Setting Workload Identity Category
Categories let administrators classify service principals in Entra ID by compliance regime, security tier, or functional role. A consistent classification makes it easier to filter and report on workload identities and to focus risk management on the identities that matter most.
Best Practices
- Assign categories consistently across similar identities.
- Use Tier levels to indicate privilege and risk.
- Regularly review categories for accuracy.
To set a category:
- Navigate to Security | Workload Identities.
- Select one or more service principals from the list.
- Click Set Category in the toolbar.
- In the Set Category window, assign up to five labels from the predefined list.
- Click Save to apply the changes.
Available Categories

| Category | Description |
| --- | --- |
| Agentic AI | AI-related workloads or agents. |
| FISMA | Federal Information Security Management Act compliance. |
| GDPR | General Data Protection Regulation compliance. |
| GLBA | Gramm-Leach-Bliley Act compliance. |
| HIPAA | Health Insurance Portability and Accountability Act compliance. |
| PCI | Payment Card Industry standards. |
| SAS | Statistical Analysis System or similar workloads. |
| Security Scanning | Identities used for vulnerability or compliance scanning. |
| SOX | Sarbanes-Oxley Act compliance. |
| Tier 0–Tier 4 | Security tiers indicating privilege level and criticality. |
Setting Privileged Status for Workload Identities
The Set Privileged action lets administrators classify selected service principals as Privileged, marking them as critical assets that require enhanced security measures and, separately, a certification review (see Certifying Privileged Status).
Best Practices
To set a service principal as a critical asset:
- Navigate to Security | Workload Identities.
- Select one or more service principals from the list.
- Click Set Privileged in the toolbar.
- Confirm by selecting Set Privileged Object.
NOTE: The Certification Status column will not reflect changes immediately. Updates occur after:
Certifying Privileged Status
The Certify Privileged action records that the selected privileged service principals have been reviewed and validated as qualifying for privileged status. Certification is a separate step from setting the Privileged flag: an identity can be marked Privileged but remain Not Certified until a reviewer confirms it. This step is part of maintaining compliance and security assurance.
Best Practices
NOTE: The Certification Status column will not reflect changes immediately. Updates occur after:
To certify a service principal as a critical asset:
- Navigate to Security | Workload Identities.
- Select one or more service principals from the list that are marked as Not Certified.
- Click More in the toolbar and choose Certify Privileged.
- Confirm that the selected objects qualify as privileged by selecting Certify Privileged Objects.
To uncertify a service principal as a critical asset:
- Navigate to Security | Workload Identities.
- Select one service principal from the list that is marked as Certified.
- Click More in the toolbar and choose Uncertify Privileged.
- Confirm that the selected object should no longer be qualified as privileged by selecting Uncertify Privileged Objects.
Reloading Workload Identities
The Reload Identity feature lets administrators refresh the details of selected service principals from Entra ID on demand, without waiting for the next full data collection cycle. This ensures that recent changes in Entra ID are reflected in Security Guardian immediately.
Best Practices
- Use Reload Identity after making changes in Entra ID to ensure data accuracy.
- Avoid frequent reloads of large selections to minimize API load.
- Monitor Last Reloaded timestamps for auditing and troubleshooting.
To reload workload identity properties:
- Navigate to Security | Workload Identities.
- Select up to 10 service principals from the list.
- Click Reload Identity in the toolbar.
- Click Reload Now to collect and view the latest property values for the selected workload identities.