With identity management being crucial in organisations, Microsoft Entra ID (formerly Azure Active Directory) is a must-have for managing access to many services and resources. One of the key aspects of managing access is service accounts: non-human identities used by applications or services to authenticate and run automated tasks without manual intervention.
In this post I explain the types of service accounts in Microsoft Entra ID, how they differ, and best practices for using them.
What are Service Accounts?
In Microsoft Entra ID, service accounts fall into three categories:
- Managed identities (system-assigned or user-assigned)
- Service principals (app registrations)
- Microsoft Entra ID user accounts (which should not be used as service accounts, see below)
Managed Identities
Managed identities are a Microsoft Entra ID feature that gives an Azure resource its own identity, so code running on it can authenticate to services that accept Entra authentication (Azure Key Vault, Azure SQL, Azure Storage, etc.) without any credential being stored in code or configuration; the platform issues and rotates the underlying credential itself.
Two types of managed identity are available:
- System-assigned managed identity: bound to one specific Azure resource (such as a virtual machine, Logic App or App Service). It is created automatically when you enable it on the resource (which can be at creation time) and deleted automatically when the resource is deleted. Because it is specific to that one resource, it is the easiest to reason about and to protect.
- User-assigned managed identity: a standalone Azure resource that you create and manage explicitly. Unlike a system-assigned identity, which is tied to a single resource, it can be assigned to several Azure resources at once, so they all share one identity and one set of role assignments, again without any credential to hardcode.
System-assigned vs User-assigned managed identities
Property | System-assigned managed identity | User-assigned managed identity |
--- | --- | --- |
Creation | Created as part of an Azure resource. | Created as a standalone Azure resource, independently of any workload. |
Lifecycle | Tied to the parent resource; the identity is deleted when the resource is deleted. | Independent; it outlives the resources it is assigned to and must be deleted explicitly. |
Sharing across Azure resources | Cannot be shared; it is bound to exactly one Azure resource. | Can be shared; it can be assigned to many Azure resources. |
Common use cases | A single Azure VM that needs to access an Azure Storage account. | Several resources (for example an Azure VM, a Logic App and a Data Factory) that all need the same access to an Azure Storage account, granted once to one identity. |
Key benefits of Managed Identities:
- Automatic lifecycle management: identities are created and managed by Azure without user intervention.
- Enhanced security: no credential is stored in code, configuration or pipelines, so there is nothing to leak or to find in a repository.
- Credential-less operation: the platform issues and rotates the credential behind the identity; there is nothing to manage or rotate manually.
- Seamless integration: a managed identity can authenticate to any service that supports Microsoft Entra ID authentication.
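To make the "no credential anywhere" point concrete, here is an added example (not code from the original post) of how a process on an Azure VM obtains a token through the Instance Metadata Service (IMDS) managed identity endpoint. The endpoint URL, API version and response shape are the documented IMDS contract; the sample response is constructed so the parser can be exercised off-box. App Service, Functions and Container Apps expose the same idea through the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables instead, which this example does not cover.

```python
"""Acquire an access token from the Azure IMDS managed identity endpoint.

Added example, not from the original post. Assumes the code runs on an Azure
VM (or VMSS instance) that has a managed identity enabled.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    """Build the IMDS request for a token usable against `resource`.

    With a system-assigned identity there is exactly one identity on the VM,
    so no selector is needed. With several user-assigned identities the caller
    must pick one with client_id (object_id or mi_res_id also work), otherwise
    IMDS returns an error instead of guessing.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    # The Metadata header is mandatory: it stops naive SSRF relays, which
    # usually cannot set arbitrary request headers, from reaching this endpoint.
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def parse_token_response(body: bytes, now: Optional[float] = None) -> dict:
    """Validate the IMDS JSON body and return only the fields a caller needs.
    IMDS returns numeric fields as strings, hence the int() conversion."""
    data = json.loads(body)
    for field in ("access_token", "expires_on", "resource", "token_type"):
        if field not in data:
            raise ValueError(f"IMDS response missing {field!r}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    expires_on = int(data["expires_on"])
    now = time.time() if now is None else now
    if expires_on <= now:
        raise ValueError("IMDS returned an already-expired token")
    return {
        "access_token": data["access_token"],
        "expires_on": expires_on,
        "resource": data["resource"],
        "client_id": data.get("client_id"),
    }


def get_managed_identity_token(resource: str, client_id: Optional[str] = None,
                               timeout: float = 5.0) -> dict:
    """Fetch a token from IMDS. No secret is involved anywhere: the platform
    authenticates the VM. Note that any process on the VM can call this
    endpoint, so the VM's attack surface is also the token's."""
    req = build_token_request(resource, client_id)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())


# Constructed sample response in the shape IMDS returns, so parse_token_response
# can be exercised without a VM. A real call on a VM would be
# get_managed_identity_token("https://vault.azure.net").
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e30.sig",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_in": "3599",
    "expires_on": "1900000000",
    "ext_expires_in": "3599",
    "not_before": "1899990000",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
}).encode()
```

The practical caveat that follows from this: because the endpoint is link-local and unauthenticated beyond the Metadata header, anything that can run code or forge HTTP requests on the VM (a compromised web app with an SSRF bug, a malicious package in a build step) can obtain the same token. Keep the identity's role assignments to the minimum the workload needs, so that a stolen token buys as little as possible.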
App Registrations (Service Principals)
Microsoft Entra ID application registrations are another type of service account, typically used by third-party or custom applications that need to authenticate to Microsoft Entra ID and call the APIs and resources it protects. Registering an application creates an application object (the definition: permissions, redirect URIs, credentials) and a service principal in the tenant; the service principal is the identity the application actually signs in as and the object to which roles and permissions are assigned.
App registrations are used for:
- Third-party app integrations: connecting external applications or SaaS services to the Microsoft 365 landscape.
- Custom apps: an internal application that interacts with Azure services or Microsoft Graph.
- Multi-tenant applications: apps that authenticate users from multiple Microsoft Entra tenants.
App registrations support three kinds of credentials:
- Client secret: a password-like string the application presents when requesting a token. It has to be stored somewhere (configuration, pipeline variables, a vault), so it can leak and must be rotated; it is the least secure of the three.
- Certificate: the application proves possession of a private key by signing a short-lived assertion; only the public certificate is stored in Entra ID and no secret travels in the token request. More secure than a client secret.
- Federated credential (workload identity federation): Entra ID trusts tokens issued by an external identity provider, such as GitHub Actions, a Kubernetes cluster, AWS or Google Cloud, and exchanges them for its own tokens, so the workload holds no long-lived secret at all.
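The difference between the first two credential types is easiest to see in the token request itself. The following is an added example, not code from the original post: it builds the client-credentials request for the v2.0 token endpoint once with a client secret and once with a certificate, where the certificate variant sends a short-lived signed JWT (the client assertion) instead of a stored secret. The tenant, client ID and certificate bytes are placeholders, and the RSA signing step is injected as a callable because it belongs to whatever key store holds the private key (with the cryptography package it would be `key.sign(data, padding.PKCS1v15(), hashes.SHA256())`).

```python
"""Client-credentials token requests for an app registration: client secret
versus certificate (signed client assertion, RFC 7523 profile).

Added example, not from the original post. Tenant, client ID, certificate
bytes and the signer are illustrative inputs supplied by the caller.
"""
import base64
import hashlib
import json
import time
import urllib.parse
import uuid
from typing import Callable, Optional, Tuple

V2_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def secret_token_request(tenant: str, client_id: str, client_secret: str,
                         scope: str) -> Tuple[str, bytes]:
    """URL and form body for the client-secret variant. The secret is sent in
    every token request and has to live in configuration somewhere, which is
    why it can leak and why it needs rotation."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return V2_TOKEN_URL.format(tenant=tenant), body


def build_client_assertion(tenant: str, client_id: str, cert_der: bytes,
                           sign: Callable[[bytes], bytes],
                           now: Optional[float] = None, lifetime: int = 600) -> str:
    """Build the JWT that Entra ID accepts as client_assertion.

    The header carries x5t, the base64url SHA-1 thumbprint of the registered
    certificate, so Entra can locate the matching public key. The audience is
    the token endpoint of the tenant the request goes to. `sign` must return an
    RS256 signature (RSA PKCS#1 v1.5 over SHA-256) made with the private key.
    """
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "x5t": _b64url(hashlib.sha1(cert_der).digest())}
    claims = {
        "aud": V2_TOKEN_URL.format(tenant=tenant),
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion so a captured one cannot be replayed
        "nbf": now,
        "exp": now + lifetime,     # keep it short; the assertion is only needed for one request
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def certificate_token_request(tenant: str, client_id: str, cert_der: bytes,
                              sign: Callable[[bytes], bytes], scope: str) -> Tuple[str, bytes]:
    """URL and form body for the certificate variant: no secret leaves the host,
    only a freshly signed, short-lived assertion."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": build_client_assertion(tenant, client_id, cert_der, sign),
        "scope": scope,
    }).encode()
    return V2_TOKEN_URL.format(tenant=tenant), body


def decode_assertion(assertion: str) -> Tuple[dict, dict]:
    """Split an assertion back into header and claims for inspection
    (no signature verification; Entra ID does that with the registered cert)."""
    h, c, _sig = assertion.split(".")
    pad = lambda s: s + "=" * (-len(s) % 4)
    return (json.loads(base64.urlsafe_b64decode(pad(h))),
            json.loads(base64.urlsafe_b64decode(pad(c))))
```

A federated credential uses exactly the certificate-style request: the same `client_assertion_type`, but the `client_assertion` is the token the external provider (for example GitHub Actions' OIDC endpoint) issued to the workload, and Entra ID validates it against the issuer, subject and audience you configured on the federated credential rather than against a certificate you uploaded.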
App registrations vs. managed identities:
- Security: a managed identity never exposes a credential to you, whereas an app registration typically has a client secret or certificate that you are responsible for storing, protecting and rotating.
- Lifecycle management: Azure creates, rotates and deletes the credential behind a managed identity. App registrations are created manually, and their lifecycle, in particular secret and certificate expiry dates, has to be tracked and maintained by you.
- Scope of use: managed identities can only be used by workloads running on Azure resources that support them, while app registrations can be used by any application, internal (custom) or external (third-party), running anywhere.
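The lifecycle point is where app registrations most often go wrong in practice, so here is an added example (not code from the original post) of the check an administrator would run over the tenant's applications. It consumes records in the shape Microsoft Graph returns from `GET /applications` (the `passwordCredentials` and `keyCredentials` arrays) and reports expired and soon-to-expire credentials, secrets issued with a very long lifetime, and any secret still in use at all. Fetching the records from Graph is left to the caller; the sample applications below are constructed for illustration.

```python
"""Audit app-registration credentials for the lifecycle problems an app
registration leaves to you: expired or soon-to-expire secrets and
certificates, and client secrets that are long-lived or simply still in use.

Added example, not from the original post. Input records follow the shape of
Microsoft Graph's GET /applications (passwordCredentials and keyCredentials);
SAMPLE_APPS are constructed, not real tenants.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


def parse_graph_time(ts: str) -> datetime:
    """Graph timestamps are UTC ISO 8601 with up to 7 fractional digits; drop
    the fraction (irrelevant at this granularity) and pin the result to UTC."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_app_credentials(apps: Iterable[Dict], now: datetime,
                          warn_days: int = 30, max_secret_days: int = 365) -> List[Dict]:
    """Return one finding per credential that needs attention.

    Statuses, in priority order: expired, expiring (within warn_days),
    long-lived-secret (a secret issued for more than max_secret_days) and
    secret-in-use (a healthy secret that should still move to a certificate or
    a federated credential). Healthy certificates produce no finding.
    """
    findings = []
    for app in apps:
        creds = [("secret", c) for c in app.get("passwordCredentials", [])]
        creds += [("certificate", c) for c in app.get("keyCredentials", [])]
        for kind, cred in creds:
            end = parse_graph_time(cred["endDateTime"])
            if end <= now:
                status = "expired"
            elif end - now <= timedelta(days=warn_days):
                status = "expiring"
            elif kind == "secret":
                lifetime = end - parse_graph_time(cred["startDateTime"])
                status = "long-lived-secret" if lifetime > timedelta(days=max_secret_days) else "secret-in-use"
            else:
                continue
            findings.append({
                "app": app.get("displayName"),
                "appId": app.get("appId"),
                "kind": kind,
                "keyId": cred.get("keyId"),
                "credential": cred.get("displayName"),
                "status": status,
                "days_left": (end - now).days,
            })
    return findings


# Constructed sample in Graph's shape. An app that authenticates only with a
# federated credential has neither array and is correctly left alone.
SAMPLE_APPS = [
    {"displayName": "payroll-sync", "appId": "a1a1a1a1-0000-0000-0000-000000000001",
     "passwordCredentials": [{"keyId": "k-1", "displayName": "legacy secret", "hint": "Qx7",
                              "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2024-12-31T00:00:00Z"}]},
    {"displayName": "ci-deployer", "appId": "a1a1a1a1-0000-0000-0000-000000000002",
     "keyCredentials": [{"keyId": "k-2", "type": "AsymmetricX509Cert", "usage": "Verify",
                         "displayName": "CN=ci-deployer", "startDateTime": "2024-02-01T00:00:00Z",
                         "endDateTime": "2025-02-01T00:00:00Z"}]},
    {"displayName": "reporting", "appId": "a1a1a1a1-0000-0000-0000-000000000003",
     "passwordCredentials": [{"keyId": "k-3", "displayName": "two-year secret", "hint": "Mz9",
                              "startDateTime": "2024-06-01T00:00:00.1234567Z",
                              "endDateTime": "2026-06-01T00:00:00Z"}]},
    {"displayName": "gh-actions-deploy", "appId": "a1a1a1a1-0000-0000-0000-000000000004"},
]
FIXED_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # frozen so the sample run is reproducible


def run_sample_audit() -> List[Dict]:
    return audit_app_credentials(SAMPLE_APPS, FIXED_NOW)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['status']:18} {f['app']:20} {f['kind']:12} {f['credential']!r} ({f['days_left']} days left)")
```

In a real tenant you would feed this from `az ad app list` or a Graph query made with an identity that has `Application.Read.All`, and schedule it so that an expiring certificate is caught before the outage, not after.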
Microsoft Entra ID user accounts (used as service accounts)
Technically any Microsoft Entra ID user account can be used as a service account, but this is a security bad practice. It brings significant disadvantages: the human factor (a shared password that is rarely rotated and outlives the people who know it), MFA left disabled so that automation does not break, and a password-based credential that is far easier to phish or brute-force than a managed identity or certificate.
User accounts exist to give people access to Microsoft 365, Azure and DevOps services. For them, MFA, passwordless authentication, Windows Hello for Business and similar controls are strongly recommended.
This type of account should NOT be used as a service account; use a managed identity or an app registration instead.
Here are some guidelines for using service accounts with Microsoft Entra ID to ensure you’re making the best security and manageability decisions:
Service accounts in Microsoft Entra ID are one of the most critical components of today's IT setup, because they are what lets resources and services grant access to automation securely. Understanding the differences between managed identities and app registrations, together with these best practices, goes a long way towards an identity management strategy that is both secure and efficient.