Ditch Passwords in Azure: Entra ID Tokens, Managed Identities & How Real Apps Secure Everything

Ditch Passwords in Azure: Entra ID Tokens, Managed Identities & How Real Apps Secure Everything

Passwordless Azure security, Entra ID, managed identities and access tokens – this episode is for people searching “ditch passwords Azure apps”, “managed identity vs secrets”, “Entra ID app authentication”, “token‑based security Azure”, “service identity best practices” or “secrets in appsettings.json risk”. If your apps still hide usernames and passwords in configs, Key Vault or Git history, this conversation shows how real‑world Azure apps swap credentials for tokens, shrink blast radius and stop living one leaked secret away from an incident.

We start with the “doormat key” problem: hard‑coded credentials in web.config, appsettings.json, scripts and pipelines. You’ll hear why secrets never stay in one place—how they spread across dev, test, backups, laptops and screenshots—and why treating passwords as “internal” is just slow‑motion public exposure. We talk through real patterns of secret sprawl (Git repos, logs, zipped backups, contractor access) and why “just this once for speed” turns into years of brittle, unrotated keys guarding your most sensitive resources.

Then we flip the script and make the case for tokens. We break down how Entra ID issues scoped, short‑lived access tokens, why that beats static credentials every time, and how Microsoft identity libraries handle acquisition and refresh so you don’t have to hand‑roll OAuth logic. Tokens act like time‑boxed guest passes instead of master keys: tightly scoped, self‑expiring, full of claims your APIs can inspect to enforce least privilege instead of trusting “whoever has the connection string”. You’ll hear practical examples of how tokens turn what would have been a full‑blown breach into a limited annoyance because the scope and lifetime are controlled by design.

From there, we introduce managed identities as “service principals, but less dumb.” Instead of generating client secrets and chasing expiry dates, your app gets a first‑class identity automatically managed by Azure, which it uses to request tokens for Storage, SQL, Key Vault and more—no secrets, no manual rotation, no config files stuffed with skeleton keys. We walk through how system‑assigned and user‑assigned managed identities work, how to wire them into your code, what changes in your connection patterns, and how this simplifies both security and operations for real Azure workloads.

WHAT YOU WILL LEARN
  • Why hard‑coded credentials and “internal only” secrets in configs are guaranteed to leak over time.
  • How secret sprawl across repos, logs, backups and laptops creates a buffet for attackers.
  • How Entra ID issues scoped, short‑lived tokens that beat static passwords every time.
  • How Microsoft identity libraries handle token acquisition and refresh so you don’t.
  • Why tokens turn master keys into time‑boxed guest passes with limited blast radius.
  • How managed identities replace service principal secrets with built‑in, managed app identities.
  • Practical patterns for connecting apps to Azure services using tokens instead of passwords.
  • A realistic path to migrate away from connection strings with credentials to modern, token‑based auth.
THE CORE INSIGHT

The core insight of this episode is that you don’t secure Azure apps by hiding passwords better—you secure them by eliminating passwords altogether. Once you move to Entra‑issued tokens and managed identities, your apps stop hoarding skeleton keys and start using scoped, short‑lived access that auto‑heals when something leaks, making both your security posture and your operations radically easier to live with.

WHO THIS IS FOR
  • Cloud and application developers building on Azure today.
  • Security and identity engineers fighting secret sprawl across code and pipelines.
  • DevOps teams maintaining connection strings and service principals with expiring secrets.
  • Architects designing Zero Trust‑aligned app authentication patterns in Azure.
  • Anyone who has ever checked a secret into Git “just this once” and regretted it later.
ABOUT THE HOST

Mirko Peters is a Microsoft 365 consultant and host of M365.FM, where he explores modern work, security and productivity with Microsoft 365, Azure and Entra ID. He helps teams replace legacy, password‑centric designs with token‑ and identity‑driven architectures that are easier to operate, easier to audit and far harder for attackers to turn into headline incidents.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.

Denne episoden er hentet fra en åpen RSS-feed og er ikke publisert av Podme. Den kan derfor inneholde annonser.

Episoder(801)

Azure Storage Accounts - Simply Explained

Azure Storage Accounts - Simply Explained

An Azure Storage Account is the foundation of Microsoft's cloud storage platform and acts as a single container that brings together multiple storage services under one roof. Rather than creating sepa...

18 Jul 13min

Azure DDoS Protection - Simply Explained

Azure DDoS Protection - Simply Explained

Azure DDoS Protection is Microsoft's managed service for defending internet-facing applications against Distributed Denial-of-Service (DDoS) attacks. These attacks attempt to overwhelm websites, APIs,...

18 Jul 16min

Azure Network Security Groups - Simply Explained

Azure Network Security Groups - Simply Explained

Azure DDoS Protection is Microsoft's managed service for defending internet-facing applications against Distributed Denial-of-Service (DDoS) attacks. These attacks attempt to overwhelm websites, APIs,...

18 Jul 14min

Azure Virtual Network - Simply Explained

Azure Virtual Network - Simply Explained

An Azure Virtual Network (VNet) is your own private network inside Microsoft Azure. It provides the secure foundation for virtually every cloud workload you deploy, including virtual machines, databas...

18 Jul 17min

Azure Private Link - Simply Explained

Azure Private Link - Simply Explained

Azure Private Link is Microsoft's networking service that enables secure, private connectivity between your Azure Virtual Network and Azure Platform-as-a-Service (PaaS) resources such as Azure Storage...

18 Jul 16min

Azure Traffic Manager - Simply Explained

Azure Traffic Manager - Simply Explained

Azure Traffic Manager is Microsoft's global DNS-based traffic distribution service that directs users to the most appropriate application endpoint anywhere in the world. Instead of sending every user ...

18 Jul 16min

Azure DNS - Simply Explained

Azure DNS - Simply Explained

Azure DNS is Microsoft's fully managed Domain Name System (DNS) hosting service that translates human-friendly domain names like contoso.com into the IP addresses computers use to communicate. Instead...

18 Jul 15min

MCP (Model Context Protocol) - Simply Explained

MCP (Model Context Protocol) - Simply Explained

The Model Context Protocol (MCP) is an open standard that allows AI models to securely connect to external tools, applications, and data sources using a single, consistent protocol. Before MCP, every ...

17 Jul 15min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
aftenpodden-usa
fotballpodden-2
forklart
stopp-verden
popradet
rss-gukild-johaug
det-store-bildet
hanna-de-heldige
rss-ness
aftenbla-bla
nokon-ma-ga
dine-penger-pengeradet
rss-penger-polser-og-politikk
bt-dokumentar-2
lydartikler-fra-aftenposten
rss-utenrikskomiteen-med-bogen-og-grasvik
e24-podden
unitedno