CA-12: Conditional Access for Workload Identities
Frequently asked questions about implementing and managing the CA-12 security control in Microsoft 365 and Entra ID.
Q: What is CA-12 (Conditional Access for Workload Identities)?
CA-12 is a security control covering service principals, which authenticate without user interaction and often hold broad permissions. Without Conditional Access policies, a compromised service principal has unrestricted access; workload identity Conditional Access policies add location-based and risk-based controls for non-human identities. The control requires that a Conditional Access policy targets service principal authentication, that high-risk workload identities are covered by risk-based policies, and that the policy is in the enforced (not report-only) state.
Q: Why is Conditional Access for Workload Identities important for Microsoft 365 security?
Service principals authenticate without user interaction and often have broad permissions. Without CA policies, a compromised service principal has unrestricted access. Workload identity CA policies enable location-based and risk-based controls for non-human identities.
Q: How do I implement CA-12 in my tenant?
TrueConfig provides one-click remediation for CA-12: it creates a Conditional Access policy that targets workload identities, initially in report-only mode. Because CA-12 counts only enforced policies, the report-only policy must be switched to enforced once its impact has been reviewed. This remediation requires a Workload Identities Premium license.
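The three requirements listed under "What is CA-12" (a policy targeting service principals, high-risk workload identities covered by a risk-based policy, enforced rather than report-only state) can be checked against the policy objects that Microsoft Graph returns from `/identity/conditionalAccess/policies`. The script below is an added example, not TrueConfig's code; the sample policies are constructed, and it assumes the Graph field names `conditions.clientApplications.includeServicePrincipals`, `conditions.servicePrincipalRiskLevels` and `state`.

```python
# Evaluate Conditional Access policies (Microsoft Graph conditionalAccessPolicy
# JSON shape) against the three CA-12 requirements. Added example, not product code.

ENFORCED = "enabled"  # other Graph states: disabled, enabledForReportingButNotEnforced

def targets_workload_identities(policy):
    """True if the policy scopes to service principals (conditions.clientApplications)."""
    apps = (policy.get("conditions") or {}).get("clientApplications") or {}
    return bool(apps.get("includeServicePrincipals"))

def covers_high_risk(policy):
    """True if the policy conditions on service principal risk and includes 'high'."""
    levels = (policy.get("conditions") or {}).get("servicePrincipalRiskLevels") or []
    return "high" in levels

def evaluate_ca12(policies):
    """Return (compliant, gaps): gaps lists CA-12 requirements the tenant does not meet."""
    wi = [p for p in policies if targets_workload_identities(p)]
    enforced = [p for p in wi if p.get("state") == ENFORCED]
    gaps = []
    if not wi:
        gaps.append("no policy targets service principal authentication")
    elif not enforced:
        gaps.append("workload identity policy exists but is report-only/disabled")
    if not any(covers_high_risk(p) for p in enforced):
        gaps.append("high-risk workload identities not covered by an enforced risk-based policy")
    return (not gaps, gaps)

# Constructed sample policies (not from a real tenant), in the Graph JSON shape.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientApplications": {"includeServicePrincipals": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block workload identities outside trusted locations (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientApplications": {"includeServicePrincipals": ["ServicePrincipalsInMyTenant"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["block"]}},
]
ENFORCED_RISK_POLICY = {
    "displayName": "Block high-risk workload identities", "state": "enabled",
    "conditions": {"clientApplications": {"includeServicePrincipals": ["ServicePrincipalsInMyTenant"]},
                   "servicePrincipalRiskLevels": ["high"]},
    "grantControls": {"builtInControls": ["block"]},
}

if __name__ == "__main__":
    print(evaluate_ca12(SAMPLE_POLICIES))                          # report-only only: fails
    print(evaluate_ca12(SAMPLE_POLICIES + [ENFORCED_RISK_POLICY]))  # enforced risk policy: passes
```

The first sample set mirrors the state right after a report-only remediation, which is why it still fails both the enforcement and risk-coverage checks.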
Q: What license do I need for CA-12?
This control requires Azure AD Premium P1 (included in Microsoft 365 E3) or higher.
Q: Which security baseline includes CA-12?
CA-12 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.
Still have questions?
Our security experts are here to help. Start a free trial and get personalized guidance for your Microsoft 365 environment.