Three Microsoft Workload Identities Capabilities Now at 'Production' Use Stage -- Redmondmag.com

Three Microsoft Workload Identities Capabilities Now at Production Use Stage

By Kurt Mackie
06/10/2022

Three capabilities in the Microsoft Entra Workload Identities service are "ready now for production use," according to a Thursday Microsoft announcement.

Workload Identities is Microsoft's newest Azure Active Directory identity and access management services product addition. It's concerned with the non-human identity and access processes that occur when apps and services get used.

Last month, Microsoft rebranded all of its Azure AD identity and access management services under the "Microsoft Entra" name. The rebrand also includes the new Workload Identities addition, which has been described as being at the preview stage.

Here are the three capabilities of the Workload Identities service that Microsoft indicated were ready for use by organizations:

Conditional Access for workload identities, which allows you to set policies defining the conditions under which a workload may access a resource, such as the IP range. 
Identity Protection for workload identities, which helps you identify (and potentially block) risky workload identities, based on anomalous behavior or other signals.
Access Reviews for workload identities assigned to privileged roles, which allows you to keep a close eye on highly privileged access.

The announcement stopped short of using the words, "general availability," which is Microsoft's usual signal that a software release is deemed OK for commercial use.

Workload Identities, part of the Azure Active Directory Identity Protection service, has been at the preview stage since February. Presumably, that's still the case, even if some of its capabilities are now deemed production ready.

The Trouble with Service Accounts
Managing the workload identities generated by applications and services, typically called "service accounts," is "less predictable" than overseeing human identities, the announcement argued.

Moreover, organizations tend to have "five times more software workloads than they have users," noted Alex Weinert, Microsoft's director of identity security, back in Microsoft's February announcement.

Consequently, Microsoft is specifically focusing on those less predictable identity and security issues with its budding Workload Identities product.

By "workload identities," Microsoft specifically is referring to non-human identity aspects associated with the use of apps and services, which can include things like containers and virtual machines.

Microsoft illustrated how workload identities fit into overall identity and access management scenarios in the following diagram:

**[Click on image for larger view.]** *Figure 1.* Microsoft's concept of machine vs. human identities, with "workload identities" representing the software aspect of machine identities (source: "What Are Workload Identities" Microsoft document, accessed June 10, 2022).

Organizations may have "an app that enables a web app to access Microsoft Graph based on admin or user consent," which is one scenario where Microsoft's Workload Identities protective capabilities may be used, according to the "What are Workload Identities" document. Microsoft solutions can address "tactics such as consent-phishing," which "can introduce bad apps into organizations," the announcement noted.

A consent phishing attack attempts to "trick users into granting permissions to malicious cloud apps," Microsoft explained, in this "Protecting Against Consent Phishing" document.

Coming Workloads Identities Capability
Microsoft next efforts with its Workloads Identities product will be to "enable organizations to better understand their workload identity population." With this coming unnamed product capability, it'll be possible to "remove identities that have not be used recently," thereby reducing an organization's attack surface, the announcement promised.

"Just like with user identities, this new set of capabilities will be licensed at a per-identity level, which will allow organizations to tailor their use to the workload identities they need to protect," the announcement indicated. "This new offering will be available for purchase later this year."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Exchange Server Subscription Edition Coming Next Year

Microsoft provided a brief update on Tuesday of its Exchange Server roadmap, including the news that Exchange Server Subscription Edition (SE) will be arriving in the third quarter of 2025.
Biden Administration Releases Global Cybersecurity Initiative

The U.S. Department of State has released a comprehensive cybersecurity framework aimed at international cooperation when targeting cybercriminals and strengthening defenses.
Microsoft Purview Enhanced with AI Security and Compliance Hooks

Microsoft Purview, the company's data governance solution, is receiving a handful of upgrades to help enterprises securely manage their growing AI-related data.
Hardening Gen AI Application Security with Microsoft Defender for Cloud

Among the avalanche of security announcements this week, Microsoft has kicked off the first day of RSAC 2024 by unveiling new capabilities to protect Gen AI applications in the enterprise with Microsoft Defender for Cloud.
Microsoft Bringing Zero Trust to DNS Security

Microsoft has announced that Zero Trust DNS (ZTDNS), which aims to restrict device access to untrusted domains in Windows, is currently in private preview.