Restrict using Azure Service Principal by Humans

azure azure-active-directory spn

If a user get's hold of the credentials for a service principal then they will be able to login with it, there's no way to stop that. The solution to your problem is to make it difficult for users to get the credentials.

One way to do this is to use certificates to login as a SP, rather than a password. If you create the SP and only assign a certificate to it, then the user will need the private key to be able to login. If you then make sure that this private key is only installed on your automation servers, and the users have no access to this then they will have difficulty using this.

Alternatively, you can use managed identity rather than service principals. Assign the MI to your automation machines, ensure they users don't have access to this.

Related

Setting CPU frequency to hardware minimum limit - will it harm the hardware?
How to *actually* exclude a directory in AWS S3 sync?
Strange behaviour with numbers that have a leading zero [duplicate]
More efficient way for pausing loop wanted
How can I preserve the search filters in jqGrid on page reload?
replacing glReadPixels with EGL_KHR_image_base for faster pixel copy
Is it possible to add Legend to the plot in JFreeChart?
C++ integer overflow
Generate 16-bit grayscale BitmapData and save to file
How to set icon in a column of JTable?
Handling extra operators in Shunting-yard
Converting ASP.NET MVC Razor @helper function into a method of a helper class