Workload Identities & App Management

Managed Identities & Service Principals

30 mins

Understanding the Concept

Workload identities are non-human identities that applications and services use to authenticate and access resources. In Microsoft Entra ID, these include managed identities, service principals, and app registrations.

Managed identities are service principals of a special type whose credentials Azure creates, stores and rotates; the workload never handles a secret and requests tokens from the local instance metadata endpoint instead. System-assigned managed identities are tied to a specific Azure resource and are deleted when that resource is deleted. User-assigned managed identities are standalone Azure resources that can be shared across multiple resources and outlive any one of them.

Service principals are the local representation of an application in a specific tenant. Registering an app creates an application object (the app registration) in the home tenant together with a service principal for it; consenting to a multi-tenant app creates a further service principal in each consuming tenant. Permissions and role assignments are granted to the service principal, and the app authenticates as it using a client secret, a certificate, or a federated credential.

Key Points

  • Managed identities: No credentials to manage, Azure handles rotation
  • System-assigned: Tied to one resource, deleted with resource
  • User-assigned: Standalone, shareable across multiple resources
  • Service principals: App identity in a tenant with configured permissions
  • Workload identity federation: Federate external identities without secrets

Workload Identity Types

  • Managed Identity: Azure-managed, no secrets, auto-rotated credentials
  • Service Principal: App identity with client secret or certificate auth
  • App Registration: Developer-facing config for API permissions and auth
  • Workload Federation: External systems auth without stored secrets
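Workload identity federation is only as tight as the federated credential's issuer, subject and audience, because Entra ID matches those claims exactly before it exchanges the external token. The following is an added example (not code from the course page) that models that matching step and the token request a CI runner sends; the credential entries follow the fields of a Graph federatedIdentityCredential, while the issuers, repository name, cluster URL and token claims are constructed samples. It assumes the external token's signature has already been verified against the issuer's JWKS and shows only the claim matching.

```python
"""Claim matching for workload identity federation (added example).

The federated credentials below follow the shape of a Graph
federatedIdentityCredential (name, issuer, subject, audiences); every
issuer, repository and claim value is constructed. Signature verification
is assumed to have already happened upstream.
"""
import base64
import json
from typing import Optional

# Constructed federated identity credentials on one app registration:
# one entry per external workload allowed to act as the app.
FEDERATED_CREDENTIALS = [
    {
        "name": "github-main-deploy",
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:contoso/payments:ref:refs/heads/main",
        "audiences": ["api://AzureADTokenExchange"],
    },
    {
        "name": "k8s-payments-api",
        "issuer": "https://oidc.example-cluster.invalid/",  # constructed cluster issuer
        "subject": "system:serviceaccount:payments:api",
        "audiences": ["api://AzureADTokenExchange"],
    },
]

NOW = 1_700_000_000  # fixed clock so the validity checks are deterministic


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed compact JWT with an empty signature, for sample input only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode a JWT payload. No signature check: only use on verified tokens."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def match_federated_credential(claims: dict, credentials: list, now: float) -> Optional[str]:
    """Return the name of the credential the token satisfies, or None.

    Mirrors Entra ID's rules: token inside its nbf/exp window, issuer and
    subject equal to a configured entry (no wildcards or prefixes), and the
    token audience listed on that entry.
    """
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None
    aud = claims.get("aud", [])
    token_auds = aud if isinstance(aud, list) else [aud]
    for cred in credentials:
        if claims.get("iss") != cred["issuer"] or claims.get("sub") != cred["subject"]:
            continue
        if any(a in cred["audiences"] for a in token_auds):
            return cred["name"]
    return None


def build_token_request(tenant_id: str, client_id: str, external_token: str,
                        scope: str = "https://management.azure.com/.default") -> dict:
    """Form body posted to https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
    to trade the external OIDC token for an Entra access token; no client secret."""
    return {
        "client_id": client_id,
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": external_token,
    }


def github_claims(subject: str, exp: int) -> dict:
    return {"iss": "https://token.actions.githubusercontent.com", "sub": subject,
            "aud": "api://AzureADTokenExchange", "nbf": NOW - 60, "exp": exp}


# Constructed sample tokens: only the main-branch run should be accepted.
SAMPLE_TOKENS = {
    "main_branch": make_unsigned_token(github_claims("repo:contoso/payments:ref:refs/heads/main", NOW + 300)),
    "feature_branch": make_unsigned_token(github_claims("repo:contoso/payments:ref:refs/heads/feature/x", NOW + 300)),
    "pull_request": make_unsigned_token(github_claims("repo:contoso/payments:pull_request", NOW + 300)),
    "expired": make_unsigned_token(github_claims("repo:contoso/payments:ref:refs/heads/main", NOW - 1)),
}


def evaluate_samples() -> dict:
    return {name: match_federated_credential(decode_claims(tok), FEDERATED_CREDENTIALS, NOW)
            for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:15s} -> {result or 'rejected'}")
```

The feature-branch and pull-request tokens are rejected even though they come from the same repository, which is the point of scoping the subject to a branch: a build triggered by an untrusted pull request cannot assume the deployment identity. The request body shows what replaces the secret on the CI side, the external token itself as the client assertion.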

Why This Matters in Real Organizations

Mismanaged workload identities are a growing attack vector. Service principals with expired secrets cause outages, while over-privileged app permissions create security risks. Managed identities remove the need to store, distribute or rotate credentials, making them the preferred choice for workloads running on Azure; they still need least-privilege role assignments, because any process running on the resource can request tokens for the identity.

Common Mistakes to Avoid

  • Using service principals with secrets when managed identities are available
  • Not monitoring service principal credential expiration
  • Granting Application permissions when Delegated permissions suffice
  • Not understanding the difference between app registration and service principal
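The first two mistakes are easy to catch from an inventory of app registrations. The following is an added example (not code from the course page) that audits a constructed inventory shaped like Microsoft Graph application objects (passwordCredentials, keyCredentials, federatedIdentityCredentials with ISO 8601 timestamps); every app name, appId, keyId and date is made up, and the 30-day warning window and one-year maximum secret lifetime are assumed thresholds.

```python
"""Credential hygiene audit over a constructed app-registration inventory
(added example). Finds expired, soon-expiring and over-long client secrets,
and apps that rely on secrets alone where a certificate, federated
credential or managed identity would avoid a stored secret.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for deterministic output
WARN_DAYS = 30          # assumed: warn when a secret expires within this window
MAX_SECRET_DAYS = 365   # assumed: longer than this is treated as an over-long secret

# Constructed inventory in the shape of Graph application objects.
INVENTORY = [
    {
        "displayName": "payments-api",
        "appId": "00000000-0000-0000-0000-000000000001",
        "passwordCredentials": [
            {"keyId": "pw-1", "startDateTime": "2023-12-01T00:00:00Z", "endDateTime": "2024-06-10T00:00:00Z"},
        ],
        "keyCredentials": [],
        "federatedIdentityCredentials": [],
    },
    {
        "displayName": "legacy-batch",
        "appId": "00000000-0000-0000-0000-000000000002",
        "passwordCredentials": [
            {"keyId": "pw-2", "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
            {"keyId": "pw-3", "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2026-03-01T00:00:00Z"},
        ],
        "keyCredentials": [],
        "federatedIdentityCredentials": [],
    },
    {
        "displayName": "ci-deploy",
        "appId": "00000000-0000-0000-0000-000000000003",
        "passwordCredentials": [],
        "keyCredentials": [],
        "federatedIdentityCredentials": [
            {"name": "github-main", "issuer": "https://token.actions.githubusercontent.com",
             "subject": "repo:contoso/payments:ref:refs/heads/main"},
        ],
    },
]


def parse_time(value: str) -> datetime:
    """Graph emits UTC timestamps with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_app(app: dict, now: datetime = NOW) -> list:
    """Return (code, keyId, message) findings for one application object."""
    findings = []
    secrets = app.get("passwordCredentials", [])
    for cred in secrets:
        start, end = parse_time(cred["startDateTime"]), parse_time(cred["endDateTime"])
        if end <= now:
            findings.append(("EXPIRED_SECRET", cred["keyId"], f"expired {end:%Y-%m-%d}; rotate or remove"))
        elif end - now <= timedelta(days=WARN_DAYS):
            findings.append(("EXPIRING_SECRET", cred["keyId"], f"expires in {(end - now).days} days"))
        if end - start > timedelta(days=MAX_SECRET_DAYS):
            findings.append(("LONG_LIVED_SECRET", cred["keyId"], f"valid for {(end - start).days} days"))
    if secrets and not app.get("keyCredentials") and not app.get("federatedIdentityCredentials"):
        findings.append(("SECRET_ONLY_AUTH", None,
                         "only client secrets configured; prefer a certificate, federated credential or managed identity"))
    return findings


def audit_inventory(apps: list, now: datetime = NOW) -> dict:
    """Map displayName -> findings for every app in the inventory."""
    return {app["displayName"]: audit_app(app, now) for app in apps}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for code, key_id, msg in findings:
            print(f"  {code:18s} {key_id or '-':5s} {msg}")
```

Run against real data by feeding it the JSON from a Graph query for applications with `$select=displayName,appId,passwordCredentials,keyCredentials`; federated credentials are a separate relationship and would need to be fetched per app. The ci-deploy app produces no findings because it has no stored secret at all, which is the state the lesson recommends.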

Interview Tips

  • Explain when to use managed identities vs service principals
  • Discuss system-assigned vs user-assigned managed identity tradeoffs
  • Mention workload identity federation for CI/CD pipelines

Exam Tips (SC-300)

  • Know the types of managed identities and their lifecycle
  • Understand service principal authentication options
  • Know when to use managed identity vs service principal
