How to secure your non-human identities

Non-human identities outnumber human users 10:1 in most IT environments, yet they often fall short when it comes to robust security and protection.

While organisations focus on MFA and password policies for human users, non-human identities like service accounts, automation scripts, and IoT devices are frequently overlooked.

This leaves them vulnerable to attack, with risks including weak credentials, outdated protocols, and excessive privileges.

Source: Microsoft

A single breach could enable attackers to move laterally, bypass controls, and cause major disruption.

Acknowledging these risks is one thing. But what can we do to mitigate them?

In this guide, we’ll show you.

1. Audit of machine authentication

Begin by auditing existing machine identities and authentication methods.

Microsoft Entra sign-in logs:

  • Use these logs to identify service accounts and workload users.
  • Look for detailed records of authentication attempts to understand account activity and usage.
  • Filter by legacy authentication or single-factor authentication to uncover vulnerable accounts.
  • Detect unusual access patterns that may indicate security risks.
  • Bear in mind that some apps and services may be stale or unused, and could be due for removal.

Roles and Administrators in Microsoft Entra ID:

  • Review privileged roles and the accounts assigned to them.
  • Ensure that accounts in these roles comply with multi-factor authentication (MFA) requirements.
  • Identify any privileged accounts that may disrupt services when MFA is enforced.

Discover unmanaged devices – Use Microsoft Defender for IoT to:

  • Identify unmanaged devices on your network that may not be part of your current identity management framework.
  • Gain visibility into all connected devices and their security status.

Service principal access reviews

Conduct access reviews to:

  • Detect machine identities already running as service principals.
  • Apply further controls, such as Conditional Access, to these accounts.

Microsoft Entra recommendations

  • Remove unused applications: This will show up if your tenant has applications not used for more than 90 days.
  • Remove unused credentials from apps: This will be highlighted if a credential has not been used for more than 30 days.

Please note that service principal access reviews and Entra recommendations require Workload ID Premium licensing, an important consideration when planning your approach.
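One way to run the sign-in log triage and the 90-day stale-application check described above over an exported sign-in log, as an added example that is not code from Kocho or from Microsoft. It assumes the exported records carry the Microsoft Graph signIn field names (createdDateTime, appDisplayName, signInEventTypes, clientAppUsed, authenticationRequirement, ipAddress); the four sample records, the trusted IP range and the legacy-client list are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not real tenant data). Field names follow the
# Microsoft Graph signIn resource as this example assumes them; verify against your own export.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "appDisplayName": "PayrollExport",
     "signInEventTypes": ["servicePrincipal"], "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2024-05-02T09:15:00Z", "appDisplayName": "BuildAgent",
     "signInEventTypes": ["managedIdentity"], "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "10.0.4.12"},
    {"createdDateTime": "2024-01-10T03:00:00Z", "appDisplayName": "LegacyReporting",
     "signInEventTypes": ["servicePrincipal"], "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "198.51.100.9"},
    {"createdDateTime": "2024-05-02T10:00:00Z", "appDisplayName": "Office 365",
     "signInEventTypes": ["interactiveUser"], "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "ipAddress": "10.0.4.20"},
]

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)   # fixed clock so the output is reproducible
STALE_AFTER = timedelta(days=90)                  # the "unused application" window the guide cites
LEGACY_CLIENTS = {"Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "Authenticated SMTP"}
NON_HUMAN = {"servicePrincipal", "managedIdentity"}

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_signins(records, now=NOW, trusted_cidrs=("10.0.0.0/8",)):
    """Triage workload sign-ins: legacy protocols, single-factor SPs, untrusted source IPs, stale apps."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = {k: set() for k in ("non_human_apps", "legacy_auth", "single_factor", "outside_trusted")}
    last_seen = {}
    for r in records:
        kinds = set(r["signInEventTypes"])
        if not kinds & NON_HUMAN:
            continue                                  # human sign-ins are out of scope here
        app, seen = r["appDisplayName"], parse_ts(r["createdDateTime"])
        findings["non_human_apps"].add(app)
        last_seen[app] = max(last_seen.get(app, seen), seen)
        if r["clientAppUsed"] in LEGACY_CLIENTS:
            findings["legacy_auth"].add(app)
        # Managed identities have no secret to leak, so single-factor is only a finding for SPs.
        if "servicePrincipal" in kinds and r["authenticationRequirement"] == "singleFactorAuthentication":
            findings["single_factor"].add(app)
        if not any(ipaddress.ip_address(r["ipAddress"]) in net for net in trusted):
            findings["outside_trusted"].add(app)
    findings["stale"] = {app for app, seen in last_seen.items() if now - seen > STALE_AFTER}
    return findings
```

Calling `audit_signins(SAMPLE_SIGNINS)` flags LegacyReporting on every check (legacy protocol, single factor, untrusted IP, not seen for over 90 days), PayrollExport on single factor and untrusted IP, and nothing for the managed identity.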

Discover permissions across multi-cloud

As organisations increasingly operate in multi-cloud environments, it’s essential to ensure permissions are managed everywhere. With Microsoft Entra Permissions Management, you can:

  • Audit and review what permissions are in use across Azure, AWS, and Google Cloud Platform.
  • View the ‘Permission Creep Index’ for identities, highlighting overprivileged users (i.e. permissions used vs. assigned).

Please note that Microsoft Entra Permissions Management requires additional licensing beyond your Entra or M365 E5 licences, and should be factored into your strategy planning.


2. Best practice management of non-human identities

Once you have identified the machine identities requiring protection, implement secure authentication and management practices.

Remove unused accounts

  • Using insights from Entra recommendations and Entra Permissions Management, tidy up and remove any unused applications or services.

Identity management

Service principals act as the local representation of a global application object within a tenant.

Authenticate using either:

  • Client secrets (not recommended): Functionally similar to passwords, so neither secure nor recommended.
  • Certificates (recommended): These provide stronger security by eliminating reusable passwords.

Managed identities:

  • A specialised type of service principal designed for Azure resources.
  • Managed identities remove the need to manage credentials, enabling secure, automatic authentication to Microsoft Entra-protected resources.

Permission remediation

  • Using Entra Permissions Management, roles can be ‘right-sized’ by creating new roles based on actual permissions used.
  • Permissions unused for 90 days can be removed automatically.
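An added illustration of right-sizing a role from used-versus-assigned permissions (the comparison behind the Permission Creep Index in section 1 and the 90-day remediation above); this is not code from Kocho or from Entra Permissions Management, and the unused-share score is a simplified stand-in, not Microsoft's actual PCI formula. The Azure RBAC action strings are real action names; the usage dates, the sensitive-action list and the subscription scope are constructed.

```python
from datetime import datetime, timedelta, timezone

def ts(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)

NOW = ts(2024, 5, 3)                 # fixed clock so the result is reproducible
UNUSED_AFTER = timedelta(days=90)    # the 90-day threshold the guide cites

# Constructed sample (not real tenant data): Azure RBAC actions assigned to one
# workload identity, mapped to when each was last exercised (None = never used).
ASSIGNED_ACTIONS = {
    "Microsoft.Storage/storageAccounts/read": ts(2024, 5, 1),
    "Microsoft.Storage/storageAccounts/listKeys/action": ts(2024, 4, 28),
    "Microsoft.Storage/storageAccounts/delete": None,
    "Microsoft.Compute/virtualMachines/read": ts(2024, 5, 2),
    "Microsoft.Compute/virtualMachines/start/action": ts(2023, 12, 20),
    "Microsoft.Authorization/roleAssignments/write": ts(2024, 4, 20),
}

# High-impact actions that deserve a human decision even when recently used (assumed list).
SENSITIVE = {"Microsoft.Authorization/roleAssignments/write", "Microsoft.Storage/storageAccounts/delete"}

def split_usage(assigned, now=NOW, unused_after=UNUSED_AFTER):
    """Return (used, unused) action sets relative to the unused threshold."""
    used = {a for a, last in assigned.items() if last is not None and now - last <= unused_after}
    return used, set(assigned) - used

def creep_ratio(assigned, now=NOW):
    """Share of assigned actions that are unused: a simplified creep measure, not Microsoft's PCI."""
    _, unused = split_usage(assigned, now)
    return round(len(unused) / len(assigned), 2) if assigned else 0.0

def right_sized_role(name, assigned, scope, now=NOW):
    """Build an Azure custom role definition (the JSON shape 'az role definition create' accepts)
    that keeps only the actions exercised within the threshold."""
    used, unused = split_usage(assigned, now)
    role = {
        "Name": name,
        "IsCustom": True,
        "Description": f"Right-sized from observed usage; {len(unused)} unused action(s) dropped",
        "Actions": sorted(used),
        "NotActions": [],
        "AssignableScopes": [scope],
    }
    review = sorted(used & SENSITIVE)   # still in use, but flag for an explicit owner decision
    return role, sorted(unused), review

if __name__ == "__main__":
    role, removed, review = right_sized_role("etl-pipeline-rightsized", ASSIGNED_ACTIONS,
                                             "/subscriptions/<subscription-id-placeholder>")
    print(role, "\nremoved:", removed, "\nreview:", review, "\ncreep:", creep_ratio(ASSIGNED_ACTIONS))
```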

Conditional Access and advanced controls

Implement Conditional Access policies to:

  • Define trusted locations.
  • Leverage user and sign-in risk analysis using Microsoft Entra ID Protection.
  • Please note: Workload ID Premium licensing (PUPM model above M365 E5) is needed for advanced Conditional Access controls.

Continuous monitoring

  • Monitor Entra recommendations for any new alerts.
  • Use Defender for Cloud Apps to alert on certain activities or sign-ins.
  • Use Entra Permissions Management to alert on anomalous behaviour and permission assignment.
  • Use Defender for IoT to continue to assess devices.

By using managed identities or service principals, the risks associated with leaked credentials or password spray attacks are significantly reduced. Security is further bolstered through the addition of Conditional Access.


3. Dealing with unsupported services (your plan B)

For services that cannot use managed identities or service principals, fallback strategies are required:

Traditional user accounts:

  • Lock down accounts with Conditional Access policies, such as specific IP address restrictions.
  • Monitor and alert on activity using tools like Defender for Cloud Apps, Microsoft Entra Permissions Management, or a SIEM like Microsoft Sentinel.


Encouraging modern authentication:

  • Work with vendors to adopt updated authentication methods that support secure integrations.
  • Ensure company IAM policies mandate that any new services meet these requirements.


Final thoughts

Identity management is often described as the bedrock of modern security strategies. Organisations therefore need to remember that this means ALL identities, not just the human ones.

Non-human identities play a large and vital role in modern IT systems, enabling automation and innovation. But without robust security measures they can become serious weak spots in your security posture.

That’s why we advise our clients to deploy a strategy of robust auditing through Microsoft Entra and Entra Permissions Management, secure identity management, and the use of advanced tools like Conditional Access and ID Protection.

Of course, we appreciate that busy IT teams are all too often overworked and under-resourced. Or maybe unsure of exactly where and how to get started.

That’s why we’re here to help. So please do get in touch and find out how we can help ensure your human and non-human identities are working securely and productively.
