As cloud computing becomes more integrated into our daily operations, the importance of securing identities in Azure can’t be overstated. Gone are the days when a strong firewall was enough to protect our networks. With cloud-native services now accessed over the internet, the key to security lies in safeguarding identities and access credentials.

Why should you care about Identities

If you’ve been in a cybersecurity conversation lately, you’ve probably heard someone say, “Identity is the new perimeter.” But what does that mean? In the past, securing the network itself was the focus. Once inside the network, users had access to most, if not all, of the resources. It’s like unlocking the front door of your house—once you’re in, you can roam freely.

Today, with cloud services, this model doesn’t work anymore. Most cloud applications are accessed via the internet, and the only thing standing between an attacker and your data is the strength of your identity security.

The stakes are high. According to the 2024 Microsoft Digital Defense Report, over 600 million identity attacks per day occurred on Microsoft Entra alone. That’s just one platform. More than 99% of these attacks were password-based. They include methods like:

  • Password spraying (using common passwords across multiple accounts) 
  • Breach replay attacks (using credentials stolen from other breaches) 
  • Phishing campaigns (tricking users into giving up their credentials) 

Even Multi-Factor Authentication (MFA), while highly effective, isn’t foolproof. Adversary-in-the-Middle (AiTM) phishing, where the attacker proxies the real sign-in page and captures the session token after the user has completed MFA, surged by 146% in just the past year.
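Password spraying has a recognisable shape in the sign-in log: one source address, many different accounts, one or two attempts each, all failing with the same "invalid username or password" result. The detection below is an added example, not code from the original post. It runs over a constructed sample shaped like a trimmed Entra ID sign-in export (createdDateTime, userPrincipalName, ipAddress, status.errorCode); the window and thresholds are assumptions to tune per tenant.

```python
"""Password-spray detection over Entra ID sign-in log records (added example).

The sample records are constructed; field names follow the Entra ID
sign-in log (Graph auditLogs/signIns). Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0               # sign-in completed (interrupted sign-ins carry other codes)


def _rec(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: one source sprays five accounts once each inside a few
# minutes and then lands on a sixth; a second source is a single user
# fat-fingering a password three times before getting in.
SAMPLE_SIGNINS = [
    _rec("2024-10-01T08:00:03Z", "alice@contoso.example", "203.0.113.7", INVALID_PASSWORD),
    _rec("2024-10-01T08:00:41Z", "bob@contoso.example",   "203.0.113.7", INVALID_PASSWORD),
    _rec("2024-10-01T08:01:15Z", "carol@contoso.example", "203.0.113.7", INVALID_PASSWORD),
    _rec("2024-10-01T08:02:02Z", "dave@contoso.example",  "203.0.113.7", INVALID_PASSWORD),
    _rec("2024-10-01T08:02:50Z", "erin@contoso.example",  "203.0.113.7", INVALID_PASSWORD),
    _rec("2024-10-01T08:03:33Z", "frank@contoso.example", "203.0.113.7", SUCCESS),
    _rec("2024-10-01T08:10:00Z", "grace@contoso.example", "198.51.100.9", INVALID_PASSWORD),
    _rec("2024-10-01T08:10:20Z", "grace@contoso.example", "198.51.100.9", INVALID_PASSWORD),
    _rec("2024-10-01T08:10:45Z", "grace@contoso.example", "198.51.100.9", INVALID_PASSWORD),
    _rec("2024-10-01T08:11:05Z", "grace@contoso.example", "198.51.100.9", SUCCESS),
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_users=5, max_attempts_per_user=2):
    """Flag source IPs whose failed sign-ins look like a spray: at least
    `min_users` distinct accounts, no account tried more than
    `max_attempts_per_user` times, all inside a sliding `window`.

    Returns {ip: {"users": accounts sprayed, "successes": accounts that
    completed a sign-in from the same source after the spray began}}.
    """
    failures_by_ip = defaultdict(list)
    successes_by_ip = defaultdict(list)
    for rec in sorted(records, key=_ts):
        code = rec["status"]["errorCode"]
        if code == INVALID_PASSWORD:
            failures_by_ip[rec["ipAddress"]].append(rec)
        elif code == SUCCESS:
            successes_by_ip[rec["ipAddress"]].append(rec)

    findings = {}
    for ip, fails in failures_by_ip.items():
        for i in range(len(fails)):
            start = _ts(fails[i])
            attempts = defaultdict(int)
            for rec in fails[i:]:
                if _ts(rec) - start > window:
                    break
                attempts[rec["userPrincipalName"]] += 1
            if (len(attempts) >= min_users
                    and max(attempts.values()) <= max_attempts_per_user):
                # A completed sign-in from the spraying source is the account
                # whose password was guessed; triage that one first.
                hits = {r["userPrincipalName"] for r in successes_by_ip[ip]
                        if _ts(r) >= start}
                findings[ip] = {"users": set(attempts), "successes": hits}
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, "sprayed", len(f["users"]), "accounts; got in as", sorted(f["successes"]))
```

The per-user cap is what separates a spray from a brute force or a forgetful user: grace's three failures from 198.51.100.9 are one account and never trip the rule, while 203.0.113.7 touches five accounts once each and is flagged, with frank's later success from that source surfaced as the account to reset first. A success here only means the password was accepted; whether MFA then stopped the session is a separate question the full log answers.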

Types of Identity in Azure

Since identity is what you are securing, you should be familiar with the different types of identities in Azure. The good thing about the variety is that one size never fits all, so there is a fitting identity type for most use cases. The bad thing is that choosing poorly can compromise the security of a service.

Here is the list. We’ll focus just on user and service principal identities in this post:

  • User Identity
    • Member users – Created and managed within the Entra ID tenant, or created in on-premises Active Directory and synced to the cloud with Microsoft Entra Connect (formerly Azure AD Connect).
    • Guest users – External users invited via Entra ID B2B (business-to-business) collaboration to access specific resources.
    • Consumer users – Managed through Azure AD B2C (now under Microsoft Entra External ID) for applications that authenticate customers.
  • Service principals 
    • Application based – App registrations in Entra ID. The service principal is the tenant-local object the application signs in as, using a client secret, certificate or federated credential.
    • Managed identities
      • User assigned – Created independently of resources and can be assigned to multiple resources.
      • System assigned – Automatically created and managed by Azure for a specific resource. When the resource is deleted, the identity is removed. 
  • Other 
    • Device Identity – Entra ID registered, Entra ID joined and hybrid joined devices
    • External identities – Identities federated from another identity provider
    • Group identities – Entra ID security groups and Microsoft 365 groups
    • Role based identities – Azure RBAC roles and Entra ID directory roles
    • Temporary identities – Temporary Access Pass (TAP), a time-limited passcode typically used to onboard passwordless methods 

As you can see, there are many different types of identities used in Azure. One might argue that a group, for example, is not an identity, but since membership in a group grants access, I’d argue that it is an identity to be guarded just as a normal account should be.

Quick tips to secure Identities

Securing identities doesn’t have to be overwhelming: a lot of small things improve security by a mile. I’ll split the tips between normal users and service principals/managed identities, since they play different roles. Here are some practical steps that have worked well:

Users:

  • Enable Multi-Factor Authentication (MFA): If you do one thing, do this. A correct password alone no longer yields a session, which stops password spraying and breach replay in their tracks.
  • Require phishing-resistant MFA for privileged roles: Accounts that hold Entra ID or Azure roles should be limited to FIDO2 security keys, passkeys, Windows Hello for Business or certificate-based authentication, which an AiTM proxy cannot relay. Enforce this with a Conditional Access authentication strength rather than the generic MFA control.
  • Explore Passwordless Authentication: Windows Hello for Business or FIDO2 security keys are becoming easier to roll out and provide both security and convenience.
  • Use Conditional Access Policies: These let you set rules around when, where and from what users can sign in. For example, you can block sign-ins from non-compliant devices or untrusted locations, and require stronger authentication for risky sign-ins.
  • Monitor and Review Regularly: Review guest accounts, privileged role assignments and app consents to ensure everything aligns with the principle of least privilege.
  • Leverage Entra ID Protection: Use Microsoft Entra ID Protection (formerly Azure AD Identity Protection) to detect and respond to identity threats before they escalate, feeding its user-risk and sign-in-risk signals into Conditional Access.
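The two Conditional Access tips above (phishing-resistant MFA for role holders, and Conditional Access as the enforcement point) come down to one policy object. The following is an added example, not from the original post: it builds the Microsoft Graph request body for such a policy and lints existing policies for the weak pattern, a policy that scopes privileged roles but only requires the generic "mfa" control. The authentication strength and role template IDs are Microsoft's fixed built-in values; the break-glass account ID passed in is a placeholder.

```python
"""Conditional Access: phishing-resistant MFA for privileged roles (added example).

Builds the body for POST /identity/conditionalAccess/policies and checks
existing policies for the weak pattern. Sample policies are constructed.
"""
import json
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Built-in authentication strength "Phishing-resistant MFA" (fixed ID).
PHISHING_RESISTANT_MFA_STRENGTH = "00000000-0000-0000-0000-000000000004"

# Entra directory role template IDs (fixed across tenants); extend as needed.
PRIVILEGED_ROLE_TEMPLATES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
}


def build_privileged_role_policy(break_glass_user_ids, report_only=True):
    """Policy body: anyone holding a listed role must satisfy the
    phishing-resistant strength for every application. Starts in
    report-only so the sign-in log shows the impact before enforcement.
    Break-glass accounts are excluded so a lost key cannot lock the tenant."""
    return {
        "displayName": "Require phishing-resistant MFA for privileged roles",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeRoles": sorted(PRIVILEGED_ROLE_TEMPLATES.values()),
                "excludeUsers": list(break_glass_user_ids),
            },
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            # authenticationStrength replaces the legacy "mfa" built-in
            # control; the two are not combined in one policy.
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH},
        },
    }


def find_weak_privileged_policies(policies):
    """Names of policies that target a privileged role but only ask for the
    generic 'mfa' control (satisfied by SMS or a push prompt an AiTM proxy
    can relay) instead of an authentication strength. Policies scoped to
    'All users' also cover admins but are not role-scoped, so they are not
    reported here; review those separately."""
    privileged = set(PRIVILEGED_ROLE_TEMPLATES.values())
    weak = []
    for policy in policies:
        roles = set(policy.get("conditions", {}).get("users", {}).get("includeRoles", []))
        grant = policy.get("grantControls") or {}
        if (roles & privileged
                and "mfa" in grant.get("builtInControls", [])
                and not grant.get("authenticationStrength")):
            weak.append(policy["displayName"])
    return weak


def create_policy(access_token, body):
    """Create the policy via Graph. Needs the Policy.ReadWrite.ConditionalAccess
    scope (see the Graph reference for the full permission list). Not called
    at import time; supply a token from your usual auth flow."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of what GET .../conditionalAccess/policies might return.
EXISTING_POLICIES = [
    {"displayName": "Admins: require MFA",
     "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Everyone: require MFA",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print("weak:", find_weak_privileged_policies(EXISTING_POLICIES))
    print(json.dumps(build_privileged_role_policy(["<break-glass-object-id>"]), indent=2))
```

Roll it out in report-only first and read the sign-in log for admins who would have been blocked; most of them are the ones still registered only for SMS or the Authenticator push prompt, which is exactly the population the policy is meant to move.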

Workload identities:

  • Adopt Managed Identities: For apps and services running in Azure, use managed identities instead of embedding client secrets in code or configuration. Azure issues and rotates the credential, so there is nothing to leak or to expire unnoticed.
  • Apply the principle of least privilege: During development the workload identity often gets a “strong” role (Contributor or Owner on the subscription, or a broad Graph permission) just to make development easier and faster. Reduce those roles to what the workload actually calls before going to production.
  • Do not assign owners to App Registrations: Say a normal user with no roles is the owner of an app that has been granted ‘Directory.ReadWrite.All’. That app is a privilege escalation path for the user: as owner, the user can add a client secret or certificate to the app, authenticate as its service principal and use the app’s permission to write to the directory, none of which the user was granted directly. This tip ties closely with the one above.
  • Monitor and Review Regularly: Review service principal credentials (expiry, unused secrets), granted API permissions and Azure role assignments to ensure everything aligns with the principle of least privilege.
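The owner escalation path in the third tip, and the over-privileged permissions it depends on, are straightforward to hunt for once you have the app inventory. The following audit is an added example, not code from the original post. Its input is constructed to mirror what you would collect from Microsoft Graph (GET /applications?$expand=owners for owners, GET /servicePrincipals/{id}/appRoleAssignments resolved to permission names via the Graph service principal's appRoles, and the members of the privileged directory roles); the list of "high-privilege" permissions is an assumption to extend for your threat model.

```python
"""Audit app-registration owners for privilege-escalation paths (added example).

Input is constructed; in a real run build it from Microsoft Graph as
described in the lead-in. HIGH_PRIVILEGE_APP_ROLES is an assumption.
"""

# Graph application permissions that let the holder change the directory
# or hand out more permissions; owning an app that has them is effectively
# holding them.
HIGH_PRIVILEGE_APP_ROLES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
}

# Constructed inventory: owners as UPNs, granted app roles as permission names.
SAMPLE_APPS = [
    {"displayName": "hr-sync",
     "owners": ["bob@contoso.example"],
     "grantedAppRoles": ["User.Read.All", "Directory.ReadWrite.All"]},
    {"displayName": "reporting",
     "owners": ["carol@contoso.example"],
     "grantedAppRoles": ["User.Read.All"]},
    {"displayName": "idp-automation",
     "owners": ["alice.admin@contoso.example"],
     "grantedAppRoles": ["RoleManagement.ReadWrite.Directory"]},
    {"displayName": "ci-deployer",
     "owners": [],
     "grantedAppRoles": ["Application.ReadWrite.All"]},
]

# Constructed: members of Global Administrator / Privileged Role Administrator.
PRIVILEGED_ADMINS = {"alice.admin@contoso.example"}


def audit_app_owners(apps, privileged_admins, high_privilege=HIGH_PRIVILEGE_APP_ROLES):
    """One finding per (app, owner) where the app holds a high-privilege app role.

    Severity is 'high' when the owner holds no privileged directory role: that
    owner can call POST /applications/{id}/addPassword, obtain a token for the
    service principal with the client-credentials flow, and exercise the app's
    permissions. An admin owner gains nothing new, so it is 'medium', but the
    tip above still applies: the app should have no owners at all.
    """
    findings = []
    for app in apps:
        dangerous = sorted(set(app["grantedAppRoles"]) & high_privilege)
        if not dangerous:
            continue
        for owner in app["owners"]:
            findings.append({
                "app": app["displayName"],
                "owner": owner,
                "permissions": dangerous,
                "severity": "medium" if owner in privileged_admins else "high",
            })
    return findings


def over_privileged_apps(apps, high_privilege=HIGH_PRIVILEGE_APP_ROLES):
    """Apps to revisit under least privilege: every app holding any
    high-privilege app role, owners or not (ci-deployer in the sample)."""
    return sorted(a["displayName"] for a in apps
                  if set(a["grantedAppRoles"]) & high_privilege)


if __name__ == "__main__":
    for f in audit_app_owners(SAMPLE_APPS, PRIVILEGED_ADMINS):
        print(f["severity"].upper(), f["app"], "owner", f["owner"], "->", f["permissions"])
    print("review for least privilege:", over_privileged_apps(SAMPLE_APPS))
```

Remediation for a high finding is to remove the owner (DELETE /applications/{id}/owners/{ownerId}/$ref) and, if the permission is not actually needed, revoke the app role assignment; the second function gives you the least-privilege review list independent of ownership.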

Conclusion

Securing Azure identities isn’t just a technical task—it’s a mindset shift. As attackers get smarter and more relentless, we need to treat identities as the foundation of our security strategy. It’s not just about protecting the data but ensuring our teams can work securely and confidently in the cloud. We provide assessments so you can get a clear picture of your environment’s current situation, and consultation on top of that to gain control of the processes related to identities and a lot more!

Identity is the new perimeter, and securing it is our best chance to stay ahead of the curve. With Microsoft’s robust tools and a clear strategy, we can do just that.

Check my post about securing PaaS resources: Securing Azure PaaS Resources With Network Security Perimeter
