SKILL.md
---
name: Workload Identity Risk Audit
description: Audit service principals and managed identities for risk, credentials and anomalous sign-ins using Microsoft Entra ID Protection.
---
# Workload Identity Risk Audit
> **TL;DR:** This skill reviews every service principal and managed identity in your tenant, surfaces Entra ID Protection risk signals, ageing credentials and anomalous sign-ins, and produces a prioritised report so risky non-human accounts get attention before they are abused.
## What is a workload identity in Microsoft Entra?
A workload identity is a non-human account, either a service principal or a managed identity, that an application, script or automation uses to authenticate and access resources. Unlike user accounts, workload identities cannot perform multi-factor authentication and often hold long-lived secrets or certificates, which makes them an attractive target for credential theft. Microsoft Entra ID Protection extends risk detection to these identities, flagging leaked credentials, suspicious sign-ins and anomalous behaviour; this skill collects and analyses those signals without making any changes.
## When should you run this skill?
- "Show me which service principals have risky sign-ins flagged by Entra ID Protection."
- "Find workload identities with credentials that are expired or about to expire."
- "Which managed identities have unusual sign-in patterns this month?"
- "Audit our app registrations for leaked or compromised secrets."
- "I need a workload identity risk report before the quarterly security review."
- "List the highest-risk non-human accounts so we can prioritise remediation."
- "Are any service principals signing in from anomalous locations or with stale credentials?"
## How this skill works, step by step
1. Enumerate all service principals and managed identities in the Microsoft Entra tenant using read-only directory queries.
2. Retrieve workload identity risk state and risk detections from Microsoft Entra ID Protection for each identity.
3. Collect credential metadata, including secret and certificate expiry dates, and flag credentials that are expired, expiring soon or unusually long-lived.
4. Gather recent sign-in activity and correlate it with anomalous sign-in and suspicious behaviour detections.
5. Identify dormant workload identities that hold credentials but show no recent sign-in activity.
6. Derive a composite risk score for each identity by weighting the Entra risk level, credential hygiene and sign-in anomalies.
7. Prioritise the results, placing high-risk and credential-exposed identities at the top of the report.
8. Compile the findings into a structured, human-readable output with remediation guidance.
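The scoring in steps 3 to 7, as an added worked example that is not the skill's own code or any Microsoft sample. It runs offline over constructed records in the shape the Microsoft Graph endpoints named in its docstring return; the identity names and IDs are fictitious, and the thresholds and weights (30 days for "expiring soon", 365 days for "long-lived", 90 days for "dormant", and the per-signal points) are illustrative assumptions, not Microsoft values. Only the `servicePrincipalType`, `riskLevel`, `riskState` and `riskLevelDuringSignIn` values are real Graph enumerations.

```python
"""Added worked example, not the skill's own code: steps 3 to 7 over Graph-shaped records.
In a live run the four input lists would come from these read-only Microsoft Graph calls:
  GET /v1.0/servicePrincipals?$select=id,displayName,servicePrincipalType,passwordCredentials,keyCredentials
  GET /v1.0/identityProtection/riskyServicePrincipals
  GET /v1.0/identityProtection/servicePrincipalRiskDetections
  GET /v1.0/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'servicePrincipal')
Thresholds and weights below are illustrative assumptions, not Microsoft values."""
from datetime import datetime, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)            # fixed clock keeps the example deterministic
EXPIRING_SOON_DAYS, LONG_LIVED_DAYS, DORMANT_DAYS = 30, 365, 90
RISK_LEVEL_WEIGHT = {"high": 60, "medium": 35, "low": 15}   # riskyServicePrincipal.riskLevel values
ACTIVE_RISK_STATES = {"atRisk", "confirmedCompromised"}      # remediated/dismissed/confirmedSafe score 0


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))   # Graph timestamps end in 'Z'


def credential_findings(sp, now=NOW):
    """Step 3: label each secret/certificate as expired, expiring soon or long-lived, with a weight."""
    findings = []
    for kind, key in (("Secret", "passwordCredentials"), ("Certificate", "keyCredentials")):
        for cred in sp.get(key) or []:
            start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
            days_left, lifetime = (end - now).days, (end - start).days
            if days_left < 0:
                findings.append((f"{kind} expired {-days_left} days ago", 10))
            elif days_left <= EXPIRING_SOON_DAYS:
                findings.append((f"{kind} expiring in {days_left} days", 10))
            if lifetime > LONG_LIVED_DAYS:
                findings.append((f"{kind} valid for {lifetime} days", 15))
    return findings


def score_identities(service_principals, risky_sps, detections, sign_ins, now=NOW):
    """Steps 2 and 4 to 7: join the feeds on service principal id and rank by composite score."""
    risk_by_id = {r["id"]: r for r in risky_sps}
    detections_by_id, sign_ins_by_id = {}, {}
    for d in detections:
        detections_by_id.setdefault(d["servicePrincipalId"], []).append(d["riskEventType"])
    for s in sign_ins:
        sign_ins_by_id.setdefault(s["servicePrincipalId"], []).append(s)
    rows = []
    for sp in service_principals:
        risk = risk_by_id.get(sp["id"], {})
        level = risk.get("riskLevel", "none") if risk.get("riskState") in ACTIVE_RISK_STATES else "none"
        creds = credential_findings(sp, now)
        events = sign_ins_by_id.get(sp["id"], [])
        anomalous = [e for e in events if e.get("riskLevelDuringSignIn") in RISK_LEVEL_WEIGHT]
        last_seen = max((_ts(e["createdDateTime"]) for e in events), default=None)
        has_creds = bool(sp.get("passwordCredentials") or sp.get("keyCredentials"))
        dormant = has_creds and (last_seen is None or (now - last_seen).days > DORMANT_DAYS)
        score = (RISK_LEVEL_WEIGHT.get(level, 0)          # Entra risk level dominates
                 + min(sum(w for _, w in creds), 25)      # credential hygiene, capped
                 + min(10 * len(anomalous), 30)           # risky sign-ins, capped
                 + (10 if dormant else 0))                # live credential, no recent use
        rows.append({
            "identity": sp["displayName"],
            "type": "Managed identity" if sp["servicePrincipalType"] == "ManagedIdentity" else "Service principal",
            "risk_level": level,
            "detections": detections_by_id.get(sp["id"], []),
            "credential_status": "; ".join(label for label, _ in creds) or "OK",
            "anomalous_sign_ins": len(anomalous),
            "dormant": dormant,
            "score": min(score, 100),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["identity"]))


def render_table(rows):
    """Step 8: the markdown table in the skill's output format."""
    lines = ["| Identity | Type | Entra risk level | Credential status | Anomalous sign-ins | Risk score |",
             "| --- | --- | --- | --- | --- | --- |"]
    for r in rows:
        lines.append(f"| {r['identity']} | {r['type']} | {r['risk_level']} | {r['credential_status']} | "
                     f"{r['anomalous_sign_ins']} | {r['score']} |")
    return "\n".join(lines)


# Constructed sample records in Graph's shape; names and ids are fictitious.
SAMPLE_SPS = [
    {"id": "sp-1", "displayName": "Contoso-Backup-App", "servicePrincipalType": "Application",
     "passwordCredentials": [{"startDateTime": "2024-11-18T00:00:00Z", "endDateTime": "2025-05-18T00:00:00Z"}],
     "keyCredentials": []},
    {"id": "sp-2", "displayName": "invoicing-managed-id", "servicePrincipalType": "ManagedIdentity",
     "passwordCredentials": [],
     "keyCredentials": [{"startDateTime": "2024-06-10T00:00:00Z", "endDateTime": "2025-06-10T00:00:00Z"}]},
    {"id": "sp-3", "displayName": "legacy-reporting-sp", "servicePrincipalType": "Application",
     "passwordCredentials": [{"startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}],
     "keyCredentials": []},
]
SAMPLE_RISKY = [{"id": "sp-1", "riskLevel": "high", "riskState": "atRisk"},
                {"id": "sp-2", "riskLevel": "medium", "riskState": "atRisk"}]
SAMPLE_DETECTIONS = [{"servicePrincipalId": "sp-1", "riskEventType": "leakedCredentials"},
                     {"servicePrincipalId": "sp-1", "riskEventType": "anomalousServicePrincipalActivity"}]
SAMPLE_SIGNINS = [
    {"servicePrincipalId": "sp-1", "createdDateTime": "2025-05-30T01:00:00Z", "riskLevelDuringSignIn": "high"},
    {"servicePrincipalId": "sp-1", "createdDateTime": "2025-05-31T02:00:00Z", "riskLevelDuringSignIn": "medium"},
    {"servicePrincipalId": "sp-2", "createdDateTime": "2025-05-30T03:00:00Z", "riskLevelDuringSignIn": "none"},
    {"servicePrincipalId": "sp-3", "createdDateTime": "2025-01-15T00:00:00Z", "riskLevelDuringSignIn": "none"},
]

if __name__ == "__main__":
    print(render_table(score_identities(SAMPLE_SPS, SAMPLE_RISKY, SAMPLE_DETECTIONS, SAMPLE_SIGNINS)))
```

Swapping the four constructed lists for the paginated Graph responses is the only change a live run needs, and the logic stays read-only because nothing is ever written back. Note that a remediated, dismissed or confirmed-safe risk state scores zero here, so stale Entra findings do not keep an identity at the top of the report, while a dormant identity with a live credential still surfaces even when Entra has raised no risk at all.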
## Output format
The skill returns a prioritised table of workload identities followed by a summary.
| Identity | Type | Entra risk level | Credential status | Anomalous sign-ins | Risk score |
| --- | --- | --- | --- | --- | --- |
| Contoso-Backup-App | Service principal | High | Secret expired 14 days ago | 2 (suspicious sign-ins) | 92 |
| invoicing-managed-id | Managed identity | Medium | Certificate expiring in 9 days | 0 | 58 |
Summary:
- **High-risk identities** requiring immediate attention and credential rotation.
- **Credential hygiene issues**, including expired, expiring or long-lived secrets and certificates.
- **Anomalous sign-in detections** correlated from Microsoft Entra ID Protection.
- **Dormant workload identities** that hold active credentials but show no recent activity.
## Scope and safety
This skill is read-only by default and makes no changes to your tenant, identities or credentials. It only inspects and reports.
This skill does NOT:
- Rotate, revoke, create or delete any secrets, certificates or credentials.
- Disable, block or modify any service principal or managed identity.
- Change Conditional Access, risk policies or any Microsoft Entra ID Protection configuration.
- Remediate findings automatically; all remediation remains a deliberate human action.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Workload identity risk detections and risk state from Microsoft Entra ID Protection | Microsoft Entra Workload ID Premium |
| Enumerating service principals, managed identities and reading credential metadata | Microsoft Entra ID Free (read-only directory access) |
| Reading sign-in activity for workload identities | Microsoft Entra ID P1 |
### Least-privilege roles
- Security Reader (read-only access to Microsoft Entra ID Protection risk data)
- Global Reader (read-only access to directory objects, service principals and credentials)
### Microsoft Graph permissions (read-only)
- `Application.Read.All` - reads service principals, app registrations and their secret and certificate credential metadata
- `IdentityRiskyServicePrincipal.Read.All` - reads workload identity risk state and risk level (`riskyServicePrincipals`) from Microsoft Entra ID Protection
- `IdentityRiskEvent.Read.All` - reads the individual workload identity risk detections (`servicePrincipalRiskDetections`) behind that risk state
- `AuditLog.Read.All` - reads sign-in activity for service principals and managed identities
- `Directory.Read.All` - reads managed identities and supporting directory objects
## Sources and compliance
- [Securing workload identities with Microsoft Entra ID Protection](https://learn.microsoft.com/en-us/entra/id-protection/concept-workload-identity-risk)
- [What are workload identities?](https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview)
- Supports Essential Eight "Restrict administrative privileges" by surfacing over-privileged and risky non-human accounts, and aligns with ISM controls for privileged access and event monitoring.
- Reinforces credential hygiene expectations under the [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model).
- Output in Australian English.
## How to use this skill
1. Get the file. Download or copy the `SKILL.md` from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio: add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code): drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host: paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions above, and nothing broader.
4. Provide your scope and run it: the whole tenant, or a subset of service principals and managed identities (for example, those owned by one team).
5. Review the report and action the risk-ranked recommendations.
This skill is read-only by default: it inspects and reports, and never changes your tenant.