Conditional Access for workload identities
Conditional Access policies have historically applied only to users when they access apps and services like SharePoint Online or the Azure portal. We are now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities. A workload identity is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:
These differences make workload identities harder to manage and put them at higher risk for compromise.

Important: Conditional Access policies can be scoped to service principals in Azure AD with Workload Identities Premium licenses.

Note: Policy can be applied to single-tenant service principals that have been registered in your tenant. Third-party SaaS and multi-tenant apps are out of scope. Managed identities are not covered by policy.

Conditional Access for workload identities enables blocking service principals from outside of trusted public IP ranges, or based on risk detected by Azure AD Identity Protection.

Implementation

Create a location-based Conditional Access policy

Create a location-based Conditional Access policy that applies to service principals.
Create a risk-based Conditional Access policy

Create a risk-based Conditional Access policy that applies to service principals.
Roll back

If you wish to roll back this feature, you can delete or disable any created policies.

Sign-in logs

The sign-in logs are used to review how policy is enforced for service principals, or the expected effects of policy when using report-only mode.
Failure reason when a service principal is blocked by Conditional Access: “Access has been blocked due to conditional access policies.”

Report-only mode

To view results of a location-based policy, refer to the Report-only tab of events in the Sign-in report, or use the Conditional Access Insights and Reporting workbook. To view results of a risk-based policy, refer to the Report-only tab of events in the Sign-in report.

Reference

Finding the objectID

You can get the objectID of the service principal from Azure AD Enterprise Applications. The Object ID shown in Azure AD App registrations can’t be used: that identifier is the Object ID of the app registration, not of the service principal.
Microsoft Graph

Sample JSON for location-based configuration using the Microsoft Graph beta endpoint.
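As an added example (not the page's Graph sample and not Microsoft's code), the following Python builds the request body for the location-based policy scoped to service principals, starting in report-only mode, and filters constructed sign-in log records for the service principals that were blocked or would have been blocked. The conditionalAccessPolicy and servicePrincipalSignIn field names and the named-location ID are assumptions.

```python
# Assumed schema: Microsoft Graph (beta) conditionalAccessPolicy, using the
# clientApplications condition to scope a policy to service principals.
# Placeholder: object ID of an IP-based named location holding trusted egress ranges.
TRUSTED_LOCATION_ID = "00000000-0000-0000-0000-000000000000"  # replace with your namedLocation id

def build_location_policy(sp_object_ids, trusted_location_id, report_only=True):
    """Request body that blocks the listed service principals (service principal
    object IDs from Enterprise Applications, not app-registration IDs) from every
    location except the trusted named location. Start in report-only mode."""
    return {
        "displayName": "Block workload identities outside trusted IP ranges",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "clientApplications": {"includeServicePrincipals": list(sp_object_ids)},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [trusted_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

# Exact failure reason the page lists for an enforced block.
BLOCK_REASON = "Access has been blocked due to conditional access policies."

# Constructed sample records in the shape of Graph servicePrincipalSignIn entries
# (field names assumed): one enforced block, one report-only failure, one pass.
SAMPLE_SIGN_INS = [
    {"servicePrincipalId": "sp-1", "ipAddress": "203.0.113.10",
     "status": {"failureReason": BLOCK_REASON},
     "appliedConditionalAccessPolicies": [{"result": "failure"}]},
    {"servicePrincipalId": "sp-2", "ipAddress": "198.51.100.7",
     "status": {"failureReason": "Other."},
     "appliedConditionalAccessPolicies": [{"result": "reportOnlyFailure"}]},
    {"servicePrincipalId": "sp-3", "ipAddress": "192.0.2.1",
     "status": {"failureReason": "Other."},
     "appliedConditionalAccessPolicies": [{"result": "reportOnlySuccess"}]},
]

def blocked_sign_ins(sign_ins):
    """Return (servicePrincipalId, ipAddress) for sign-ins the policy blocked
    (enforced) or would have blocked (report-only): the set to review before enabling."""
    hits = []
    for s in sign_ins:
        enforced = s.get("status", {}).get("failureReason") == BLOCK_REASON
        report_only = any(p.get("result") == "reportOnlyFailure"
                          for p in s.get("appliedConditionalAccessPolicies", []))
        if enforced or report_only:
            hits.append((s["servicePrincipalId"], s["ipAddress"]))
    return hits
```

Each hit should be checked against the trusted IP ranges before switching the state to "enabled", since a legitimate service principal calling from an unlisted egress address will be blocked once the policy is enforced.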