We are delighted to announce the public preview of Azure AD Identity Protection for workload identities! This work comes from working with our customers as we apply everything we’ve learned from protecting user accounts to workload identities, especially in the context of current attacker behaviors. Purpose-built anomaly detections for workload identities work alongside the existing user detections to help protect your entire estate!
As businesses shift to cloud computing, organizations are deploying software workloads (e.g., apps, services, or scripts) that access cloud resources. These have workload identities in Azure AD - applications, managed identities, and service principals.
According to our internal research, organizations typically have five times more software workloads than they have users. Compromised workload identities provide an attacker with a foothold to move laterally inside a victim environment. These attacks are on the rise and our customers are urgently looking to bring the security of these identities in line with those of human users.
Detect and respond to compromised workload identities
To protect valuable resources and data, organizations need the ability to reduce the risk of breach. Azure AD Identity Protection already protects you by detecting users whose credentials have been compromised and sessions which look risky. With this announcement, we’re extending that protection to workload identities with reports of detected anomalous application behavior, including suspicious login patterns and directory changes to help you more quickly detect and remediate attacks.
[Risky workload identity report in Azure AD portal]
Strengthen Zero Trust deployment with risk-based Conditional Access
A key aspect of Zero Trust is to “verify explicitly” and lock down when the system detects an anomaly. You can now apply a risk-based Conditional Access policy to block access when Identity Protection detects a risky workload identity. Today this is available through Microsoft Graph; support in the Azure portal is coming soon. This means that for all single-tenant applications, you can configure a policy to block on any combination of High, Medium, or Low risk (we will address multi-tenant applications in the future).
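As an added illustration (not part of the original announcement), the request body below is what a blocking policy of this kind looks like when created through Microsoft Graph. It assumes the beta Conditional Access endpoint (`POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies`) and the `clientApplications` / `servicePrincipalRiskLevels` condition names from the Graph schema; the risk levels chosen (High and Medium) and the display name are example values.

```json
{
  "displayName": "Block risky workload identities (example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientApplications": {
      "includeServicePrincipals": ["ServicePrincipalsInMyTenant"],
      "excludeServicePrincipals": []
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "servicePrincipalRiskLevels": ["high", "medium"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```

Starting in report-only mode lets you review which workload identities would have been blocked in the sign-in logs before switching `state` to `enabled`.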
[Risk level configuration for workload identities in Conditional Access]
Export risk data to where you need it
Thousands of our customers use tools outside of the Azure portal to analyze Identity Protection logs. As of today, you can export risk events to the solution of your choice for analysis or long-term storage. Just navigate to Diagnostic Settings to get started.
[Export risky service principals and event associated with service principals]
These new detections and controls are just the beginning. We are committed to protecting all identities, including workload identities, so stay tuned for more exciting news in this area coming soon. As always, your feedback is a huge part of that. Please visit our Identity Protection for workload identities documentation to learn more and get started.