cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Question - new AAD conditional access policy for service principals #270

Closed tkol2022 closed 1 year ago

tkol2022 commented 1 year ago

💡 Summary

Based on Azure AD comment 20 in the spreadsheet, a key CISA POC proposed that we examine creating a new baseline policy related to conditional access for service principals (aka applications).

Here is a link that provides a couple of specific conditional access policy ideas. *Microsoft refers to service principals as "workload identities" on that page. 1) creating a "trusted location" based policy that limits access to trusted IP address ranges and 2) creating a risk-based policy that will block a service principal that is detected to have a specific level of risk.

Question for CISA

We agree that it would be valuable to create a new policy to help secure service principals, especially because the existing conditional access policies in the baseline do not get enforced for service principals. However, to add the Workload Identities feature to conditional access requires an additional license above and beyond E5 / G5. That license is named Workload Identities Premium.

Considering that many agencies and private sector organizations may not have this additional license, should this be included in the Azure AD baseline?
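As an added example (not ScubaGear's own code, whose checks are written in Rego), here is a small Python check over exported conditional access policies that reports whether the two workload-identity policy ideas above are present and actually enforced. The sample policies are constructed; the property names follow the Microsoft Graph conditionalAccessPolicy schema.

```python
# Constructed sample of what GET /identity/conditionalAccess/policies might return;
# property names follow the Microsoft Graph conditionalAccessPolicy schema.
SAMPLE_POLICIES = [
    {   # idea 2: block tenant service principals that Identity Protection rates high risk
        "displayName": "Block high-risk workload identities",
        "state": "enabled",
        "conditions": {
            "clientApplications": {"includeServicePrincipals": ["ServicePrincipalsInMyTenant"]},
            "servicePrincipalRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # idea 1: trusted-location policy, but still report-only, so it is not enforced
        "displayName": "Restrict workload identities to trusted IPs",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientApplications": {"includeServicePrincipals": ["ServicePrincipalsInMyTenant"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

def _cond(policy, key):
    return (policy.get("conditions") or {}).get(key) or {}

def targets_workload_identities(policy):
    # Only policies scoped to service principals apply to workload identities;
    # the baseline's user-scoped policies never do.
    return bool(_cond(policy, "clientApplications").get("includeServicePrincipals"))

def is_enforced_block(policy):
    # Report-only and disabled policies do not count as a control.
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return policy.get("state") == "enabled" and "block" in controls

def blocks_high_risk(policy):
    # Idea 2: Block keyed on the service principal risk level, covering "high".
    return "high" in _cond(policy, "servicePrincipalRiskLevels")

def blocks_untrusted_locations(policy):
    # Idea 1: Block from all locations except the named locations marked trusted.
    loc = _cond(policy, "locations")
    return "All" in (loc.get("includeLocations") or []) and \
        "AllTrusted" in (loc.get("excludeLocations") or [])

def assess(policies):
    """Return which of the two workload-identity protections is actually enforced."""
    wi = [p for p in policies if targets_workload_identities(p) and is_enforced_block(p)]
    return {"risk_block": any(blocks_high_risk(p) for p in wi),
            "trusted_location_block": any(blocks_untrusted_locations(p) for p in wi)}
```

Running `assess(SAMPLE_POLICIES)` flags the report-only location policy as not enforced, which is the kind of finding a baseline check would surface.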

gdasher commented 1 year ago

I think not; this could get extremely expensive with workloads with lots of WIs. This is also somewhat more Azure than M365 (even though it uses Azure AD).

I would consider adding it to security considerations on the policy about blocking High Risk as a non-normative note.

tkol2022 commented 1 year ago

Issue #322 was created to update the baseline per CISA's direction.