Plan and implement identities for applications and Azure workloads, integrate enterprise applications, manage app registrations, and monitor app access.
This domain focuses on managing identities for applications and Azure workloads. Candidates must select appropriate identities — managed identities, service principals, user accounts, and managed service accounts — and create, assign, and use managed identities to access Azure resources. The domain covers planning, implementing, and monitoring enterprise application integration including application-level and tenant-level settings, assigning Microsoft Entra roles for app management, designing integration for on-premises apps via Microsoft Entra Application Proxy, integrating SaaS apps, assigning users, groups, and app roles, configuring user and admin consent, and managing application collections. Candidates must also plan and implement app registrations including authentication configuration, API permissions, and app roles. Finally, it covers managing and monitoring app access using Microsoft Defender for Cloud Apps — cloud discovery, connected apps, application-enforced restrictions, Conditional Access app control, access and session policies, OAuth app policies, and the Cloud app catalog. (20–25% of exam)
Planning and implementing workload identities means managing the non-human identities in Microsoft Entra ID (formerly Azure AD) that applications, services, and automated processes use to authenticate and access resources.
**What Are Workload Identities?**
Workload identities represent software workloads such as applications, service principals, and managed identities. Unlike user identities, these are used by applications and services to authenticate and access Azure resources programmatically.
**Key Components:**
1. **Application Registrations:** Creating app objects in Microsoft Entra ID that define the application's identity configuration, including permissions, credentials, and authentication settings.
2. **Service Principals:** The local representation of an application object in a specific tenant, defining what the app can do within that tenant, who can access it, and what resources it can reach.
3. **Managed Identities:** Identities whose credentials Azure creates and rotates on the platform side, so nothing is stored in code or configuration. They come in two types - System-assigned (created with a resource and deleted with it) and User-assigned (a standalone resource that can be attached to multiple Azure resources). Each managed identity is represented in the tenant by a service principal, which is what you grant Azure RBAC roles or API permissions to.
**Planning Considerations:**
- Determine which workloads need identities and appropriate identity types
- Apply least-privilege access principles using role-based access control (RBAC)
- Implement credential management policies including certificate rotation and secret expiration
- Use Conditional Access policies for workload identities to enforce location and risk-based controls; these policies apply to single-tenant service principals and require Microsoft Entra Workload ID Premium licensing
- Monitor and audit workload identity activities through sign-in logs
**Implementation Best Practices:**
- Prefer managed identities over service principals to avoid credential management overhead
- Implement workload identity federation for external systems to avoid storing secrets
- Use Microsoft Entra Workload ID Premium (formerly Workload Identities Premium) for Conditional Access, risk detection, and access reviews aimed at workload identities
- Regularly review and remove unused application registrations and service principals
- Configure app governance policies to detect anomalous behavior
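To make the workload identity federation bullet concrete: an app registration carries one or more federated identity credentials (FICs), each with an issuer, a subject, and a list of audiences, and Microsoft Entra exchanges an external token for an Entra token only when the token's `iss` and `sub` claims equal a FIC's issuer and subject exactly and its `aud` is one of the FIC's audiences. The following is an added example, not code from the original page or from Microsoft; the repository and organization names, the FIC definitions, and the token claims are constructed for illustration, and signature validation against the issuer's OpenID Connect keys (which Entra performs) is deliberately left out so the matching logic runs offline.

```python
"""Which federated identity credential (FIC) accepts an external token?

Added example for Microsoft Entra workload identity federation. The FICs and
token claims below are constructed; the GitHub Actions issuer and subject
formats are the documented ones, the org/repo names are invented. Entra also
verifies the token signature against the issuer's OIDC keys, which is not
reproduced here.
"""

DEFAULT_AUDIENCE = "api://AzureADTokenExchange"  # Entra's default FIC audience

# Constructed FICs as an administrator might define them on one app registration.
FEDERATED_CREDENTIALS = [
    {
        "name": "main-branch",
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:contoso/billing:ref:refs/heads/main",
        "audiences": [DEFAULT_AUDIENCE],
    },
    {
        "name": "prod-environment",
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:contoso/billing:environment:prod",
        "audiences": [DEFAULT_AUDIENCE],
    },
]


def matching_credential(claims, credentials=FEDERATED_CREDENTIALS):
    """Return the name of the FIC that accepts these token claims, or None.

    Matching is exact on issuer and subject; a token from a pull_request
    workflow or a feature branch has a different sub and is rejected.
    """
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    for fic in credentials:
        if (
            claims.get("iss") == fic["issuer"]
            and claims.get("sub") == fic["subject"]
            and any(a in fic["audiences"] for a in audiences)
        ):
            return fic["name"]
    return None


def client_credentials_request(tenant_id, client_id, external_token, scope):
    """Token endpoint and form body used to exchange the external token.

    This is the standard client-credentials grant with a JWT client
    assertion; the external token is passed as the client_assertion.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": external_token,
    }
    return url, body


if __name__ == "__main__":
    # Constructed claims from a workflow run on the main branch.
    claims = {
        "iss": "https://token.actions.githubusercontent.com",
        "sub": "repo:contoso/billing:ref:refs/heads/main",
        "aud": DEFAULT_AUDIENCE,
    }
    print("main branch token ->", matching_credential(claims))
    print("pull_request token ->",
          matching_credential(dict(claims, sub="repo:contoso/billing:pull_request")))
```

The practical lesson is that the subject string must be planned to match the exact workflow context (branch, tag, environment, or pull request) that should be allowed to obtain a token; a FIC scoped to `refs/heads/main` does not admit pull-request runs, which is usually the intended least-privilege outcome.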
**Security Measures:**
- Enable workload identity risk detection through Microsoft Entra ID Protection (requires Workload ID Premium) so leaked credentials and anomalous service principal sign-ins surface as risk
- Implement access reviews for service principals
- Use certificates instead of client secrets when managed identities aren't possible
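The credential-management, unused-registration, and certificates-over-secrets points above all come down to reviewing the same data: each application's `passwordCredentials` and `keyCredentials` (with their `endDateTime`) and when its service principal last signed in. The following added example, which is not code from the original page or from Microsoft, runs that review over constructed application objects shaped like the Microsoft Graph `application` resource and a constructed map of last sign-in times; the application names, IDs, dates, the fixed clock, and the 30-day and 90-day thresholds are all assumptions made for the example.

```python
"""Credential-hygiene review of Microsoft Entra app registrations.

Added example, not from the original page. APPLICATIONS mimics the fields a
`GET /applications?$select=displayName,appId,passwordCredentials,keyCredentials`
call returns; LAST_SIGN_IN stands in for the service principal sign-in
activity report. All values are constructed, and the thresholds are assumed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible output
EXPIRY_WARNING = timedelta(days=30)               # assumed rotation lead time
UNUSED_AFTER = timedelta(days=90)                 # assumed "stale" threshold

# Constructed sample registrations, not real tenant data.
APPLICATIONS = [
    {
        "displayName": "payroll-batch",
        "appId": "00000000-0000-0000-0000-000000000001",
        "passwordCredentials": [{"endDateTime": "2024-06-15T00:00:00Z"}],  # secret, 14 days left
        "keyCredentials": [],
    },
    {
        "displayName": "inventory-api",
        "appId": "00000000-0000-0000-0000-000000000002",
        "passwordCredentials": [],
        "keyCredentials": [{"endDateTime": "2025-01-01T00:00:00Z"}],       # certificate, healthy
    },
    {
        "displayName": "legacy-reporting",
        "appId": "00000000-0000-0000-0000-000000000003",
        "passwordCredentials": [{"endDateTime": "2023-12-01T00:00:00Z"}],  # secret already expired
        "keyCredentials": [],
    },
]

# Constructed last sign-in per appId; None means no sign-in on record.
LAST_SIGN_IN = {
    "00000000-0000-0000-0000-000000000001": "2024-05-30T08:00:00Z",
    "00000000-0000-0000-0000-000000000002": "2024-05-01T08:00:00Z",
    "00000000-0000-0000-0000-000000000003": None,
}


def parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_application(app, last_sign_in, now=NOW):
    """Return (code, detail) findings for one application; empty means clean."""
    findings = []
    secrets = app.get("passwordCredentials") or []
    certs = app.get("keyCredentials") or []
    if secrets:
        findings.append(("client-secret",
                         f"{len(secrets)} client secret(s) configured; prefer a certificate or a managed identity"))
    for cred in secrets + certs:
        remaining = parse_graph_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            findings.append(("expired", f"credential expired on {cred['endDateTime']}"))
        elif remaining <= EXPIRY_WARNING:
            findings.append(("expiring", f"credential expires in {remaining.days} days ({cred['endDateTime']})"))
    if last_sign_in is None:
        findings.append(("unused", "no sign-in on record; review for removal"))
    else:
        idle = now - parse_graph_time(last_sign_in)
        if idle > UNUSED_AFTER:
            findings.append(("unused", f"no sign-in for {idle.days} days; review for removal"))
    return findings


def review_tenant(applications=APPLICATIONS, sign_ins=LAST_SIGN_IN, now=NOW):
    """Map displayName -> findings for every registration."""
    return {app["displayName"]: review_application(app, sign_ins.get(app["appId"]), now)
            for app in applications}


if __name__ == "__main__":
    for name, findings in review_tenant().items():
        print(name, "OK" if not findings else "")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

Against real data the same function runs unchanged over the Graph response pages; the review is the evidence for the periodic cleanup the bullets above call for, and the `expiring` findings are what drives certificate rotation before an outage rather than after one.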
Proper planning ensures secure, scalable, and manageable workload identities across your organization.