The era of passwords is coming to an end. In December 2024, Microsoft stated they are blocking 7,000 attacks on passwords per second. A number almost double what they saw just one year prior. As a result, Microsoft is advocating enterprises to move away from traditional authentication methods, such as passwords and API keys. These pose significant security risks due to their susceptibility to leaks, theft, and mismanagement. Microsoft encourages enterprises to transition to modern Microsoft Entra ID (formerly Azure Active Directory) powered authentication methods. This move eliminates reliance on static credentials and instead leverages Managed Identities and Service Principals for secure and scalable authentication within Azure services to greatly increase the security of your applications and workloads.

Why Move Away from Passwords and API Keys?

Traditional authentication mechanisms, such as passwords and API keys, have long been the cornerstone of access control. However, as cyber threats become more sophisticated, these static credentials have proven to be one of the weakest links in security. Enterprises that continue to rely on passwords and API keys face increased risks of breaches, unauthorized access, and data leaks.

What makes passwords and keys easy for developers, also makes them easy for hackers! With their simplicity, passwords and keys bring with them some major security risks if not managed properly.

// Define the API endpoint and the API key to unlock it all
const apiEndpoint = 'https://api.example.com/data';
const apiKey = 'your_api_key_here';

const response = await fetch(apiEndpoint, {
  method: 'GET',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': `Bearer ${apiKey}`
  }
});

if (!response.ok) {
  throw new Error(`HTTP error! status: ${response.status}`);
}

const data = await response.json();
console.log(data);

Passwords and keys introduce several security risks and vulnerabilities:

• Exposure Risks: Hardcoded keys in source code or configuration files can be leaked via repositories, logs, or insider threats.
• Static and Long-Lived Credentials: API keys are often valid indefinitely unless manually rotated, increasing the attack surface.
• Lack of Granular Control: API keys typically offer broad access rather than fine-grained permissions, leading to over-privileged access.
• Secret Management Challenges: Enterprises struggle with securely storing and rotating secrets across multiple services.
• Privilege Escalation: An attacker can use leaked keys to gain higher levels of access within systems.
• Data Breaches: Attackers can gain unauthorized access to sensitive data using leaked keys.

On the end-user side of things, Microsoft is implementing Passkeys to greatly improve the security for services like Xbox, Microsoft 365, and Microsoft Copilot. In the cloud, with Microsoft Azure services and your enterprise workloads, Microsoft advocates for a shift toward more secure and automated authentication methods provided by Microsoft Entra ID.

“There’s no doubt about it: The password era is ending. Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” – Microsoft

Modern Authentication with Microsoft Entra

As enterprises transition away from traditional authentication mechanisms, Microsoft Entra provides a modern approach that enhances security while simplifying identity management. By leveraging Entra ID authentication, enterprises can eliminate the need for passwords and API keys, replacing them with more secure and automated solutions. Entra authentication enables seamless integration with Azure services, providing robust identity management capabilities that reduce security risks and operational overhead. Below, let’s take a look at the various authentication methods available through Entra and how they can be implemented effectively.

Using DefaultAzureCredential for Unified Authentication

The DefaultAzureCredential class from the Azure Identity library simplifies authentication by automatically selecting the most appropriate authentication method based on the environment. It supports Managed Identities, Service Principals, and local development credentials.

Use Cases:

• Local Development & Cloud Applications: Automatically switches between local authentication (e.g., Azure CLI, Visual Studio) and cloud authentication (e.g., Managed Identity, Service Principal).
• Azure Functions & App Services: Provides seamless authentication without manual credential management.
• CI/CD Pipelines: Integrates with GitHub Actions, Azure DevOps, and other automation platforms.

Implementation Steps:

1. Ensure the necessary permissions are assigned via Azure RBAC.
2. Use the DefaultAzureCredential class in your application.

Example authentication in C#:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var credential = new DefaultAzureCredential();
var keyVaultClient = new SecretClient(new Uri("https://your-keyvault.vault.azure.net"), credential);

This approach allows applications to securely authenticate across multiple environments without requiring hardcoded secrets or manual configuration.

Managed Identities for Azure Resources

Managed Identities eliminate the need to store credentials by enabling Azure resources to securely authenticate without explicit secrets. Two types of Managed Identities are available:

• System-Assigned Managed Identity: Tied to a specific Azure resource and automatically managed by Azure.
• User-Assigned Managed Identity: Independently managed and reusable across multiple Azure resources.

Use Cases:

• Azure Virtual Machines (VMs): Securely access Azure Key Vault, Storage Accounts, and databases without embedding credentials.
• Azure App Service and Functions: Authenticate to databases, storage, and APIs without managing API keys.
• Containers in Azure Kubernetes Service (AKS): Allow workloads to access Azure resources securely using pod-managed identities.

Implementation Steps:

1. Enable Managed Identity on the Azure resource (e.g., VM, App Service, Function App).
2. Assign appropriate Azure RBAC (Role-Based Access Control) roles to grant the resource access.
3. Use Entra authentication SDKs (Azure Identity library) to acquire tokens and authenticate.

Example authentication in Python:

from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient

credential = ManagedIdentityCredential()
keyvault_client = SecretClient(vault_url="https://your-keyvault.vault.azure.net", credential=credential)

Service Principals for Application Authentication

Service Principals act as non-human identities for applications, enabling secure authentication to Azure services.

Use Cases:

• CI/CD Pipelines: Authenticate to Azure DevOps or GitHub Actions for deploying infrastructure securely.
• Cross-Tenant Authentication: Provide controlled access between services across Azure tenants.
• Programmatic Access: Secure applications communicating with Azure APIs.

Implementation Steps:

1. Register an App in Entra ID to create a Service Principal.
2. Assign necessary permissions via Azure RBAC.
3. Authenticate using a client ID and certificate-based authentication (avoiding client secrets when possible).

Example authentication in Node.js:

const { ClientSecretCredential } = require("@azure/identity");
const { BlobServiceClient } = require("@azure/storage-blob");

// Define authentication credentials
const tenantId = "your-tenant-id";
const clientId = "your-client-id";
const clientSecret = "your-client-secret";

// Create a credential instance
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

// Azure Storage Account URL
const storageAccountName = "your-storage-account-name";
const blobServiceClient = new BlobServiceClient(
    `https://${storageAccountName}.blob.core.windows.net`,
    credential
);

async function listContainers() {
    try {
        console.log("Listing containers:");
        for await (const container of blobServiceClient.listContainers()) {
            console.log(`- ${container.name}`);
        }
    } catch (error) {
        console.error("Error listing containers:", error);
    }
}

listContainers();

Federated Identity Credentials for Workload Identity

Microsoft Entra supports federated credentials to allow workloads (such as GitHub Actions, Kubernetes pods, or external applications) to authenticate to Azure resources without needing secrets.

Use Cases:

• GitHub Actions Workflows: Securely deploy Azure resources without storing secrets.
• External Identity Providers (OIDC): Authenticate workloads using federated identities instead of passwords.

Implementation Steps:

1. Configure a Federated Credential in Microsoft Entra ID.
2. Assign permissions via Azure RBAC.
3. Use OIDC authentication to obtain an Entra access token.

By leveraging federated identity credentials, enterprises can significantly enhance security while simplifying access management for workloads. This method eliminates the risk of hardcoded secrets, reduces administrative overhead, and enables seamless integration with modern cloud-native workflows. As security threats continue to evolve, federated authentication ensures that workloads operate in a highly secure, scalable, and compliant manner.

Conditional Access and Policy Enforcement

One of the most powerful features of Microsoft Entra is its ability to enforce Conditional Access Policies that dynamically adapt to security risks. Enterprises can define and enforce access controls based on factors such as user identity, device compliance, location, and real-time risk assessment. This ensures that only authorized users gain access under secure conditions, significantly reducing the risk of unauthorized access and credential compromise.

By using Microsoft Entra, enterprises can enforce security policies such as:

• Multi-Factor Authentication (MFA) for added security.
• Conditional Access Policies to restrict access based on risk factors.
• Token Lifetime Policies to limit session durations.

By leveraging Conditional Access, enterprises can take a proactive approach to security, ensuring that access to sensitive resources is always evaluated against risk signals. This strategic security measure not only safeguards data but also provides users with a frictionless authentication experience that balances protection with productivity.

Key Benefits of Entra Authentication

Adopting Microsoft Entra authentication offers a multitude of advantages beyond just eliminating passwords and API keys. By leveraging identity-based authentication, enterprises can significantly enhance security, streamline access management, and reduce operational complexity. This modern approach to authentication aligns with best practices for securing cloud environments while ensuring scalability and ease of use.

• No Credential Storage: No need to store or rotate API keys or passwords.
• Automatic Identity Lifecycle Management: Azure manages credentials, reducing administrative overhead.
• Granular Role-Based Access: Enforces least-privilege access across services.
• Strong Security Posture: Short-lived tokens minimize the risk of credential leaks.
• Seamless Integration: Works across Azure services, CI/CD pipelines, and third-party platforms.

By embracing Entra authentication, businesses can future-proof their security infrastructure, reduce operational overhead, and ensure compliance with industry standards. The shift to passwordless authentication not only mitigates the risks associated with credential leaks but also enhances user experience and access management efficiency.

Conclusion

The future of authentication is passwordless. The shift away from passwords and API keys is no longer an idea for the future. This is a necessity for enterprises looking to adopt a stronger security posture. With cyber threats increasing at an alarming rate, Microsoft’s push towards Microsoft Entra ID authentication is a game-changer for organizations seeking to secure their workloads and applications in Azure.

By adopting Managed Identities, Service Principals, and Federated Identity Credentials, enterprises can eliminate static credentials, reduce attack surfaces, and enforce robust access controls. This transition not only mitigates the risks associated with credential leaks but also simplifies identity management, ensuring seamless and scalable authentication across cloud environments.

Enterprises that embrace Microsoft Entra authentication today will not only strengthen their security posture but also position themselves for a more resilient and efficient digital future. Now is the time to ditch passwords for good and adopt a security-first approach with Entra ID.

For enterprises still relying on traditional secrets, now is the time to modernize authentication strategies and embrace passwordless security with Microsoft Entra!

Original Article Source: Microsoft Says “Ditch Passwords & Keys”, Use Entra ID Authentication Instead written by Chris Pietschmann (If you're reading this somewhere other than Build5Nines.com, it was republished without permission.)