Comparing Service Accounts in MS Entra ID

George Grammatikos Azure Solutions Architect
CERTIFIED EXPERT
Published:
Identity management is vital for organizations, and Microsoft Entra ID (formerly Azure Active Directory) is key for managing access to services and resources. Service Accounts, used by applications for authentication, enable automated tasks without manual intervention.
This post explains the types of service accounts in MS Entra ID, their differences, and best practices for using them.

What are Service Accounts?

Service accounts are non-interactive identities used by services and applications to authenticate to a directory, an API or another application, rather than by a person signing in.
In Microsoft Entra ID, identities used this way fall into three categories:
  • Managed identities (system-assigned or user-assigned)
  • Service principals (app registrations)
  • Entra ID user accounts (not recommended for this purpose)


Managed Identities

Managed identities are a feature of Microsoft Entra ID that lets Azure resources authenticate to services that accept Entra ID tokens, such as Azure Key Vault and Azure SQL, without any credential stored in code or configuration. The platform provisions and rotates the underlying credential; the workload only requests short-lived tokens from a local endpoint on the resource.
 
Two types of managed identity are available:
  • System-assigned managed identity: enabled on a specific Azure resource (such as a virtual machine, Logic App or App Service). It is created when you enable it on the resource and deleted when the resource is deleted, so it cannot outlive the resource or be reused elsewhere, which keeps the blast radius small and the lifecycle simple.
  • User-assigned managed identity: a standalone Azure resource that you create and manage yourself. Unlike a system-assigned identity, it can be attached to several Azure resources at once, so role assignments are made once and shared; the trade-off is that it has its own lifecycle and must be cleaned up explicitly.

System-assigned vs User-assigned managed identities

| Property                       | System-assigned managed identity                                        | User-assigned managed identity                                                                  |
| Creation                       | Created as part of an Azure resource (enabled on that resource).        | Created as its own Azure resource, independently of any consuming resource.                     |
| Lifecycle                      | Tied to the resource; deleted when the parent resource is deleted.      | Independent; survives deletion of the consuming resources and must be deleted explicitly.       |
| Sharing across Azure resources | Cannot be shared; bound to exactly one Azure resource.                  | Can be shared; may be attached to many Azure resources.                                         |
| Common use case                | A single Azure VM that needs access to an Azure Storage account.        | Several resources (Azure VM, Logic App, Data Factory) that all need the same access to an Azure Storage account. |

Key benefits of managed identities:

  • Automatic lifecycle management: the credential behind the identity is provisioned and rotated by Azure with no user intervention.
  • Enhanced security: no credentials need to be hardcoded, stored in configuration or checked into source control.
  • Credential-less access: there is nothing to store or rotate; the workload requests short-lived tokens from the Azure Instance Metadata Service endpoint on the host.
  • Seamless integration: managed identities can authenticate to any service that supports Microsoft Entra ID authentication, such as Key Vault, Storage, SQL and Microsoft Graph.

One caveat: any process on the host that can reach the local metadata endpoint can obtain the identity's tokens, so treat a compromised resource as a compromised identity, scope role assignments to the minimum the workload needs, and harden web workloads against server-side request forgery.
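The token request described above, as an added example that is not part of the original article: a small client that asks the Azure Instance Metadata Service (IMDS) for a managed-identity token the way a workload on an Azure VM does, selecting a user-assigned identity by client_id when one is needed, and caching the token until it is close to expiry. The IMDS endpoint, the api-version and the mandatory "Metadata: true" header are documented Azure behaviour; the SAMPLE_RESPONSE is constructed for offline use and carries a fake token.

```python
"""Managed-identity token request against the Azure IMDS endpoint.

Added example (not the article's code). The endpoint and header are real;
SAMPLE_RESPONSE is constructed and its access_token is not a real token.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_request(resource: str, client_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for an IMDS token request.

    A system-assigned identity needs only the target resource (the token
    audience). A user-assigned identity must be selected explicitly with
    client_id; otherwise IMDS answers 400 when several identities are attached.
    The 'Metadata: true' header is mandatory and IMDS also rejects requests
    carrying X-Forwarded-For, which blocks most proxy/SSRF paths to the token.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    return url, {"Metadata": "true"}


class ManagedIdentityToken:
    """Parsed IMDS response with a refresh check (margin is an assumption)."""

    def __init__(self, raw: dict, refresh_margin: int = 300):
        self.access_token = raw["access_token"]
        self.resource = raw["resource"]
        self.token_type = raw["token_type"]
        self.client_id = raw.get("client_id")
        self.expires_on = int(raw["expires_on"])   # Unix time, returned as a string
        self.refresh_margin = refresh_margin

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now >= self.expires_on - self.refresh_margin

    def authorization_header(self) -> Dict[str, str]:
        return {"Authorization": f"{self.token_type} {self.access_token}"}


def parse_token_response(body: str) -> ManagedIdentityToken:
    return ManagedIdentityToken(json.loads(body))


def fetch_token(resource: str, client_id: Optional[str] = None, timeout: float = 5.0) -> ManagedIdentityToken:
    """Live call: only works inside an Azure resource that has a managed identity."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample in the shape of a real IMDS answer (token is fake).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.fake.payload",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_in": "3599",
    "expires_on": "1700003599",
    "ext_expires_in": "3599",
    "not_before": "1699999999",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    url, hdrs = build_imds_request("https://vault.azure.net")
    print(url, hdrs)
    tok = parse_token_response(SAMPLE_RESPONSE)
    print(tok.needs_refresh(now=1700000000))   # False: about an hour left
    print(tok.needs_refresh(now=1700003400))   # True: inside the 5-minute margin
```

In production you would call fetch_token from inside the resource and re-use the token until needs_refresh() returns true; the resource parameter is the audience of the target service (Key Vault, Storage, Microsoft Graph), not the identity.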


App Registrations (Service Principals)

An application registration is the other main type of non-human identity in Microsoft Entra ID, typically used by custom or third-party applications that must authenticate to Entra ID in order to call Azure or Microsoft 365 APIs. Registering an application creates an application object (the global definition of the app) and, in the home tenant, a service principal, which is the application's identity in that directory and the object to which roles, API permissions and consent are attached. For a multi-tenant application, a service principal is created in each tenant that consents to it.

App registrations are used for:
  • Third-party app integrations: connecting external applications or SaaS services to the Microsoft 365 landscape.
  • Custom apps: internal applications that interact with Azure services or Microsoft Graph.
  • Multi-tenant applications: apps that authenticate users or workloads from multiple Microsoft Entra tenants.

App registrations support three credential types:
  • Client secret: a password-like string used to authenticate the application. It is the weakest option because it can be copied, leaked through logs or source control, and used from anywhere.
  • Certificate: the application proves possession of a private key by signing a client assertion; only the public key is registered in Entra ID, so the credential cannot be read back out of the directory.
  • Federated credential (workload identity federation): lets an external identity (such as one from AWS or Google Cloud), a GitHub Actions workflow or a Kubernetes workload exchange its own token for an Entra ID token, so no long-lived secret is stored on either side.


App Registrations vs. Managed Identities:

  • Security: managed identities require no stored or managed credentials (such as client secrets), whereas app registrations typically rely on credentials that must be protected, rotated and monitored for expiry.
  • Lifecycle management: managed identities are created and retired by Azure. App registrations are created manually and their lifecycle, including secret and certificate expiration dates, has to be tracked and maintained: an expired credential causes an outage, while a forgotten one is an attack surface.
  • Scope of use: managed identities are available only to Azure resources that support them (and to Azure Arc-enabled servers), while app registrations can be used by both internal (custom) and external (third-party) applications running anywhere.
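The credential types and the lifecycle burden described in the two lists above, as an added example that is not part of the original article: a credential-hygiene audit over app registrations, using the field names of the Microsoft Graph "application" resource (passwordCredentials, keyCredentials and the federatedIdentityCredentials relationship). The SAMPLE_APPS list is constructed for offline use; a real run would page through GET https://graph.microsoft.com/v1.0/applications with an identity that holds Application.Read.All. The thresholds, the trusted-issuer allowlist and the severity scheme are assumptions for this example.

```python
"""Credential-hygiene audit of Entra ID app registrations.

Added example (not the article's code). Graph field names are real;
SAMPLE_APPS, the thresholds and TRUSTED_ISSUERS are constructed/assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

TRUSTED_ISSUERS = {"https://token.actions.githubusercontent.com"}  # assumed allowlist
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"                   # standard Entra audience


@dataclass
class Finding:
    app: str
    severity: str   # "high", "medium" or "low"
    message: str


def _ts(value: str) -> datetime:
    """Graph returns ISO 8601 timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_app(app: dict, now: datetime, warn_days: int = 30,
              max_secret_days: int = 365) -> List[Finding]:
    name = app.get("displayName") or app["appId"]
    out: List[Finding] = []

    # Client secrets: every one is a finding; severity depends on lifetime and expiry.
    for s in app.get("passwordCredentials", []):
        start, end = _ts(s["startDateTime"]), _ts(s["endDateTime"])
        if end <= now:
            out.append(Finding(name, "low", f"expired client secret {s['keyId']} still attached; remove it"))
        elif end - start > timedelta(days=max_secret_days):
            out.append(Finding(name, "high", f"client secret {s['keyId']} lifetime {(end - start).days} days exceeds {max_secret_days}"))
        elif end - now <= timedelta(days=warn_days):
            out.append(Finding(name, "medium", f"client secret {s['keyId']} expires in {(end - now).days} days"))
        else:
            out.append(Finding(name, "medium", f"client secret {s['keyId']} in use; migrate to certificate or federated credential"))

    # Certificates: only the public key is stored, so track expiry (renewal is manual).
    for c in app.get("keyCredentials", []):
        end = _ts(c["endDateTime"])
        if end <= now:
            out.append(Finding(name, "low", f"expired certificate {c['keyId']} still attached; remove it"))
        elif end - now <= timedelta(days=warn_days):
            out.append(Finding(name, "medium", f"certificate {c['keyId']} expires in {(end - now).days} days"))

    # Federated credentials: nothing to leak, but issuer, audience and subject must be tight.
    for f in app.get("federatedIdentityCredentials", []):
        subject = f.get("subject", "")
        if f.get("issuer") not in TRUSTED_ISSUERS:
            out.append(Finding(name, "high", f"federated credential '{f.get('name')}' trusts unexpected issuer {f.get('issuer')}"))
        if EXPECTED_AUDIENCE not in f.get("audiences", []):
            out.append(Finding(name, "high", f"federated credential '{f.get('name')}' has audience {f.get('audiences')}"))
        if subject.endswith(":pull_request"):
            out.append(Finding(name, "medium", f"federated credential '{f.get('name')}' is claimable from any pull request workflow ({subject})"))
    return out


def audit_all(apps: List[dict], now: datetime) -> List[Finding]:
    return [fnd for app in apps for fnd in audit_app(app, now)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample data in Graph shape (GUIDs, names and dates are made up).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "legacy-sync-app",
     "passwordCredentials": [
         {"keyId": "sec-1", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"},
         {"keyId": "sec-0", "startDateTime": "2023-03-01T00:00:00Z", "endDateTime": "2024-03-01T00:00:00Z"}],
     "keyCredentials": [], "federatedIdentityCredentials": []},
    {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "billing-api",
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "cert-1", "type": "AsymmetricX509Cert", "usage": "Verify",
                         "endDateTime": "2024-06-10T00:00:00Z"}],
     "federatedIdentityCredentials": []},
    {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "ci-deploy",
     "passwordCredentials": [], "keyCredentials": [],
     "federatedIdentityCredentials": [
         {"name": "github-main", "issuer": "https://token.actions.githubusercontent.com",
          "subject": "repo:contoso/infra:ref:refs/heads/main", "audiences": ["api://AzureADTokenExchange"]},
         {"name": "github-pr", "issuer": "https://token.actions.githubusercontent.com",
          "subject": "repo:contoso/infra:pull_request", "audiences": ["api://AzureADTokenExchange"]}]},
]

if __name__ == "__main__":
    findings = audit_all(SAMPLE_APPS, SAMPLE_NOW)
    for fnd in findings:
        print(f"[{fnd.severity:6}] {fnd.app}: {fnd.message}")
    print(summarize(findings))
```

The point of the audit is the asymmetry the comparison lists describe: a managed identity has none of these objects to inspect, whereas every app registration carries credentials that someone has to expire, rotate and prune, and a federated credential only removes the secret, not the need to scope the trusted issuer and subject.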

 

Entra ID User Account (used as a service account)

While any Microsoft Entra ID user account can technically be used as a service account, this is considered bad practice. It brings human-account weaknesses into an automated path: the password is shared and rarely rotated, MFA is usually disabled so that scripts can sign in, and the account's sign-ins cannot be distinguished from those of a person.
User accounts exist to give people access to Microsoft 365, Azure and DevOps services. For them, MFA, passwordless authentication, Windows Hello for Business and similar protections are highly recommended.

This type of account should not be used as a service account.

Below are key guidelines for utilizing service accounts with Microsoft Entra ID, aimed at ensuring informed decisions regarding security and manageability:

Service accounts within Microsoft Entra ID are vital components in contemporary IT environments. They secure access to resources and services while enabling automation. A clear understanding of the distinctions between Managed Identities and App Registrations and adherence to best practices will significantly strengthen your identity management strategy, making it both secure and efficient.
