AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Lean how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!

Practice Test

Expert
Exam

Manage and use service principals

Manage Microsoft Entra application access

Credential Management and RBAC Assignment

Service principals in Microsoft Entra ID act as non-interactive identities that applications use to authenticate with Azure resources. These identities need secure credentials to prove who they are and to gain access. Choosing the right credential mechanism helps balance security with ease of automation. Common options include client secrets, certificates, and federated identities. Each type carries its own benefits and risks, so understanding their differences is key.

Applications can use three main credential types for service principals:

  • Client secrets: short-lived strings stored as secure settings.
  • Certificates: digital certificates issued by a trusted authority or self-signed for testing.
  • Federated identities: tokens exchanged from external identity providers without storing secrets in Azure.
    Using certificates often reduces the risk of secret leakage compared to client secrets, while federated identities eliminate local credentials entirely.

To keep credentials safe, you should enforce automated rotation on a regular schedule. Integrate with services like Azure Key Vault or Azure Automation to automatically update secrets and certificates. Automated rotation shrinks the window of time in which a compromised credential can be used. Without automation, manual rotation can become error-prone and may leave stale credentials active longer than necessary.

When granting permissions, follow the principle of least privilege by assigning Azure RBAC roles at the narrowest scope:

  • Resource level (for example, a single storage account)
  • Resource group level
  • Subscription level
    Use built-in roles for common scenarios or define custom roles to tailor access. Regularly review and prune role assignments to remove unneeded permissions and reduce attack surfaces.

Where possible, switch to managed identities to eliminate manual credential handling altogether. A system-assigned managed identity is tied to one resource’s lifecycle, while a user-assigned managed identity can be shared across multiple resources. Azure mentors the credential lifecycle for these identities, handling creation and rotation automatically. Adopting managed identities aligns with best practices for secure, scalable application access.

Conclusion

In managing service principals, it’s essential to pick the right credential type, whether it’s a client secret, certificate, or federated identity. Automating credential rotation with Azure Key Vault or Automation services keeps keys fresh and minimizes risk. Assigning RBAC roles by least privilege and the smallest possible scope prevents over-permissioned access. Finally, leveraging managed identities removes manual secrets and simplifies lifecycle management. Together, these practices form a robust framework for securing application authentication in Azure.

Manage app registration permission consentManage managed identities