As you may already know, Azure AD comes with the Identity Protection feature, which helps you identify risky sign-ins and/or risky users; even if you don’t have Azure AD P2, which is required to configure the Identity Protection policies, the risk reports are still available to you.
Well, until now, Identity Protection was covering only user sign-in activities.
Good news: Identity Protection has been extended to also cover workload identities – aka service principals, aka Azure AD applications.
You can start using this new reporting capability by logging on to your Azure AD portal (https://aad.portal.azure.com/) and opening the Azure Active Directory\Security\Risky workload identities blade.
The following risks are being detected by Identity Protection for workloads:
| Detection | Detection type | Description |
| --- | --- | --- |
| Azure AD threat intelligence | Offline | This risk detection indicates some activity that is consistent with known attack patterns based on Microsoft’s internal and external threat intelligence sources. |
| Suspicious Sign-ins | Offline | This risk detection indicates sign-in properties or patterns that are unusual for this service principal. |
| Unusual addition of credentials to an OAuth app | Offline | This detection is discovered by Microsoft Defender for Cloud Apps. It identifies the suspicious addition of privileged credentials to an OAuth app, which can indicate that an attacker has compromised the app and is using it for malicious activity. |
| Admin confirmed account compromised | Offline | This detection indicates an admin has selected ‘Confirm compromised’ in the Risky Workload Identities UI or via the riskyServicePrincipals API. To see which admin confirmed this account as compromised, check the account’s risk history (via UI or API). |
According to the documentation, this seems to require an Azure AD P2 license.
You can also now use the risk status from Identity Protection for workloads in Conditional Access, by selecting Workload identities when assigning the Conditional Access rule.
When you select Workload identities for the assignment, you can include either All owned service principals or selected ones.
NOTE: when choosing “Selected service principals”, the search list does not show all the service principals; you will have to search for the one(s) you want to include.
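The two pieces above (the riskyServicePrincipals API mentioned in the detection table, and the Conditional Access assignment for workload identities) are easy to combine into a small triage script. The following is an added example and not code from the original post: it reads a Microsoft Graph `identityProtection/riskyServicePrincipals` response, keeps only the service principals that are still at risk at or above a chosen level, and drafts a Conditional Access policy body (the `identity/conditionalAccess/policies` resource) that blocks those principals when their risk is medium or high. The response payload is constructed for the example; the live `fetch_risky_service_principals` call, the `ServicePrincipalsInMyTenant` value for “All owned service principals”, and the default report-only state are assumptions you should check against your tenant and the current Graph documentation.

```python
"""Triage risky workload identities and draft a blocking Conditional Access policy.

Added example, not code from the original post. The Graph paths are the
identityProtection/riskyServicePrincipals and identity/conditionalAccess/policies
resources; SAMPLE_RESPONSE is constructed and contains no real tenant data.
"""
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"          # assumed: beta endpoint at the time of writing
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ALL_OWNED = "ServicePrincipalsInMyTenant"           # assumed value for "All owned service principals"

# Constructed sample of GET {GRAPH}/identityProtection/riskyServicePrincipals.
SAMPLE_RESPONSE = {
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111", "displayName": "billing-sync",
         "riskLevel": "high", "riskState": "atRisk", "riskDetail": "none",
         "riskLastUpdatedDateTime": "2022-03-01T10:00:00Z", "isEnabled": True},
        {"id": "22222222-2222-2222-2222-222222222222", "displayName": "hr-connector",
         "riskLevel": "medium", "riskState": "atRisk", "riskDetail": "none",
         "riskLastUpdatedDateTime": "2022-03-02T08:30:00Z", "isEnabled": True},
        {"id": "33333333-3333-3333-3333-333333333333", "displayName": "old-reporting",
         "riskLevel": "high", "riskState": "confirmedCompromised",
         "riskDetail": "adminConfirmedServicePrincipalCompromised",
         "riskLastUpdatedDateTime": "2022-02-20T12:00:00Z", "isEnabled": False},
        {"id": "44444444-4444-4444-4444-444444444444", "displayName": "ci-deployer",
         "riskLevel": "low", "riskState": "remediated", "riskDetail": "none",
         "riskLastUpdatedDateTime": "2022-01-15T09:00:00Z", "isEnabled": True},
    ]
}


def fetch_risky_service_principals(access_token):
    """Live call (not exercised offline); the token needs IdentityRiskyServicePrincipal.Read.All."""
    req = urllib.request.Request(
        f"{GRAPH}/identityProtection/riskyServicePrincipals",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def triage(payload, min_level="medium"):
    """Return service principals still 'atRisk' at or above min_level.

    Already confirmed, dismissed or remediated entries are skipped; the result is
    ordered highest risk first and, within a level, most recently updated first.
    """
    threshold = RISK_ORDER[min_level]
    open_items = [
        sp for sp in payload.get("value", [])
        if sp.get("riskState") == "atRisk"
        and RISK_ORDER.get(sp.get("riskLevel"), 0) >= threshold
    ]
    open_items.sort(
        key=lambda sp: (RISK_ORDER[sp["riskLevel"]], sp.get("riskLastUpdatedDateTime", "")),
        reverse=True,
    )
    return open_items


def build_block_policy(service_principal_ids, risk_levels=("medium", "high"), enforce=False):
    """Draft the body for POST {GRAPH}/identity/conditionalAccess/policies.

    Blocks the listed principals (object IDs, or ALL_OWNED) when their risk is one of
    risk_levels. Defaults to report-only so the policy can be observed before enforcing.
    """
    bad = [i for i in service_principal_ids if i != ALL_OWNED and not GUID_RE.match(i)]
    if bad:
        raise ValueError(f"not service principal object IDs: {bad}")
    for level in risk_levels:
        if level not in ("low", "medium", "high"):
            raise ValueError(f"unsupported risk level: {level}")
    return {
        "displayName": "Block risky workload identities",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientApplications": {
                "includeServicePrincipals": list(service_principal_ids),
                "excludeServicePrincipals": [],
            },
            "applications": {"includeApplications": ["All"]},  # assumed: required for workload identity policies
            "servicePrincipalRiskLevels": list(risk_levels),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    at_risk = triage(SAMPLE_RESPONSE)
    for sp in at_risk:
        print(f"{sp['riskLevel']:<7} {sp['riskLastUpdatedDateTime']}  {sp['displayName']}  {sp['id']}")
    print(json.dumps(build_block_policy([sp["id"] for sp in at_risk]), indent=2))
```

Because the portal search box does not list every service principal, working from object IDs returned by the API (as above) is a more reliable way to fill the “Selected service principals” assignment than searching by display name; review the drafted policy in report-only mode before switching `enforce=True`.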