After Lab 1.1 — Recap
In Lab 1.1, you inspected the Azure environment and looked at identities, roles and scopes.
The main question was:
Does any identity in this resource group have more access than it needs?
What you should have discovered
The backend application has a managed identity.
This is a workload identity, not a human identity.
You should also have found which roles are assigned to that identity.
The important finding is that the backend identity has a broad role assignment.
Example:
Identity: Backend managed identity
Role: Contributor
Scope: Resource group
Screenshot suggestion
Add a screenshot of the role assignments for the resource group.
Suggested screenshot:
Azure Portal → Resource Group → Access control (IAM) → Role assignments
Highlight the backend managed identity and its role.
Alternative CLI screenshot:
```bash
az role assignment list \
  --resource-group <RESOURCE_GROUP_NAME> \
  --output table
```
Add `--include-inherited` to also list assignments made at subscription scope, which the backend identity inherits but which do not appear in the resource group view by default.
Why this matters
A backend application usually does not need to manage an entire resource group.
Contributor lets the identity create, change and delete every resource in the group (it cannot assign roles, but it can do almost everything else).
If the backend only needs to read one secret or talk to one specific service, then Contributor at resource group scope is far broader than the job requires.
The risk is the combination of:
workload identity
+ powerful role
+ broad scope
Human identity versus workload identity
A human identity belongs to a person.
A workload identity belongs to software.
| Type | Example | Risk |
|---|---|---|
| Human identity | Developer account | Misuse by user or stolen account |
| Workload identity | App Service managed identity | Misuse through vulnerable application |
A workload identity is not interactive like a user account, but it can still be very powerful.
If an attacker controls the workload, they may be able to use the workload identity.
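To make the "workload identity + powerful role + broad scope" combination and the human-versus-workload distinction concrete, here is an added example that is not part of the lab material. It reads the JSON that `az role assignment list --resource-group <RG> --output json` produces and reports every assignment that matches all three risk factors at once. The `SAMPLE_ASSIGNMENTS` data is a constructed sample shaped like real output (the subscription ID, principal names and vault name are made up), so the script runs offline.

```python
"""Flag workload identities that hold a powerful role at a broad scope.

Added example, not the lab's own tooling. Input is the JSON produced by
`az role assignment list --resource-group <RG> --output json`; only the
fields principalName, principalType, roleDefinitionName and scope are used.
"""
import json

# Built-in roles that allow changing resources, not just reading them.
POWERFUL_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Managed identities (and app registrations) appear as principalType
# "ServicePrincipal" in role assignment output; people appear as "User".
WORKLOAD_PRINCIPAL_TYPES = {"ServicePrincipal"}

# Scope levels at which a powerful role covers more than one resource.
BROAD_SCOPES = {"tenant", "managementGroup", "subscription", "resourceGroup"}

# Constructed sample: shaped like `az role assignment list` output, values are made up.
SAMPLE_ASSIGNMENTS = json.dumps([
    {   # the finding from Lab 1.1: workload identity, Contributor, resource group scope
        "principalName": "backend-app",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lab-rg",
    },
    {   # same role and scope, but a human identity: reported separately, not here
        "principalName": "dev@example.com",
        "principalType": "User",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lab-rg",
    },
    {   # a workload identity scoped the way the text recommends: one role, one resource
        "principalName": "frontend-app",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Key Vault Secrets User",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lab-rg"
                 "/providers/Microsoft.KeyVault/vaults/lab-kv",
    },
    {   # an inherited subscription-level assignment, visible with --include-inherited
        "principalName": "ops-automation",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Owner",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    },
])


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much it covers.

    "/"                                             -> tenant
    "/providers/Microsoft.Management/managementGroups/<mg>" -> managementGroup
    "/subscriptions/<id>"                           -> subscription
    "/subscriptions/<id>/resourceGroups/<rg>"       -> resourceGroup
    anything containing a /providers/ segment below a subscription -> resource
    """
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "tenant"
    if parts[0].lower() == "providers":
        return "managementGroup"
    if any(p.lower() == "providers" for p in parts):
        return "resource"
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "subscription"


def find_overprivileged_workloads(assignments_json: str) -> list:
    """Return assignments where all three risk factors from the text coincide."""
    findings = []
    for a in json.loads(assignments_json):
        is_workload = a.get("principalType") in WORKLOAD_PRINCIPAL_TYPES
        is_powerful = a.get("roleDefinitionName") in POWERFUL_ROLES
        level = scope_level(a.get("scope", ""))
        if is_workload and is_powerful and level in BROAD_SCOPES:
            findings.append({
                "principal": a.get("principalName"),
                "role": a["roleDefinitionName"],
                "scopeLevel": level,
                "scope": a["scope"],
            })
    return findings


if __name__ == "__main__":
    for f in find_overprivileged_workloads(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']}: {f['role']} at {f['scopeLevel']} scope ({f['scope']})")
```

On the sample data the script reports `backend-app` (Contributor at resource group scope) and `ops-automation` (Owner at subscription scope). The developer account with the same Contributor role is deliberately not flagged here: it carries the "misuse by user or stolen account" risk from the table, which is reviewed separately, while the script focuses on the workload case where a vulnerable application is the path to the identity. To run it against a real resource group, pipe the `az` output into `find_overprivileged_workloads` instead of `SAMPLE_ASSIGNMENTS`.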
Main takeaway
A managed identity is useful, but it still needs carefully scoped permissions.
The problem is not that the backend has an identity.
The problem is that the identity has more access than the backend probably needs.
Bridge to Lab 1.2
In the next lab, we test what this broad permission actually allows.
We will also see an important nuance:
Broad access is not always the same as correct access.