Video Snapshot: Why Non-Human Identities Matter
In a recent YouTube episode hosted by Merill Fernando, security expert Erika Zelic exposes the growing risk of what she calls Shadow Admins — non-human identities inside Microsoft Entra tenants that can hold excessive privileges without human oversight. The conversation frames these actors as a mixture of legacy service principals, modern app registrations, and a new class of agent identities that increasingly act autonomously. Together, Fernando and Zelic argue that many organizations lack visibility into these identities and therefore underestimate the attack surface that automation and AI introduce. Consequently, the episode serves as a practical wake-up call for administrators and security teams.
Hidden Permissions and the Most Dangerous Access
Erika details how both application (app-only) permissions and delegated permissions can become de facto admin privileges when nobody reviews them. The distinction matters: an application permission lets the identity act with no signed-in user at all, while a delegated permission is bounded by the user who consented, except that an admin-consented delegated grant covers every user in the tenant. She warns that some scopes are particularly dangerous in practice. For example, Files.ReadWrite.All or Sites.FullControl.All let anyone who obtains the identity's credential read, modify, or delete content across the whole organization, so these grants deserve immediate attention. Permission sprawl also grows quietly: teams add integrations, request more than they need, and forget to remove or narrow the access later, which makes discovery urgent. Identifying and prioritizing these high-risk permissions is therefore an early and effective step toward containment.
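One way to put that discovery step into practice, as an added example that is not code from the episode or from Microsoft: the script below reads records shaped like the three Graph objects involved (the resource's appRoles, appRoleAssignments for application permissions, and oAuth2PermissionGrants for delegated ones) and lists which service principals hold admin-equivalent scopes. The data is constructed (the GUIDs and principal IDs are made up) and the HIGH_RISK set is an assumed starting list; in a live tenant the same three collections come from https://graph.microsoft.com/v1.0.

```python
"""Triage Microsoft Graph permission grants held by service principals.

Added example (not from the episode or Microsoft). Runs over constructed
records shaped like servicePrincipal.appRoles, appRoleAssignment and
oAuth2PermissionGrant, so it works offline.
"""
from dataclasses import dataclass

# Scopes the episode singles out plus a few others that grant tenant-wide
# read/write. Assumption: treat these as admin-equivalent for triage.
HIGH_RISK = {
    "Files.ReadWrite.All", "Sites.FullControl.All", "Mail.ReadWrite",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}

# --- Constructed sample data; the GUIDs are made up, not real role IDs ---

# The resource service principal (e.g. Microsoft Graph) publishes appRoles.
# appRoleAssignments reference them only by id, so a lookup table is needed.
GRAPH_APP_ROLES = {
    "11111111-0000-0000-0000-000000000001": "Files.ReadWrite.All",
    "11111111-0000-0000-0000-000000000002": "Sites.FullControl.All",
    "11111111-0000-0000-0000-000000000003": "User.Read.All",
}

# appRoleAssignment objects: application (app-only) permissions, no user involved.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-legacy-sync", "principalDisplayName": "Legacy HR Sync",
     "appRoleId": "11111111-0000-0000-0000-000000000002"},
    {"principalId": "sp-reporting", "principalDisplayName": "Reporting Bot",
     "appRoleId": "11111111-0000-0000-0000-000000000003"},
]

# oAuth2PermissionGrant objects: delegated permissions. 'scope' is a
# space-separated string; consentType AllPrincipals is admin consent on
# behalf of every user in the tenant.
OAUTH2_GRANTS = [
    {"clientId": "sp-legacy-sync", "consentType": "AllPrincipals",
     "scope": "User.Read Files.ReadWrite.All"},
    {"clientId": "sp-reporting", "consentType": "Principal",
     "principalId": "user-123", "scope": "User.Read"},
]


@dataclass
class Finding:
    principal_id: str
    permission: str
    kind: str           # "application" or "delegated"
    note: str = ""


def triage(app_roles, assignments, grants, high_risk=HIGH_RISK):
    """Flag every high-risk grant; unknown role ids are flagged too."""
    findings = []
    for a in assignments:
        name = app_roles.get(a["appRoleId"], f"unknown:{a['appRoleId']}")
        if name in high_risk or name.startswith("unknown:"):
            findings.append(Finding(a["principalId"], name, "application",
                                    "app-only: acts without any signed-in user"))
    for g in grants:
        for scope in g["scope"].split():
            if scope in high_risk:
                who = ("all users" if g["consentType"] == "AllPrincipals"
                       else g.get("principalId", "?"))
                findings.append(Finding(g["clientId"], scope, "delegated",
                                        f"on behalf of {who}"))
    return findings


def shadow_admins(findings):
    """Principals holding at least one high-risk grant of either kind."""
    return sorted({f.principal_id for f in findings})


if __name__ == "__main__":
    for f in triage(GRAPH_APP_ROLES, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS):
        print(f"{f.principal_id:18} {f.kind:12} {f.permission:28} {f.note}")
```

The lookup table is the part that is easy to get wrong: an appRoleAssignment carries only the appRoleId, so the name has to be resolved against the resource service principal (for Microsoft Graph, the one with appId 00000003-0000-0000-c000-000000000000). A delegated grant with consentType AllPrincipals deserves the same scrutiny as an app-only role, and an unresolved role id is a finding in its own right until someone identifies it.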
A Real-World Attack: How Secrets in Email Led to Full Compromise
The episode recounts the Midnight Blizzard incident to illustrate how buried secrets can escalate into tenant-wide compromise, and the example makes the threat tangible. In that case, credentials and API keys stored in places such as mailboxes and old configuration files were discovered and abused, enabling lateral movement and privilege escalation across services. Zelic emphasizes that credential sprawl, the proliferation of unmanaged secrets that nobody owns, rotates, or expires, remains one of the most common failure modes in cloud security. As a result, teams must treat secret hygiene and lifecycle management as first-class security responsibilities, starting with an inventory of which identities still hold static credentials and when those credentials expire.
Managed Identities, Agent IDs, and the Tradeoffs
Fernando and Zelic make a strong case for moving toward managed identities to remove static credentials from code: the workload never holds a secret or certificate at all, because the platform issues tokens to it directly and rotates the underlying credential itself. They also discuss the tradeoffs. Managed identities reduce secret exposure, but they can complicate operational workflows if teams lack mature automation and monitoring, and a managed identity is still a service principal whose permissions need the same review as any other. The introduction of Entra Agent ID helps by classifying AI and agent actors distinctly, improving inventory and policy targeting, but it introduces governance complexity that organizations must budget time and tooling to manage. Consequently, adopting these modern identity types delivers security benefits but requires investment in processes and visibility tools.
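The inventory that both the credential-sprawl discussion and the managed-identity argument call for, as an added example that is not code from the episode or from Microsoft: the script reviews records shaped like the Graph application object's passwordCredentials and keyCredentials collections, flags secrets that are expired but still attached, long-lived, or duplicated (a sign of a forgotten rotation), and lists the registrations that still carry any static credential, which are the migration candidates for managed identities. The sample applications, the fixed clock and the lifetime thresholds are all assumptions.

```python
"""Credential-sprawl review for Entra app registrations.

Added example, not from the episode. Works over constructed records shaped
like the 'application' object's passwordCredentials / keyCredentials, which
in a live tenant come from
https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,passwordCredentials,keyCredentials
"""
from datetime import datetime, timezone

MAX_SECRET_DAYS = 180    # assumption: client secrets longer than this are "long-lived"
MAX_CERT_DAYS = 365      # assumption: certificates get a longer but still bounded lifetime
MAX_ACTIVE_SECRETS = 1   # assumption: a second unexpired secret usually means a forgotten rotation

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible


def _iso(s):
    """Parse the 'Z'-suffixed timestamps Graph returns."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample; names, ids and dates are made up.
SAMPLE_APPS = [
    {"appId": "app-hr-sync", "displayName": "Legacy HR Sync",
     "passwordCredentials": [
         {"keyId": "k1", "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
         {"keyId": "k2", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"},
         {"keyId": "k3", "startDateTime": "2025-05-01T00:00:00Z", "endDateTime": "2025-10-01T00:00:00Z"},
     ],
     "keyCredentials": []},
    {"appId": "app-reporting", "displayName": "Reporting Bot",
     "passwordCredentials": [],
     "keyCredentials": [
         {"keyId": "c1", "type": "AsymmetricX509Cert", "usage": "Verify",
          "startDateTime": "2025-03-01T00:00:00Z", "endDateTime": "2025-09-01T00:00:00Z"},
     ]},
    {"appId": "app-function", "displayName": "MI-backed Function",
     "passwordCredentials": [], "keyCredentials": []},
]


def review(apps, now=NOW):
    """Return (appId, keyId, finding) tuples for credential hygiene problems."""
    findings = []
    for app in apps:
        active_secrets = 0
        for kind, max_days in (("passwordCredentials", MAX_SECRET_DAYS),
                               ("keyCredentials", MAX_CERT_DAYS)):
            for c in app.get(kind, []):
                start, end = _iso(c["startDateTime"]), _iso(c["endDateTime"])
                if end < now:
                    # Expired credentials stay on the object until deleted; they
                    # are dead weight and hide which secret is the live one.
                    findings.append((app["appId"], c["keyId"], "expired-but-present"))
                    continue
                if kind == "passwordCredentials":
                    active_secrets += 1
                lifetime = (end - start).days
                if lifetime > max_days:
                    findings.append((app["appId"], c["keyId"], f"long-lived:{lifetime}d"))
        if active_secrets > MAX_ACTIVE_SECRETS:
            findings.append((app["appId"], "*", f"multiple-active-secrets:{active_secrets}"))
    return findings


def static_credential_holders(apps):
    """Registrations still carrying any secret or certificate: managed-identity candidates."""
    return sorted(a["appId"] for a in apps
                  if a.get("passwordCredentials") or a.get("keyCredentials"))


if __name__ == "__main__":
    for app_id, key_id, finding in review(SAMPLE_APPS):
        print(f"{app_id:15} {key_id:4} {finding}")
    print("still on static credentials:", static_credential_holders(SAMPLE_APPS))
```

Treat the thresholds as policy inputs rather than constants: the useful output is the ranked list of registrations to migrate first, and the one with an expired secret, a two-year secret and a spare active secret is the obvious candidate.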
Ownership Models: Sponsor vs Owner and Why It Matters
Another important theme is the difference between assigning an owner to an app and assigning a sponsor, with Fernando and Zelic arguing that sponsorship reduces risk while preserving necessary support. Specifically, an owner typically has broad rights to change app configuration and to add or remove other owners, which attackers can exploit for lateral movement. In contrast, a sponsor model delegates oversight and renewal responsibilities without granting full control, so it balances operational needs with tighter security constraints. Thus, changing ownership patterns can reduce attack paths, although it requires cultural and procedural shifts.
Controls, Deadlines, and Operational Challenges
The hosts also cover practical mitigations such as vaulting secrets, enforcing Conditional Access on workload identities, and automating lifecycle retirement when an agent is decommissioned. They acknowledge, however, that stricter controls create friction: an aggressive Conditional Access policy can block legitimate automation that happens to sign in from an unexpected location, and vaulting requires teams to rewrite deployment pipelines. Additionally, looming protocol retirements like EWS and ID CRL impose timelines that can collide with busy operations calendars, increasing the risk of rushed, insecure workarounds. Therefore, the recommended approach is incremental enforcement (report-only first, then enforcement for a scoped set of principals) paired with robust testing and stakeholder communication.
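A way to test the "block legitimate automation" risk before a policy is enforced, as an added example that is not code from the episode or from Microsoft's tooling: the script replays constructed records shaped like Entra service principal sign-in log entries against a policy definition that mirrors the shape of a workload-identity Conditional Access policy (all service principals in scope, a break-glass exclusion, a trusted-location exclusion, block grant) and reports which sign-ins would have been blocked. The policy, the sign-in records and the trusted ranges are all assumptions; the IP addresses come from documentation ranges.

```python
"""Dry-run a 'block workload identities outside trusted locations' policy.

Added example, not from the episode. Mirrors what report-only mode gives you
in Entra: the decision per sign-in, without enforcing anything.
"""
import ipaddress
from collections import Counter

# Assumed policy. "ServicePrincipalsInMyTenant" is the value Entra uses for
# "all service principals"; the exclusion keeps break-glass automation out.
POLICY = {
    "displayName": "WI: block outside corporate egress (dry run)",
    "includeServicePrincipals": "ServicePrincipalsInMyTenant",
    "excludeServicePrincipals": {"sp-breakglass-automation"},
    "excludedLocationRanges": ["203.0.113.0/24", "2001:db8::/32"],  # trusted egress (RFC 5737/3849 ranges)
    "grant": "block",
}

# Constructed sign-in records shaped like service principal sign-in log entries.
SIGNINS = [
    {"servicePrincipalId": "sp-legacy-sync", "servicePrincipalName": "Legacy HR Sync", "ipAddress": "203.0.113.10"},
    {"servicePrincipalId": "sp-legacy-sync", "servicePrincipalName": "Legacy HR Sync", "ipAddress": "198.51.100.7"},
    {"servicePrincipalId": "sp-reporting", "servicePrincipalName": "Reporting Bot", "ipAddress": "2001:db8::1"},
    {"servicePrincipalId": "sp-breakglass-automation", "servicePrincipalName": "Break-glass", "ipAddress": "198.51.100.9"},
    {"servicePrincipalId": "sp-ci-runner", "servicePrincipalName": "CI Runner", "ipAddress": "not-an-ip"},
]


def _in_trusted_location(ip_text, ranges):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source address: treat as untrusted, the safe failure mode
    # An IPv4 address is simply not contained in an IPv6 network, and vice versa.
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def evaluate(policy, signin):
    """Return 'block', 'allow' or 'not-in-scope' for one sign-in under the policy."""
    sp = signin["servicePrincipalId"]
    if sp in policy["excludeServicePrincipals"]:
        return "not-in-scope"
    included = policy["includeServicePrincipals"]
    if included != "ServicePrincipalsInMyTenant" and sp not in included:
        return "not-in-scope"
    if _in_trusted_location(signin["ipAddress"], policy["excludedLocationRanges"]):
        return "allow"
    return policy["grant"]


def dry_run(policy, signins):
    """Decisions per record plus a count of would-be blocks per principal."""
    decisions = [(s["servicePrincipalId"], s["ipAddress"], evaluate(policy, s)) for s in signins]
    blocked = Counter(sp for sp, _, d in decisions if d == "block")
    return decisions, blocked


if __name__ == "__main__":
    decisions, blocked = dry_run(POLICY, SIGNINS)
    for sp, ip, d in decisions:
        print(f"{sp:26} {ip:16} {d}")
    print("would be blocked:", dict(blocked))
```

The blocked list is the conversation starter with the owning teams: the Legacy HR Sync principal signs in from both a trusted and an untrusted address, so someone has to decide whether the second path is legitimate before the policy moves from report-only to enforced. The CI runner with an unparsable source shows the conservative default; a sign-in you cannot attribute to a location should count as a block in the dry run so it surfaces for review.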
Balancing Zero Trust with Everyday Support
Finally, Fernando and Zelic argue for a pragmatic path from Zero Trust ideals to what they call “hero trust” without overburdening help desks or developers, and they outline how to do this. For instance, rolling out managed device requirements and scoped conditional access can improve security while minimizing user disruption if teams phase changes and provide clear remediation paths. Furthermore, investing in discovery tools and clear ownership models pays off by reducing incident response time and preventing attacker persistence. In short, the balance between strict security controls and operational agility is attainable but requires governance, tooling, and consistent communication.
Overall, the YouTube discussion led by Merill Fernando with Erika Zelic provides a clear, actionable roadmap for addressing Shadow Admins in Entra tenants, highlighting discovery, vaulting, ownership models, and the careful application of conditional access. As the landscape moves toward more autonomous agents, the episode makes it clear that organizations must prioritize visibility and lifecycle management to prevent non-human identities from becoming the weakest link. Finally, the conversation stresses that sensible tradeoffs and phased implementation will help teams tighten security without breaking critical workflows.
