Three Microsoft Workload Identities Capabilities Now at Production Use Stage

Three capabilities in the Microsoft Entra Workload Identities service are "ready now for production use," according to a Thursday Microsoft announcement.

Workload Identities is the newest addition to Microsoft's Azure Active Directory identity and access management services. It concerns the non-human identities and access processes involved when apps and services are used.

Last month, Microsoft rebranded all of its Azure AD identity and access management services under the "Microsoft Entra" name. The rebrand also includes the new Workload Identities addition, which has been described as being at the preview stage.

Here are the three capabilities of the Workload Identities service that Microsoft indicated were ready for use by organizations:

The announcement stopped short of using the words "general availability," which is Microsoft's usual signal that a software release is deemed OK for commercial use.

Workload Identities, part of the Azure Active Directory Identity Protection service, has been at the preview stage since February. Presumably, that's still the case, even if some of its capabilities are now deemed production ready.

The Trouble with Service Accounts
Managing the workload identities generated by applications and services, typically called "service accounts," is "less predictable" than overseeing human identities, the announcement argued.

Moreover, organizations tend to have "five times more software workloads than they have users," noted Alex Weinert, Microsoft's director of identity security, back in Microsoft's February announcement.

Consequently, Microsoft is specifically focusing on those less predictable identity and security issues with its budding Workload Identities product.

By "workload identities," Microsoft is specifically referring to the non-human identity aspects associated with the use of apps and services, which can include things like containers and virtual machines.

Microsoft illustrated how workload identities fit into overall identity and access management scenarios in the following diagram:

Figure 1. Microsoft's concept of machine vs. human identities, with "workload identities" representing the software aspect of machine identities (source: "What Are Workload Identities" Microsoft document, accessed June 10, 2022).

Organizations may have "an app that enables a web app to access Microsoft Graph based on admin or user consent," which is one scenario where Microsoft's Workload Identities protective capabilities may be used, according to the "What are Workload Identities" document. Microsoft solutions can address "tactics such as consent-phishing," which "can introduce bad apps into organizations," the announcement noted.

A consent phishing attack attempts to "trick users into granting permissions to malicious cloud apps," Microsoft explained in its "Protecting Against Consent Phishing" document.

Coming Workload Identities Capability
Microsoft's next effort with its Workload Identities product will be to "enable organizations to better understand their workload identity population." With this coming, as-yet-unnamed capability, it will be possible to "remove identities that have not been used recently," thereby reducing an organization's attack surface, the announcement promised.

"Just like with user identities, this new set of capabilities will be licensed at a per-identity level, which will allow organizations to tailor their use to the workload identities they need to protect," the announcement indicated. "This new offering will be available for purchase later this year."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
