The Ultimate Guide to Non-Human Identities Report
NHI Forum

Forums
Non-Human Identity ...
Workload Identity M...
Choosing the Most S...
 
Notifications
Clear all

Choosing the Most Secure Entra ID App Authentication Method in Microsoft 365, Azure, and Entra

 
    Last Post
  RSS

 NHI Mgmt Group
(@nhi-mgmt-group)
Eminent Member
Joined: 4 months ago
Posts: 14
Topic starter 11/08/2025 4:17 pm  

Original Article from Merill Fernando (PM @ Microsoft) - https://www.linkedin.com/feed/update/urn:li:activity:7350474706619162624/

When securing applications in Microsoft 365, Azure, and Entra environments, the authentication method you choose directly impacts your exposure to credential theft and misuse. This decision tree outlines the most secure approaches, ranked from strongest to weakest:

  1. Managed Identities – Best Practice

    • Eliminates the need for app secrets entirely, preventing credential leaks.

    • Credentials are automatically provisioned and deleted with Azure resources.

    • Even Global Administrators cannot access the underlying credential.

    • Similar capabilities exist in AWS and GCP.

  2. Workload Identity Federation – Strong Alternative

    • Allows Microsoft Entra ID to trust tokens from external identity providers such as AWS, GitHub, or Google Cloud.

    • Example: An AWS app with an Amazon Cognito identity can present its Cognito token to access Azure-protected resources.

    • Avoids storing long-lived secrets while enabling cross-platform integration.

  3. Certificates – Acceptable Where Above Options Are Not Possible

    • Use short-lived certificates with secure private key protection.

    • Implement rotation processes and prepare for certificate rollover without downtime (e.g., by supporting multiple active keys).

    • Still requires operational vigilance to prevent leaks and outages.

  4. Client ID & Secret – Least Secure, Avoid When Possible

    • Common due to simplicity, but highly prone to accidental exposure (e.g., checked into code, stored in plain text).

    • If used, secrets must be encrypted, rotated frequently, and monitored for compromise.

    • Encourage migration to stronger authentication methods.


Wherever possible, replace static secrets with Managed Identities or Workload Identity Federation. When neither is available, certificates offer a more secure fallback. Avoid client secrets entirely to reduce the risk of credential leaks.

To learn more about avoiding common app-related security pitfalls here: https://devblogs.microsoft.com/identity/public-v-confidential-clients/?source=nhimg

To learn about workload identity federation here:  https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation/?source=nhimg

To learn about using Entra conditional access policies for workload identities here:  https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-faqs/?source=nhimg

 

diagram
This topic was modified 6 days ago 5 times by Mr NHI

   
Quote
Topic Tags
Microsoft Azure Microsoft 365 Microsoft Entra ID NHI Security
Forum Jump:
  Previous Topic
Next Topic  
Related Topics
Topic Tags:  Microsoft (1) , Azure (1) , Microsoft 365 (1) , Microsoft Entra ID (1) , NHI Security (100) ,
Share:

#1 Authority in NHI Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs).

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.