u/dk913263

Push for service principals over service accounts. Worth it?

Hello everyone,

After recent updates from Microsoft, service accounts now also need MFA (MFA exemptions are no longer possible for these accounts). As such, the security team at my place is pushing for service principals. My org is not heavy on Dataverse at present.

I understand that service accounts pose a much greater security liability compared to service principals. But service principals need workarounds on several connectors such as SharePoint, Outlook, etc. As a developer it's easy to get around this and use HTTP requests, but I'm not sure the citizen developers (within my org) are technically sound enough to understand this workaround.

Also, the need for additional bot licenses or pay-as-you-go for Automate flows running under a service principal, like $150 per flow, is too expensive... Even the $0.60 per flow run is expensive compared to just assigning a premium license to a service account.

So how would you handle this, or has something similar happened in your organization? What are my probable alternatives? I did research on this topic before, but at that point MFA was still optional and could be disabled for service accounts at tenant level; that's not an option anymore. Any thoughts on workarounds or insights are appreciated.

Thanks!

reddit.com
u/dk913263 — 2 days ago