| 1 | +--- |
| 2 | +title: Securing workload identities with Azure AD Identity Protection |
| 3 | +description: Workload identity risk in Azure Active Directory Identity Protection |
| 4 | + |
| 5 | +services: active-directory |
| 6 | +ms.service: active-directory |
| 7 | +ms.subservice: identity-protection |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 02/07/2022 |
| 10 | + |
| 11 | +ms.author: joflore |
| 12 | +author: MicrosoftGuyJFlo |
| 13 | +manager: karenhoran |
| 14 | +ms.reviewer: etbasser |
| 15 | + |
| 16 | +ms.collection: M365-identity-device-management |
| 17 | +--- |
| 18 | +# Securing workload identities with Identity Protection |
| 19 | + |
| 20 | +Azure AD Identity Protection has historically protected users in detecting, investigating, and remediating identity-based risks. We're now extending these capabilities to workload identities to protect applications, service principals, and Managed Identities. |
| 21 | + |
| 22 | +A workload identity is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they: |
| 23 | + |
| 24 | +- Can’t perform multi-factor authentication. |
| 25 | +- Often have no formal lifecycle process. |
| 26 | +- Need to store their credentials or secrets somewhere. |
| 27 | + |
| 28 | +These differences make workload identities harder to manage and put them at higher risk for compromise. |
| 29 | + |
| 30 | +> [!IMPORTANT] |
| 31 | +> In public preview, you can secure workload identities with Identity Protection and Azure Active Directory Premium P2 edition active in your tenant. After general availability, additional licenses might be required. |
| 32 | +
|
| 33 | +## Prerequisites |
| 34 | + |
| 35 | +To make use of workload identity risk, including the new **Risky workload identities (preview)** blade and the **Workload identity detections** tab in the **Risk detections** blade, in the Azure portal you must have the following. |
| 36 | + |
| 37 | +- Azure AD Premium P2 licensing |
| 38 | +- One of the following administrator roles assigned |
| 39 | + - Global administrator |
| 40 | + - Security administrator |
| 41 | + - Security operator |
| 42 | + - Security reader |
| 43 | + |
| 44 | +## Workload identity risk detections |
| 45 | + |
| 46 | +We detect risk on workload identities across sign-in behavior and offline indicators of compromise. |
| 47 | + |
| 48 | +| Detection name | Detection type | Description | |
| 49 | +| --- | --- | --- | |
| 50 | +| Azure AD threat intelligence | Offline | This risk detection indicates some activity that is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. | |
| 51 | +| Suspicious Sign-ins | Offline | This risk detection indicates sign-in properties or patterns that are unusual for this service principal. <br><br> The detection learns the baselines sign-in behavior for workload identities in your tenant in between 2 and 60 days, and fires if one or more of the following unfamiliar properties appear during a later sign-in: IP address / ASN, target resource, user agent, hosting/non-hosting IP change, IP country, credential type. <br><br> Because of the programmatic nature of workload identity sign-ins, we provide a timestamp for the suspicious activity instead of flagging a specific sign-in event. <br><br> Sign-ins that are initiated after an authorized configuration change may trigger this detection. | |
| 52 | +| Admin confirmed account compromised | Offline | This detection indicates an admin has selected 'Confirm compromised' in the Risky Workload Identities UI or using riskyServicePrincipals API. To see which admin has confirmed this account compromised, check the account’s risk history (via UI or API). | |
| 53 | + |
| 54 | +## Identify risky workload identities |
| 55 | + |
| 56 | +Organizations can find workload identities that have been flagged for risk in one of two locations: |
| 57 | + |
| 58 | +1. Navigate to the [Azure portal](https://portal.azure.com). |
| 59 | +1. Browse to **Azure Active Directory** > **Security** > **Risky workload identities (preview)**. |
| 60 | +1. Or browse to **Azure Active Directory** > **Security** > **Risk detections**. |
| 61 | + 1. Select the **Workload identity detections** tab. |
| 62 | + |
| 63 | +:::image type="content" source="media/concept-workload-identity-risk/workload-identity-detections-in-risk-detections-report.png" alt-text="Screenshot showing risks detected against workload identities in the report." lightbox="media/concept-workload-identity-risk/workload-identity-detections-in-risk-detections-report.png"::: |
| 64 | + |
| 65 | +### Graph APIs |
| 66 | + |
| 67 | +You can also query risky workload identities [using the Microsoft Graph API](/graph/use-the-api). There are two new collections in the [Identity Protection APIs](/graph/api/resources/identityprotection-root?view=graph-rest-beta&preserve-view=true) |
| 68 | + |
| 69 | +- riskyServicePrincipals |
| 70 | +- servicePrincipalRiskDetections |
| 71 | + |
| 72 | +### Export risk data |
| 73 | + |
| 74 | +Organizations can export data by configurating [diagnostic settings in Azure AD](howto-export-risk-data.md) to send risk data to a Log Analytics workspace, archive it to a storage account, stream it to an event hub, or send it to a SIEM solution. |
| 75 | + |
| 76 | +## Investigate risky workload identities |
| 77 | + |
| 78 | +Identity Protection provides organizations with two reports they can use to investigate workload identity risk. These reports are the risky workload identities, and risk detections for workload identities. All reports allow for downloading of events in .CSV format for further analysis outside of the Azure portal. |
| 79 | + |
| 80 | +Some of the key questions to answer during your investigation include: |
| 81 | + |
| 82 | +- Do accounts show suspicious sign-in activity? |
| 83 | +- Have there been unauthorized changes to the credentials? |
| 84 | +- Have there been suspicious configuration changes to accounts? |
| 85 | +- Did the account acquire unauthorized application roles? |
| 86 | + |
| 87 | +The [Azure Active Directory security operations guide for Applications](../fundamentals/security-operations-applications.md) provides detailed guidance on the above investigation areas. |
| 88 | + |
| 89 | +Once you determine if the workload identity was compromised, dismiss the account’s risk or confirm the account as compromised in the Risky workload identities (preview) report. You can also select “Disable service principal” if you want to block the account from further sign-ins. |
| 90 | + |
| 91 | +:::image type="content" source="media/concept-workload-identity-risk/confirm-compromise-or-dismiss-risk.png" alt-text="Confirm workload identity compromise or dismiss the risk in the Azure portal." lightbox="media/concept-workload-identity-risk/confirm-compromise-or-dismiss-risk.png"::: |
| 92 | + |
| 93 | +## Remediate risky workload identities |
| 94 | + |
| 95 | +1. Inventory credentials assigned to the risky workload identity, whether for the service principal or application objects. |
| 96 | +1. Add a new credential. Microsoft recommends using x509 certificates. |
| 97 | +1. Remove the compromised credentials. If you believe the account is at risk, we recommend removing all existing credentials. |
| 98 | +1. Remediate any Azure KeyVault secrets that the Service Principal has access to by rotating them. |
| 99 | + |
| 100 | +The [Azure AD Toolkit](https://github.com/microsoft/AzureADToolkit) is a PowerShell module that can help you perform some of these actions. |
| 101 | + |
| 102 | +## Next steps |
| 103 | + |
| 104 | +- [Conditional Access for workload identities](../conditional-access/workload-identity.md) |
| 105 | +- [Microsoft Graph API](/graph/use-the-api) |
| 106 | +- [Azure AD audit logs](../reports-monitoring/concept-audit-logs.md) |
| 107 | +- [Azure AD sign-in logs](../reports-monitoring/concept-sign-ins.md) |
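Review bot: The "Remediate risky workload identities" steps cover only credentials and Key Vault secrets, while the investigation questions just above also ask "Have there been suspicious configuration changes to accounts?" and "Did the account acquire unauthorized application roles?"; the remediation list should close that loop with a step such as `1. Revert any unauthorized configuration changes and remove any application role assignments the account should not hold.` Wording fixes in the same file: `configurating` should be `configuring`; `learns the baselines sign-in behavior for workload identities in your tenant in between 2 and 60 days` should read `learns the baseline sign-in behavior for workload identities in your tenant over a period of 2 to 60 days`; `or using riskyServicePrincipals API` needs `the`; the sentence ending `Identity Protection APIs](...)` lacks a terminating period before the bulleted list; `Once you determine if the workload identity was compromised` should be `whether`; the "in one of two locations" list mixes a shared first step with two alternatives in one numbered sequence, so a single "Navigate to the Azure portal" step followed by two bullets for the two blades would be clearer; and `Azure KeyVault` is spelled `Azure Key Vault`.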