Microsoft Entra Workload ID
Definition
Microsoft Entra Workload ID (formerly Azure AD Workload Identity) is the part of the Microsoft Entra family that manages and secures non-human identities: application registrations and their service principals, and the managed identities used by Azure resources. Its best-known capability is workload identity federation, which lets a workload running outside Entra (a GitHub Actions job, a Kubernetes pod, or any other OpenID Connect issuer the tenant trusts) exchange a token from its own identity provider for an Entra access token, so no client secret or certificate has to be stored in the pipeline or cluster. It also extends Conditional Access and Identity Protection risk detections to workload identities and supports access reviews of service principals, which together enforce policy and surface anomalous access patterns for workloads. The security goal is the one the settings below illustrate: tokens bound to one specific audience, issued by a known tenant-specific issuer, short-lived, and carrying only the roles the workload actually needs.
Secure Settings Example
The JSON below is an illustrative layout for this page, not Entra's own configuration schema; the values show what a sound workload-identity policy pins down.
{
  "workloadIdentity": {
    "enabled": true,
    "authentication": {
      "type": "OAuth2",
      "tokenLifetime": "1h", // Short-lived; Entra access tokens default to roughly 60-90 minutes
      "audience": "https://example.com", // Exact identifier of the API the token is for
      "issuer": "https://login.microsoftonline.com/{tenantId}/v2.0" // Tenant-specific Entra v2.0 issuer, never a generic or common endpoint
    },
    "authorization": {
      "roles": ["Reader", "Contributor"], // Prefer a single least-privilege role; Contributor already implies read access
      "scopes": ["https://example.com/.default"] // Named resource scope rather than a wildcard
    }
  }
}
Insecure Settings Example
{
  "workloadIdentity": {
    "enabled": true,
    "authentication": {
      "type": "OAuth2",
      "tokenLifetime": "24h", // Excessively long: a leaked token stays usable for a full day
      "audience": "*", // Wildcard audience: a token minted for any API would be accepted here
      "issuer": "https://untrusted-issuer.com" // Not an Entra tenant issuer: tokens cannot be tied to your tenant
    },
    "authorization": {
      "roles": ["Owner"], // Overly permissive: Owner can also change role assignments
      "scopes": ["*"] // Wildcard scope: requests every permission instead of a named one
    }
  }
}