This chapter covers workload identities and service principals in Microsoft Entra ID, a critical topic for the SC-900 exam. You will learn how non-human entities like applications, services, and automation tools authenticate and access resources securely. This area represents approximately 10-15% of the Identity Access domain questions, often appearing in scenarios about managed identities, service principals, and application permissions. Understanding the distinction between workload identities and user identities, and how service principals are created and used, is essential for passing the exam and for real-world identity management.
Jump to a section
Imagine a large office building where human employees use their personal badges to enter and access rooms. Now consider automated robots that deliver packages, clean floors, and run servers. These robots cannot carry a human badge—they need their own machine-readable credentials. In Microsoft Entra ID, workload identities are like those robot employees: they are non-human identities for apps, services, and automation tools that need to authenticate and access resources. A service principal is the robot's badge—it's the identity created in Entra ID for each robot (application) that needs to act. When a robot needs to access a locked room (an API or resource), it presents its badge (the service principal) and a secret (a certificate or client secret) to prove its identity. Just as a robot's badge is tied to its role and permissions (e.g., only enter the server room, not HR), a service principal's permissions are assigned via roles in Entra ID. The building's security system (Entra ID) verifies the badge and checks the access control list before granting entry. This analogy makes clear that workload identities are not user accounts—they are purpose-built for automated, non-interactive scenarios, and they follow the same principle of least privilege as human access.
What Are Workload Identities?
Workload identities are identities in Microsoft Entra ID that represent non-human entities such as applications, services, virtual machines, containers, or automation scripts. Unlike user identities (which represent people who authenticate interactively with a username and password or MFA), workload identities authenticate programmatically using secrets, certificates, or managed identities. They are used to grant access to resources like Azure Storage, Microsoft Graph, or custom APIs.
Why Workload Identities Exist
In modern cloud environments, applications and services need to access other resources without human intervention. For example, a web app needs to read from a database, a CI/CD pipeline needs to deploy code to Azure, or a function app needs to write to a blob storage. Using a user account for these tasks is insecure and impractical—user accounts have passwords that expire, are subject to MFA interruptions, and are tied to a person who might leave the organization. Workload identities solve this by providing a secure, non-interactive identity that can be assigned specific permissions and can rotate secrets automatically.
Service Principals: The Core Component
A service principal is the local representation of an application in a specific Entra ID tenant. It is the identity that applications use to authenticate to Azure and access resources. When you register an application in Entra ID, three objects are created: - Application object: The global definition of the application, stored in the home tenant. It contains properties like app ID, reply URLs, and permissions. - Service principal object: The local instance of the application in a tenant. It is this object that is assigned roles and permissions. An application can have multiple service principals (one per tenant). - Managed identity: A special type of service principal automatically managed by Azure, eliminating the need for credential management.
How Service Principals Work
When an application needs to authenticate, it uses its credentials (client secret or certificate) to request an access token from the Microsoft identity platform (Azure AD). The token is issued for a specific resource (e.g., https://graph.microsoft.com). The service principal's permissions are defined by the roles assigned to it (e.g., Azure RBAC roles, app roles, or delegated permissions). The token is then presented to the resource, which validates it and grants access based on the claims.
Types of Service Principals
Application service principal: Created when you register an application. Used for custom apps.
Managed identity service principal: Created automatically when you enable a managed identity on an Azure resource (e.g., VM, App Service, Function).
Legacy service principal: Created for apps like Microsoft Graph or Office 365, often pre-integrated.
Managed Identities: The Preferred Approach
Managed identities are the recommended way to authenticate Azure services to Azure resources. There are two types: - System-assigned managed identity: Enabled directly on an Azure resource. It has the same lifecycle as the resource—when the resource is deleted, the identity is also deleted. It is unique to that resource. - User-assigned managed identity: Created as a standalone Azure resource. It can be assigned to multiple Azure resources. It has its own lifecycle independent of any resource.
Managed identities automatically handle credential rotation—there are no secrets to manage. They use certificate-based authentication internally, with certificates rotated every 46 days (by default, but can be configured).
Service Principal Credentials
Service principals can authenticate using: - Client secret: A string value (like a password) generated by Entra ID. It has an expiration date (max 2 years, can be set to never expire but not recommended). - Certificate: An X.509 certificate uploaded to the app registration. More secure than client secrets. The certificate's thumbprint is used during authentication. - Federated identity credential: Used for workload identity federation, allowing external identity providers (like GitHub Actions, Kubernetes) to exchange tokens for Entra ID tokens without managing secrets.
Permissions and Roles
Service principals are assigned permissions through: - Azure RBAC roles: Grant access to Azure resources (e.g., Contributor, Reader on a subscription or resource group). - App roles: Defined in the application manifest. Applications can define roles and assign them to users or service principals. - Delegated permissions: Used when an application acts on behalf of a user (requires user consent). - Application permissions: Used when the application acts as itself (no user context). Requires admin consent.
Default Values and Timers
Client secret max lifetime: 2 years (24 months).
Certificate max lifetime: Not enforced by Entra ID, but best practice is 1-2 years.
Managed identity certificate rotation: Every 46 days (system-assigned) or configurable for user-assigned.
Token lifetime: Access tokens default to 60-90 minutes (configurable). Refresh tokens up to 14 days for single-page apps, 90 days for native apps.
Configuration and Verification
To create a service principal via Azure CLI:
az ad sp create-for-rbac --name MyApp --role Contributor --scopes /subscriptions/{subscription-id}To list service principals:
az ad sp list --all --query "[].{displayName:displayName, appId:appId}" -o tableTo get details of a managed identity:
az resource show --ids /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name}Interaction with Related Technologies
Microsoft Graph: Service principals can be granted application permissions to call Microsoft Graph (e.g., read all user profiles).
Azure Key Vault: Managed identities can be used to access secrets in Key Vault without storing credentials in code.
Azure AD Conditional Access: Can apply to workload identities (preview) for additional security controls.
Workload identity federation: Allows external workloads (e.g., GitHub Actions, Kubernetes) to authenticate to Azure without managing secrets.
Register an Application
Navigate to Microsoft Entra ID > App registrations > New registration. Enter a name (e.g., 'MyWebApp'), select supported account types (e.g., 'Accounts in this organizational directory only'), and optionally set a redirect URI. This creates an application object in the tenant. The application object has a globally unique Application (client) ID, which identifies the app across tenants. No credentials are generated at this stage.
Create a Service Principal
After registration, a service principal is automatically created in the home tenant. You can also create service principals in other tenants (e.g., for multitenant apps). The service principal inherits properties from the application object but has its own object ID and can be assigned roles. For automation, use 'az ad sp create-for-rbac' which creates both the app and service principal.
Assign Credentials
For the service principal to authenticate, you must add credentials. Go to Certificates & secrets. Add a client secret (choose expiration: 1 year, 2 years, or never). Copy the secret value immediately—it is only shown once. Alternatively, upload a certificate. The service principal uses these credentials to request tokens. For managed identities, credentials are managed automatically.
Assign Permissions via RBAC
Go to the Azure resource (e.g., storage account) > Access control (IAM) > Add role assignment. Select a role (e.g., 'Storage Blob Data Contributor'), choose 'Managed identity' or 'User, group, or service principal', and select the service principal. This grants the service principal permissions to that resource. For Microsoft Graph permissions, configure API permissions in the app registration.
Authenticate and Acquire Token
In your application code, use the Microsoft Authentication Library (MSAL) to request a token. For a client secret, pass the tenant ID, client ID, and client secret. For managed identity, use the Azure Identity SDK which automatically detects the managed identity endpoint. The token endpoint returns a JSON response with an access_token, token_type, expires_in (seconds), and ext_expires_in.
Scenario 1: CI/CD Pipeline Deployment
A DevOps team uses Azure DevOps to deploy infrastructure to Azure. Instead of using a user account (which would break if the user leaves), they create a service principal with Contributor role on the subscription. The pipeline uses the service principal's client secret stored in Azure Key Vault to authenticate. When the secret expires, the pipeline fails—this is a common issue. Best practice is to use a user-assigned managed identity for the Azure DevOps agent, eliminating secret management entirely. In production, the team rotates secrets every 90 days using automation.
Scenario 2: Microservices Communication
A company runs a microservices application on Azure Kubernetes Service (AKS). Each microservice needs to access Azure resources like Cosmos DB and Key Vault. They enable system-assigned managed identities on the AKS cluster and use pod identities to assign identities to specific pods. This way, each pod authenticates to Azure without any secrets in the code. A common misconfiguration is assigning too broad permissions (e.g., Contributor on the whole subscription) instead of scoping to specific resources. The team learned this the hard way when a compromised pod had access to all resources.
Scenario 3: Third-Party SaaS Integration
An organization uses a third-party SaaS application that needs to read user profiles from Microsoft Graph. The SaaS vendor provides an app registration that requires admin consent for application permissions. The IT admin grants consent, creating a service principal for the SaaS app in their tenant. Later, they realize the app has 'User.Read.All' permission—too broad. They revoke consent and request a more limited permission. This highlights the importance of reviewing delegated vs. application permissions: application permissions allow the app to access data without a signed-in user, which is powerful and risky.
What SC-900 Tests
Objective 2.5 focuses on describing the capabilities of Entra ID for workload identities. The exam tests your ability to:
Differentiate between user identities and workload identities.
Understand service principals and their relationship to app registrations.
Identify managed identities and their types (system-assigned vs. user-assigned).
Recognize the use cases for workload identities (e.g., CI/CD, microservices).
Common Wrong Answers
"Service principal and application object are the same." This is false. The application object is the global definition; the service principal is the local instance. Candidates often confuse them because the same app ID is used for both.
"Managed identities require storing a secret." Wrong. Managed identities automatically handle credentials; no secret management is needed. This is a key differentiator.
"Workload identities can be used for interactive sign-in." No. Workload identities are for non-interactive scenarios. They cannot sign in to portals like Azure Portal.
"Service principals can only be created via Azure Portal." They can be created via CLI, PowerShell, or programmatically. The exam may test this.
Specific Numbers and Terms
Client secret max lifetime: 2 years (24 months). The exam might ask about default expiration.
Managed identity certificate rotation: Every 46 days for system-assigned.
Two types of managed identities: System-assigned and user-assigned.
Application ID vs. Object ID: Application ID (client ID) is immutable; Object ID is tenant-specific.
Edge Cases
Multitenant apps: A single app registration can have service principals in multiple tenants.
Service principal without app registration: Legacy service principals (e.g., for Microsoft Graph) exist without a corresponding app registration in your tenant.
Workload identity federation: Allows using tokens from external IdPs (e.g., GitHub) to authenticate to Azure without secrets.
How to Eliminate Wrong Answers
Focus on the mechanism: if a question describes an automated process without user interaction, the answer involves a service principal or managed identity. If credentials are mentioned, it's a service principal; if no credentials, it's a managed identity. For questions about app registration vs. service principal, remember: app registration defines the app; service principal is the identity in a tenant.
Workload identities are non-human identities for apps, services, and automation tools.
A service principal is the identity used by an application in a specific tenant.
Managed identities eliminate the need to manage credentials; they are the recommended approach for Azure resources.
Two types of managed identities: system-assigned (tied to resource) and user-assigned (standalone, shareable).
Client secrets have a maximum lifetime of 2 years; certificates are more secure.
Service principals can be assigned Azure RBAC roles, app roles, and API permissions.
Workload identities cannot be used for interactive sign-in; they authenticate programmatically.
The exam tests the difference between application objects and service principal objects.
Workload identity federation allows external IdPs to authenticate to Azure without secrets.
Managed identities rotate certificates every 46 days by default.
These come up on the exam all the time. Here's how to tell them apart.
System-Assigned Managed Identity
Tied to a single Azure resource (e.g., one VM, one App Service).
Lifecycle matches the resource: deleted when resource is deleted.
Cannot be shared across resources.
Automatically created when enabled on the resource.
Simpler for single-resource scenarios.
User-Assigned Managed Identity
Standalone Azure resource with its own lifecycle.
Can be assigned to multiple Azure resources (e.g., multiple VMs).
Independent of any resource; persists if resources are deleted.
Must be created explicitly before assignment.
Useful for scenarios where multiple resources need the same identity.
Mistake
A service principal is the same as an application registration.
Correct
An application registration is the global app definition; a service principal is the local instance in a tenant. They are separate objects with different IDs. The app registration has an Application (client) ID; the service principal has an Object ID.
Mistake
Managed identities require you to manage secrets.
Correct
Managed identities automatically handle credential generation and rotation. No secrets are exposed to the user. This is their main advantage over service principals with client secrets.
Mistake
Workload identities can be used to sign in to the Azure Portal.
Correct
Workload identities are non-interactive. They cannot be used for browser-based sign-in. Only user identities can do that.
Mistake
Service principals can only be assigned Azure RBAC roles.
Correct
Service principals can also be assigned app roles (defined in the application manifest) and can be granted API permissions (delegated or application) for Microsoft Graph or other APIs.
Mistake
A system-assigned managed identity can be shared across multiple resources.
Correct
A system-assigned managed identity is tied to a single Azure resource and has the same lifecycle. For sharing, use a user-assigned managed identity.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A service principal is a general identity for an application, which requires you to manage credentials (client secret or certificate). A managed identity is a special type of service principal automatically managed by Azure, with no credential management needed. Managed identities are the recommended approach for Azure resources like VMs and App Services.
No, service principals are non-interactive identities. They cannot sign in via a browser. They authenticate programmatically using secrets or certificates to obtain access tokens. Only user identities can sign in to the Azure Portal.
You can set a client secret to expire in 1 year, 2 years, or never. The maximum allowed duration is 2 years (24 months). Best practice is to rotate secrets regularly, not set them to never expire.
A system-assigned managed identity is tied to a single Azure resource and has the same lifecycle. A user-assigned managed identity is a standalone resource that can be assigned to multiple Azure resources and has its own lifecycle. Use system-assigned for simple scenarios; use user-assigned when multiple resources need the same identity.
Workload identity federation allows you to use tokens from an external identity provider (e.g., GitHub Actions, Kubernetes) to authenticate to Azure without managing secrets. You create a federated identity credential on a service principal, and the external workload exchanges its token for an Azure AD token.
No, service principals do not support MFA because they are non-interactive. However, you can apply Conditional Access policies to service principals (preview) to enforce additional controls like location or risk-based policies.
Use the command: 'az ad sp create-for-rbac --name <name> --role <role> --scopes <scope>'. For example: 'az ad sp create-for-rbac --name MyApp --role Contributor --scopes /subscriptions/12345678-1234-1234-1234-123456789abc'. This creates an app registration and a service principal with the specified RBAC role.
You've just covered Entra Workload Identities and Service Principals — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?