Non-human identities outnumber human users in IT environments, making them prime targets for attackers. This guide reveals the key strategies and tools to secure these critical identities, mitigate risks, and ensure compliance.
The rise of automation and cloud adoption has made non-human identities critical in IT ecosystems.
Yet, while organisations secure human users with multi-factor authentication (MFA) and password policies, non-human identities are often neglected.
This oversight leaves them vulnerable to weak credentials, outdated protocols, and privileged access, making them prime targets for attackers and a compliance risk.
In this article, we explore the risks and share advice on securing non-human identities as part of your overall identity and access management (IAM) strategy.
The growing risk of non-human identities
Non-human (workload) identities exist throughout IT environments, typically outnumbering human ones 10:1 [Microsoft].
Many organisations struggle to manage this growth, leading to risks like:
- Identity sprawl: Unmanaged identities become easy targets.
- Weak security: Basic credentials lack protections like MFA.
- Legacy protocols: Outdated systems, such as those using SMTP, create security gaps.
These risks are amplified by the elevated privileges often associated with non-human identities.
Compromised privileged accounts enable attackers to move laterally, leading to:
- Expanded attack surface: Unsecured accounts bypass human-focused controls.
- Compliance breaches: Regulations like CAF demand proper identity management, including non-human accounts.
- Operational disruption: Breached IoT devices or automated systems can cause outages or enable DDoS attacks.
Free Guide
The Complete Guide to Microsoft Entra [New for 2024]
The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.
Discover how you can:
- Cut costs by removing 50% management effort
- Elevate security – reduce breach chances by 45%
- Automate provisioning to ensure compliance
How to secure non-human identities
Understanding the risks is one thing. But what can we do to mitigate them?
In this section we offer some practical steps you can take by utilising the tools available within the Microsoft ecosystem.
1. Audit of machine authentication
Initial audit steps
Begin by auditing existing machine identities and authentication methods.
Microsoft Entra sign-in logs:
- Use these logs to identify service accounts and workload users. Ideally, service accounts are prefixed with something like ‘svc’, but this isn’t always the case, so filtering and pattern analysis are critical for identifying higher-risk accounts.
- Look for detailed records of authentication attempts to understand account activity and usage.
- Filter by legacy authentication or single-factor authentication to uncover vulnerable accounts.
- Detect unusual access patterns that may indicate security risks.
- Bear in mind that some apps and services may be stale or unused, and could be due for removal.
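The filters above, applied offline to sign-in records exported from Microsoft Entra, as an added example that is not part of the original article. Field names follow the Graph signIn resource; the sample records, the reference timestamp and the service-account naming pattern are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# clientAppUsed values that Entra sign-in logs report for legacy (basic) authentication
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Exchange Web Services",
    "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)", "Autodiscover",
    "Offline Address Book", "Other clients",
}
# Assumed naming convention for service accounts; adjust to your tenant's convention
SERVICE_ACCOUNT_PATTERN = re.compile(r"^(svc|sa|srv)[-_.]", re.IGNORECASE)

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_sign_ins(records, now, stale_days=90):
    """Sort exported sign-in records into the audit buckets described above."""
    findings = {"legacy_auth": set(), "single_factor": set(), "service_accounts": set()}
    last_seen = {}  # appDisplayName -> most recent sign-in
    for r in records:
        upn = r["userPrincipalName"].lower()
        when = parse_ts(r["createdDateTime"])
        app = r["appDisplayName"]
        last_seen[app] = max(last_seen.get(app, when), when)
        if r.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            findings["legacy_auth"].add(upn)
        if r.get("authenticationRequirement") == "singleFactorAuthentication":
            findings["single_factor"].add(upn)
        if SERVICE_ACCOUNT_PATTERN.match(upn):
            findings["service_accounts"].add(upn)
    # Apps with no sign-in in the last `stale_days` days are candidates for removal
    findings["stale_apps"] = {app for app, seen in last_seen.items()
                              if now - seen > timedelta(days=stale_days)}
    return findings

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_SIGN_INS = [  # constructed records using the Graph signIn field names
    {"userPrincipalName": "svc-backup@contoso.example", "appDisplayName": "Backup Agent",
     "clientAppUsed": "Authenticated SMTP", "createdDateTime": "2024-05-30T02:00:00Z",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Exchange Online",
     "clientAppUsed": "Browser", "createdDateTime": "2024-05-31T09:15:00Z",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Old Reporting Tool",
     "clientAppUsed": "Browser", "createdDateTime": "2024-01-10T11:00:00Z",
     "authenticationRequirement": "singleFactorAuthentication"},
]
```

Run `triage_sign_ins(SAMPLE_SIGN_INS, NOW)` to get one set per bucket; in practice the records come from a sign-in log export rather than the inline sample.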
Roles and Administrators in Microsoft Entra ID:
- Review privileged roles and the accounts assigned to them.
- Ensure that accounts in these roles comply with multi-factor authentication (MFA) requirements.
- Identify any privileged accounts that may disrupt services when MFA is enforced.
Discover unmanaged devices
Use Microsoft Defender for IoT to:
- Identify unmanaged devices on your network that may not be part of your current identity management framework.
- Gain visibility into all connected devices and their security status.
Service principal access reviews
Conduct access reviews to:
- Detect machine identities already running as service principals.
- Apply further controls, such as Conditional Access, to these accounts.
Microsoft Entra recommendations
- Remove unused applications: This recommendation appears if your tenant has applications that have not been used for more than 90 days.
- Remove unused credentials from apps: This recommendation appears if a credential has not been used for more than 30 days.
Please note that service principal access reviews and Entra recommendations require Workload ID Premium licensing, an important consideration when planning your approach.
Discover permissions across multi-cloud
As organisations increasingly operate in multi-cloud environments, it’s essential to ensure permissions are managed everywhere. With Microsoft Entra Permissions Management, you can:
- Audit and review what permissions are in use across Azure, AWS, and Google Cloud Platform.
- View the ‘Permission Creep Index’ for identities, highlighting overprivileged users (i.e. permissions used vs. permissions assigned).
Please note that Microsoft Entra Permissions Management requires additional licensing beyond your Entra or M365 E5 licences, and should be factored into your strategy planning.
2. Best practice management of non-human identities
Once you have identified the machine identities requiring protection, implement secure authentication and management practices.
Remove unused accounts
- Using insights from Entra recommendations and Entra Permissions Management, tidy up and remove any unused applications or services.
Identity management
Service principals:
- Service principals act as the local representation of a global application object within a tenant.
- They authenticate using either:
  - Client secrets (not recommended): functionally similar to passwords, so neither secure nor recommended.
  - Certificates (recommended): provide stronger security by eliminating reusable passwords.
Managed identities:
- A specialised type of service principal designed for Azure resources.
- Managed identities remove the need to manage credentials, enabling secure, automatic authentication to Microsoft Entra-protected resources.
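An added example, not from the article, that combines the credential guidance above with the ‘remove unused credentials’ recommendation from the audit section: it joins exported application objects with service principal sign-ins on the credential key ID and flags client secrets, expired credentials, and credentials not presented within the review window. Field names follow the Graph application and signIn resources; the sample data and reference time are constructed.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_app_credentials(apps, sp_sign_ins, now, unused_days=30):
    """Return (app, keyId, kind, issues) for every credential that needs attention."""
    # Last time each credential was presented, taken from service principal sign-ins
    last_used = {}
    for s in sp_sign_ins:
        key_id = s.get("servicePrincipalCredentialKeyId")
        if key_id:
            when = parse_ts(s["createdDateTime"])
            last_used[key_id] = max(last_used.get(key_id, when), when)
    findings = []
    for app in apps:
        creds = [(c, "secret") for c in app.get("passwordCredentials", [])]
        creds += [(c, "certificate") for c in app.get("keyCredentials", [])]
        for cred, kind in creds:
            issues = []
            if kind == "secret":  # reusable, password-like credential
                issues.append("client secret: move to a certificate or managed identity")
            if parse_ts(cred["endDateTime"]) < now:
                issues.append("expired")
            seen = last_used.get(cred["keyId"])
            if seen is None or now - seen > timedelta(days=unused_days):
                issues.append(f"not used in {unused_days} days: candidate for removal")
            if issues:
                findings.append((app["displayName"], cred["keyId"], kind, issues))
    return findings

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_APPS = [  # constructed application objects (Graph field names)
    {"displayName": "Invoice Sync",
     "passwordCredentials": [{"keyId": "secret-0001", "endDateTime": "2025-01-01T00:00:00Z"}],
     "keyCredentials": [{"keyId": "cert-0001", "endDateTime": "2025-06-01T00:00:00Z"}]},
    {"displayName": "HR Connector",
     "passwordCredentials": [{"keyId": "secret-0002", "endDateTime": "2024-03-01T00:00:00Z"}],
     "keyCredentials": []},
]
SAMPLE_SP_SIGN_INS = [  # constructed service principal sign-ins
    {"servicePrincipalName": "Invoice Sync", "servicePrincipalCredentialKeyId": "cert-0001",
     "createdDateTime": "2024-05-31T04:00:00Z"},
    {"servicePrincipalName": "Invoice Sync", "servicePrincipalCredentialKeyId": "secret-0001",
     "createdDateTime": "2024-02-01T04:00:00Z"},
]
```

A certificate that is valid and in recent use produces no finding, so the output is only the credentials to act on.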
Permission remediation
- Using Entra Permissions Management, roles can be ‘right-sized’ by creating new roles based on actual permissions used.
- It can also automatically remove permissions that have been unused for 90 days.
Conditional Access and advanced controls
Implement Conditional Access policies to:
- Define trusted locations.
- Leverage user and sign-in risk analysis using Microsoft Entra ID Protection.
- Please note: Workload ID Premium licensing (PUPM model above M365 E5) is needed for advanced Conditional Access controls.
Continuous monitoring
- Monitor Entra recommendations for any new alerts.
- Use Defender for Cloud Apps to alert on certain activities or sign-ins.
- Use Entra Permissions Management to alert on anomalous behaviour and permission assignment.
- Use Defender for IoT to continue to assess devices.
By using managed identities or service principals, the risks associated with leaked credentials or password spray attacks are significantly reduced. Security is further bolstered through the addition of Conditional Access.
3. Dealing with unsupported services (your plan B)
For services that cannot use managed identities or service principals, fallback strategies are required:
Traditional user accounts:
- Lock down accounts with Conditional Access policies, such as specific IP address restrictions.
- Monitor and alert on activity using tools like Defender for Cloud Apps, Microsoft Entra Permissions Management, or a SIEM like Microsoft Sentinel.
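An added example, not from the article, for the fallback above (and for the trusted-location Conditional Access controls in the previous section): a policy body, in the shape of the Graph conditionalAccessPolicy resource, that blocks a service-account group outside a trusted named location, alongside the monitoring rule a SIEM would run to flag sign-ins from outside those ranges. The group and named location IDs are placeholders, and the trusted ranges and sign-in records are constructed.

```python
import ipaddress

def block_outside_trusted_locations(group_id, named_location_id, report_only=True):
    """Policy body blocking members of a service-account group unless they sign in
    from the trusted named location. Shape follows Graph conditionalAccessPolicy."""
    return {
        "displayName": "Block service accounts outside trusted locations",
        # Start in report-only mode so accounts that would break are found before enforcing
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def sign_ins_outside_trusted(records, trusted_cidrs):
    """Monitoring rule: sign-ins whose source IP is outside every trusted range."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for r in records:
        addr = ipaddress.ip_address(r["ipAddress"])
        # Membership is False across IP versions, so mixed v4/v6 ranges are safe
        if not any(addr in net for net in networks):
            flagged.append((r["userPrincipalName"], r["ipAddress"]))
    return flagged

TRUSTED_CIDRS = ["203.0.113.0/24", "2001:db8::/32"]  # constructed egress ranges
SAMPLE_SIGN_INS = [  # constructed records; field names as in the Graph signIn resource
    {"userPrincipalName": "svc-erp@contoso.example", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "svc-erp@contoso.example", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "svc-sftp@contoso.example", "ipAddress": "2001:db8:1::5"},
]
```

The policy body is what you would submit to the Conditional Access API after creating the named location; the monitoring rule is useful while the policy is still in report-only mode.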
Encouraging modern authentication:
- Work with vendors to adopt updated authentication methods that support secure integrations.
- Ensure company IAM policies mandate that any new services meet these requirements.
Final thoughts
Identity management is often described as the bedrock of modern security strategies. Organisations therefore need to remember that this means ALL identities, not just the human ones.
Non-human identities play a large and vital role in modern IT systems, enabling automation and innovation. But without robust security measures they can become serious weak spots in your security posture.
That’s why we advocate our clients deploy a strategy of robust auditing through Microsoft Entra and Entra Permissions Management, secure identity management, and the leveraging of advanced tools like Conditional Access and ID Protection.
Of course, we appreciate that busy IT teams are all too often overworked and under-resourced. Or maybe unsure of exactly where and how to get started.
That’s what we’re here to help with. So please do get in touch and find out how we can help ensure your human and non-human identities are working securely and productively.
Key takeaways
- Non-human identities outnumber human users, making them key targets for attackers and compliance risks.
- Automation and cloud adoption heighten the need to secure neglected non-human identities.
- Unsecured non-human identities face weak credentials, outdated protocols, and identity sprawl.
- Compromised privileged identities enable lateral attacks, compliance breaches, and disruptions.
- Start securing non-human identities with audits using tools like Microsoft Entra and Defender for IoT.
- Use certificates or managed identities, and enforce Conditional Access for better security.
- Fallback strategies for unsupported services include locking accounts and monitoring activity.
- Secure all identities with audits, management, and advanced tools for compliance and protection.