
Service principal vs managed identity in Azure: what should teams choose?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: Azure service principals still rely on secrets or certificates, while managed identities remove secret handling for Azure-native workloads, according to Oasis Security. The governance question is not convenience but where identity lifecycle, privilege, and auditability become harder to control once you leave secretless authentication behind.

NHIMG editorial — based on content published by Oasis Security: Service Principal vs. Managed Identity in Azure

By the numbers:

Questions worth separating out

Q: How should security teams decide between service principals and managed identities in Azure?

A: Use managed identity by default for Azure-native workloads because it removes secret handling from the application layer.

Q: Why do service principals create more governance risk than managed identities?

A: Service principals depend on secrets or certificates, so the organisation must manage storage, rotation, expiry, and revocation.

Q: What breaks when organisations use one Azure identity pattern for every workload?

A: The programme loses fit to context.

Practitioner guidance

  • Inventory every Azure workload identity: classify each identity as service principal or managed identity, record the owning team, the workload it supports, and whether it exists inside or outside Azure.
  • Prefer managed identity for Azure-native services: default to managed identity for VMs, App Services, and Functions when the application can remain inside Azure and the platform supports secretless authentication.
  • Treat service principals as secret-bearing NHIs: store secrets in a vault, set expiration alerts, rotate credentials on a defined schedule, and remove access when the workload is retired or moved.

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A practical decision flow for choosing service principals versus managed identities across Azure and external workloads
  • Examples of where managed identity works for App Service, Functions, and VMs, and where service principals remain necessary
  • Guidance on secret storage, rotation alerts, and lifecycle controls for service principals
  • Visibility and inventory examples showing how to map ownership and permissions for each identity type

👉 Read Oasis Security's analysis of service principals versus managed identities in Azure →

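As an added example (not code from the Oasis Security article or from the NHIMG post above): a small offline triage script that applies the three guidance items to the JSON that `az ad sp list --all -o json` emits. Managed identities appear in that output as service principals whose `servicePrincipalType` is `ManagedIdentity`, which is what the classification keys on; everything else is treated as a secret-bearing service principal whose `passwordCredentials` and `keyCredentials` are checked for expiry, imminent expiry, and over-long lifetime. The inventory below is constructed sample data, the clock is pinned so the results are reproducible, and the thresholds and function names are this example's own choices.

```python
"""Offline triage of an Azure workload-identity inventory.

Input shape: the JSON array returned by `az ad sp list --all -o json`
(Microsoft Graph servicePrincipal objects). Managed identities appear in
that array with servicePrincipalType == "ManagedIdentity" and carry no
secrets or certificates of their own; everything else is treated as a
secret-bearing service principal. Added example, not the article's code.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime, timezone
from pathlib import Path

WARN_DAYS = 30           # alert when a secret/cert expires within this window (assumed)
MAX_LIFETIME_DAYS = 365  # flag credentials issued for longer than a year (assumed)

# Constructed sample: field names match Graph, every value is made up.
SAMPLE_INVENTORY = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111",
     "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "displayName": "billing-etl-job",
     "servicePrincipalType": "Application",
     "passwordCredentials": [
         {"keyId": "k1", "startDateTime": "2023-01-15T00:00:00Z",
          "endDateTime": "2024-01-15T00:00:00Z"},
         {"keyId": "k2", "startDateTime": "2025-02-20T00:00:00Z",
          "endDateTime": "2025-03-20T00:00:00Z"}],
     "keyCredentials": []},
    {"id": "22222222-2222-2222-2222-222222222222",
     "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "displayName": "web-frontend-identity",
     "servicePrincipalType": "ManagedIdentity",
     "passwordCredentials": [], "keyCredentials": []},
    {"id": "33333333-3333-3333-3333-333333333333",
     "appId": "aaaaaaaa-0000-0000-0000-000000000003",
     "displayName": "legacy-reporting",
     "servicePrincipalType": "Application",
     "passwordCredentials": [
         {"keyId": "k3", "startDateTime": "2023-01-01T00:00:00Z",
          "endDateTime": "2027-01-01T00:00:00Z"}],
     "keyCredentials": [
         {"keyId": "c1", "startDateTime": "2024-06-01T00:00:00Z",
          "endDateTime": "2025-03-05T00:00:00.0000000Z"}]},
    {"id": "44444444-4444-4444-4444-444444444444",
     "appId": "aaaaaaaa-0000-0000-0000-000000000004",
     "displayName": "orphan-automation",
     "servicePrincipalType": "Application",
     "passwordCredentials": [], "keyCredentials": []},
])
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # pinned clock for the sample


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph UTC timestamp. Graph emits up to 7 fractional digits and a
    trailing 'Z', neither of which older datetime.fromisoformat() accepts."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def triage(inventory_json: str, now: datetime,
           warn_days: int = WARN_DAYS,
           max_lifetime_days: int = MAX_LIFETIME_DAYS) -> list[dict]:
    """Classify each identity and collect its credential-lifecycle findings."""
    records = []
    for sp in json.loads(inventory_json):
        is_mi = sp.get("servicePrincipalType") == "ManagedIdentity"
        findings: list[str] = []
        if not is_mi:
            creds = ([("secret", c) for c in sp.get("passwordCredentials", [])] +
                     [("certificate", c) for c in sp.get("keyCredentials", [])])
            if not creds:
                # Nothing to rotate, but nothing proving it is in use either:
                # candidate for federated credentials or for decommissioning.
                findings.append("no-credentials")
            for label, cred in creds:
                end = parse_graph_time(cred["endDateTime"])
                days_left = (end - now).days
                if days_left < 0:
                    findings.append(f"expired-{label}:{cred['keyId']}")
                elif days_left <= warn_days:
                    findings.append(f"expiring-{label}:{cred['keyId']}:{days_left}d")
                start = cred.get("startDateTime")
                if start and (end - parse_graph_time(start)).days > max_lifetime_days:
                    findings.append(f"long-lived-{label}:{cred['keyId']}")
        records.append({
            "displayName": sp.get("displayName"),
            "appId": sp.get("appId"),
            "objectId": sp.get("id"),
            "kind": "managed-identity" if is_mi else "service-principal",
            "findings": findings,
        })
    return records


def needs_action(records: list[dict]) -> list[str]:
    """Names of identities with at least one finding, i.e. the rotation/cleanup queue."""
    return [r["displayName"] for r in records if r["findings"]]


def triage_sample() -> list[dict]:
    """Run the triage over the constructed inventory with the pinned clock."""
    return triage(SAMPLE_INVENTORY, SAMPLE_NOW)


if __name__ == "__main__":
    # Real use: az ad sp list --all -o json > inventory.json ; python triage.py inventory.json
    if len(sys.argv) > 1:
        data, now = Path(sys.argv[1]).read_text(), datetime.now(timezone.utc)
    else:
        data, now = SAMPLE_INVENTORY, SAMPLE_NOW
    for rec in triage(data, now):
        print(f"{rec['kind']:18} {rec['displayName']:24} {', '.join(rec['findings']) or 'ok'}")
```

An empty findings list for a managed identity only says there is no credential to rotate; ownership and role assignments are not part of the `az ad sp list` output and have to be joined in separately (ownership from `az ad sp owner list --id <objectId>`, role assignments from `az role assignment list --assignee <appId>`) before the inventory can support the ownership and entitlement checks the guidance calls for.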
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
 

Managed identity reduces secret risk, but it does not eliminate identity governance. Secretless authentication removes one of the most common failure points in NHI programmes, but the entitlement, ownership, and offboarding problems remain. The governance shift is from secret protection to scope control and lifecycle clarity. Practitioners should stop treating managed identity as a substitute for identity governance.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity inventory is a governance control rather than an administrative task.

A question worth separating out:

Q: How should teams govern Azure service principals and managed identities over time?

A: Track them as lifecycle-managed NHIs, not as static configuration. That means ownership records, access reviews, entitlement checks, secret rotation for service principals, and explicit decommissioning when workloads move or retire. Without those controls, identities outlive their use case and become hidden risk.

👉 Read our full editorial: Service principal vs managed identity in Azure: IAM governance trade-offs


