Managed identities & SP escalation
Kill client secrets; watch credential injection.
The Azure equivalent of "delete the long-lived keys" is: use managed identities and federated credentials instead of service-principal client secrets. Where secrets or over-broad identity permissions remain, they become the escalation and leakage paths.
Managed identities over client secrets
A managed identity gives an Azure resource an Entra identity whose tokens Azure issues and rotates automatically — nothing to store or leak. System-assigned identities live and die with one resource; user-assigned identities are standalone objects you can share across resources and manage independently. Either way, you assign the identity RBAC roles at a scope, and the app fetches tokens from the local metadata endpoint with no secret in code or config. For workloads outside Azure, workload identity federation exchanges an external OIDC token for Azure access with no secret at all.
# Give a Function app a system-assigned identity and grant it ONE vault's secrets.az functionapp identity assign -g rg -n payments-fnPRINCIPAL=$(az functionapp identity show -g rg -n payments-fn --query principalId -o tsv)az role assignment create --assignee-object-id $PRINCIPAL \--role "Key Vault Secrets User" \--scope /subscriptions/SUB/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/app-kv# The app calls the local token endpoint — no client secret anywhere in config.
The service-principal credential escalation
The classic Entra escalation is credential injection: a principal who can add a new client secret or certificate to an existing, privileged service principal or app registration can then authenticate as it and inherit its permissions. Application Administrator and similar roles carry this power. Restrict who can manage app credentials, prefer federated credentials over client secrets, set short secret lifetimes where secrets are unavoidable, and alert on new credentials being added to any privileged service principal.