The Invisible Workforce Is Non-Human — Why MSPs Need NHI Governance Now

Ask an MSP how many users are in a client tenant and they can tell you. Ask for an NHI inventory—service principals, managed identities, OAuth apps—and whether any are over-privileged or dormant, and the room goes quiet. Microsoft just made that silence harder to justify.

Three updates landed last week. Each is useful on its own. Together they point to a gap most MSPs haven’t addressed. Defender now provides non-human identity inventory with risk scoring, unused-identity detection, and automated governance policies. Entra ID’s unified identity risk score pulls in NHI telemetry alongside user signals, and a new least-privilege SOC RBAC role tightens the investigation perimeter. Sentinel added ASIM schemas for Asset Entities and AI Agent Events—the parsers that make NHI telemetry queryable across vendors without manual log normalization.

Non-human doesn’t mean low-risk

Service principals outnumber user accounts in most tenants. The one created for a trial integration three years ago still has persistent permissions because nobody decommissions NHIs. OAuth apps granted broad consent by a former admin continue operating with no owner tracking. Add AI agents—Copilot extensions, Logic Apps, third-party connectors—and you have identities generating high-velocity, autonomous traffic that user-centric monitoring was never designed to see.

When attackers use generative AI to automate credential theft, ungoverned NHIs are the path of least resistance. There is no MFA prompt to fail. No user to notice a suspicious sign-in. The identity was built to authenticate without a human in the loop. Compromise it and you bypass every user-facing control in the stack.

The tooling is here

Defender’s NHI protection module—still rolling out to tenants—gives you a unified inventory of service principals, managed identities, and OAuth apps. It assigns risk scores, flags unused identities, and supports governance policies that auto-remediate. Over-privileged service principal? Policy revokes the excess. Dormant OAuth app with active consent? Policy removes it.

On the Entra ID side, the unified identity risk score now includes NHI signals. A service principal with anomalous sign-in patterns raises its risk the same way a user account would. Combined with the new least-privilege SOC role—read-only on identity data, no tenant admin exposure—you can hand investigation access to tier-1 analysts without expanding the blast radius.

Sentinel’s ASIM updates are what make this operational. The new AI Agent Events schema normalizes telemetry from autonomous workflows that traditional user-focused detections ignore. Without these parsers deployed, an AI agent compromise won’t trigger your rules because the log format doesn’t match your user-centric queries. The ProcessEvent parser breaking change is a maintenance item—annoying but worth it to close the detection gap.

NHI governance as a recurring service

This is not a one-time project. Quarterly NHI audits—inventory, risk review, policy gap analysis—slot naturally into existing managed security engagements. Monthly governance enforcement—auto-expiring unused service principals, revoking dormant OAuth app consents, enforcing least-privilege on new NHI creation—is operations work that scales across tenants using the policy engine Defender now provides.
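What the quarterly audit and monthly enforcement steps above boil down to, as an added example that is not Defender's policy engine or any Microsoft code: triage a constructed NHI inventory for dormant, over-privileged and unowned identities, then turn each finding into a proposed governance action. The inventory, the audit date and the field names are assumptions chosen for the example; in a real engagement the data would be exported from Defender's NHI inventory or pulled from Microsoft Graph, and the list of "broad" permissions is a policy decision per client.

```python
"""Quarterly NHI audit over a constructed inventory (added example, not Defender's engine)."""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Field names are assumptions for this example,
# not Microsoft's schema; a real run would load Defender's NHI inventory export.
INVENTORY = [
    {"name": "svc-billing-sync", "type": "servicePrincipal", "owner": "ops@contoso.example",
     "last_sign_in": "2024-05-20T08:12:00Z", "permissions": ["User.Read.All"]},
    {"name": "trial-crm-connector", "type": "servicePrincipal", "owner": None,
     "last_sign_in": "2021-03-02T14:00:00Z", "permissions": ["Directory.ReadWrite.All"]},
    {"name": "legacy-mail-app", "type": "oauthApp", "owner": None,
     "last_sign_in": None, "permissions": ["Mail.ReadWrite", "User.Read"]},
    {"name": "vm-backup-mi", "type": "managedIdentity", "owner": "ops@contoso.example",
     "last_sign_in": "2024-05-21T02:00:00Z", "permissions": ["Storage Blob Data Reader"]},
    {"name": "copilot-ext-sales", "type": "aiAgent", "owner": "sales-it@contoso.example",
     "last_sign_in": "2024-05-21T11:45:00Z", "permissions": ["Sites.ReadWrite.All"]},
]

# Tenant-wide Graph permissions that warrant review on any NHI. The names are real
# Graph scopes; which ones count as "excess" is a per-client policy decision.
HIGH_RISK_PERMISSIONS = {
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "Mail.ReadWrite", "Sites.ReadWrite.All",
}

NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)  # constructed audit date


def _parse(ts):
    """ISO-8601 'Z' timestamp -> aware datetime, or None when the NHI never signed in."""
    if not ts:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_dormant(inventory, now=NOW, days=90):
    """NHIs with no sign-in in `days` days, or that never signed in at all."""
    cutoff = now - timedelta(days=days)
    out = []
    for item in inventory:
        last = _parse(item["last_sign_in"])
        if last is None or last < cutoff:
            out.append(item["name"])
    return out


def find_over_privileged(inventory, risky=HIGH_RISK_PERMISSIONS):
    """NHIs holding at least one broad permission, mapped to the offending scopes."""
    return {item["name"]: sorted(set(item["permissions"]) & risky)
            for item in inventory if set(item["permissions"]) & risky}


def find_unowned(inventory):
    """NHIs with no recorded owner: nobody to ask before revoking or expiring."""
    return [item["name"] for item in inventory if not item.get("owner")]


def governance_actions(inventory, now=NOW, days=90):
    """Policy-gap analysis: one proposed action per finding, worst combination first."""
    dormant = set(find_dormant(inventory, now, days))
    over = find_over_privileged(inventory)
    unowned = set(find_unowned(inventory))
    actions = []
    for item in inventory:
        n = item["name"]
        if n in dormant and n in over:
            actions.append((n, "disable-and-revoke", "dormant with broad permissions"))
        elif n in dormant:
            actions.append((n, "expire", "no sign-in within %d days" % days))
        elif n in over:
            actions.append((n, "review-permissions", ", ".join(over[n])))
        if n in unowned:
            actions.append((n, "assign-owner", "no owner recorded"))
    return actions


def audit_summary(inventory, now=NOW):
    """The headline counts that justify the governance conversation."""
    return {
        "total": len(inventory),
        "dormant": len(find_dormant(inventory, now)),
        "over_privileged": len(find_over_privileged(inventory)),
        "unowned": len(find_unowned(inventory)),
    }


if __name__ == "__main__":
    print(audit_summary(INVENTORY))
    for name, action, reason in governance_actions(INVENTORY):
        print(f"{action:20} {name:22} {reason}")
```

The dormancy threshold and the high-risk permission set are the two knobs a client signs off on; everything else is deterministic, which is what makes the monthly enforcement pass repeatable across tenants.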

SOC integration means normalizing NHI telemetry through ASIM, building detection rules that correlate NHI auth anomalies with endpoint behavior, and adding NHI compromise scenarios to incident response playbooks. The parts exist. Most clients won’t ask for NHI governance because they don’t know to ask. That’s the service.

Start here

Run Defender’s NHI inventory on one client tenant this week. Count the dormant service principals and over-privileged OAuth apps. The number will justify the conversation. Deploy the new ASIM parsers in Sentinel—start with the AI Agent Events schema if you have Copilot or automation workloads running. Build one cross-platform detection rule that correlates an NHI authentication anomaly with an endpoint alert. That single rule is the proof point for a broader NHI governance engagement.
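The single cross-platform detection rule described above and in the SOC-integration paragraph, as an added example that is not a Sentinel analytics rule or any Microsoft code: flag a service identity that signs in successfully from a source IP outside its baseline, then pair that anomaly with any endpoint alert raised on the same IP within a short window. The events, alerts, baseline and window are constructed for the example; field names loosely follow ASIM's Authentication schema (TimeGenerated, ActorUsername, ActorUserType, SrcIpAddr, EventResult) and the endpoint-alert shape is assumed.

```python
"""Correlate an NHI sign-in anomaly with an endpoint alert (added example, not a Sentinel rule)."""
from datetime import datetime, timedelta, timezone


def _ts(s):
    """ISO-8601 'Z' timestamp -> aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed normalized sign-in events. Field names follow ASIM's Authentication
# schema loosely; treat the exact names as assumptions for this example.
AUTH_EVENTS = [
    {"TimeGenerated": "2024-05-22T09:00:00Z", "ActorUsername": "svc-billing-sync",
     "ActorUserType": "Service", "SrcIpAddr": "10.0.0.5", "EventResult": "Success"},
    {"TimeGenerated": "2024-05-22T09:10:00Z", "ActorUsername": "svc-billing-sync",
     "ActorUserType": "Service", "SrcIpAddr": "203.0.113.7", "EventResult": "Success"},
    {"TimeGenerated": "2024-05-22T09:12:00Z", "ActorUsername": "vm-backup-mi",
     "ActorUserType": "Service", "SrcIpAddr": "10.0.0.9", "EventResult": "Success"},
    {"TimeGenerated": "2024-05-22T09:15:00Z", "ActorUsername": "jdoe",
     "ActorUserType": "Regular", "SrcIpAddr": "203.0.113.7", "EventResult": "Success"},
]

# Constructed endpoint alerts (shape assumed; a real feed would come from the endpoint product).
ENDPOINT_ALERTS = [
    {"TimeGenerated": "2024-05-22T09:25:00Z", "DvcHostname": "WS-FIN-02",
     "DvcIpAddr": "203.0.113.7", "AlertName": "Credential theft tooling detected"},
    {"TimeGenerated": "2024-05-22T11:30:00Z", "DvcHostname": "WS-FIN-02",
     "DvcIpAddr": "203.0.113.7", "AlertName": "Unusual script execution"},
    {"TimeGenerated": "2024-05-22T09:20:00Z", "DvcHostname": "SRV-DB-01",
     "DvcIpAddr": "10.0.0.40", "AlertName": "Port scan detected"},
]

# Constructed per-identity baseline: source IPs each NHI has used over the last 30 days.
BASELINE_SRC_IPS = {
    "svc-billing-sync": {"10.0.0.5"},
    "vm-backup-mi": {"10.0.0.9"},
}


def nhi_anomalies(auth_events, baseline=BASELINE_SRC_IPS):
    """Successful NHI sign-ins from a source IP outside that identity's baseline.

    User sign-ins are deliberately skipped: this rule exists to cover identities
    that user-centric detections do not see.
    """
    out = []
    for e in auth_events:
        if e["ActorUserType"] != "Service" or e["EventResult"] != "Success":
            continue
        if e["SrcIpAddr"] not in baseline.get(e["ActorUsername"], set()):
            out.append({"time": _ts(e["TimeGenerated"]),
                        "identity": e["ActorUsername"], "ip": e["SrcIpAddr"]})
    return out


def correlate(auth_events, endpoint_alerts, window_minutes=30, baseline=BASELINE_SRC_IPS):
    """Pair each NHI anomaly with endpoint alerts on the same IP inside the window after it."""
    window = timedelta(minutes=window_minutes)
    incidents = []
    for a in nhi_anomalies(auth_events, baseline):
        for alert in endpoint_alerts:
            t = _ts(alert["TimeGenerated"])
            if alert["DvcIpAddr"] == a["ip"] and a["time"] <= t <= a["time"] + window:
                incidents.append({
                    "identity": a["identity"], "ip": a["ip"],
                    "host": alert["DvcHostname"], "alert": alert["AlertName"],
                    "minutes_after_signin": int((t - a["time"]).total_seconds() // 60),
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(AUTH_EVENTS, ENDPOINT_ALERTS):
        print(inc)
```

The join key here is the source IP because that is the one field both an ASIM-normalized sign-in and an endpoint alert reliably share; in a tenant with device identity in the sign-in logs, joining on device ID is the tighter choice. The window is the usual tuning trade-off: 30 minutes in the sample catches the first alert and ignores the unrelated one two hours later.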