature will enable IT admins to configure policies that specify the conditions under which a workload is allowed to access a resource.
The Redmond giant has also started rolling out new Identity Protection capabilities that allow organizations to detect and block risky workload identities based on signals such as leaked credentials and suspicious sign-ins. With this release, IT pros can now protect applications, managed identities, and service principals in their environments.
Finally, the Azure AD Access Review feature helps organizations perform a periodic review of highly privileged access held by applications and service principals. IT teams can set up and run access reviews from the Azure management portal, and you can find more details on this support page.
Microsoft is also working on a new feature that will give customers a better understanding of their “workload identity population.” Additionally, it will let IT admins remove inactive identities that have not been used recently within enterprise networks. This new set of capabilities should help reduce an organization’s attack surface and will be available later this year.