Workload identity federation - Microsoft Entra Workload ID (2024)

Table of Contents
In this article Why use workload identity federation? Supported scenarios How it works Next steps
  • Article

This article provides an overview of workload identity federation for software workloads. Using workload identity federation allows you to access Microsoft Entra protected resources without needing to manage secrets (for supported scenarios).

You can use workload identity federation in scenarios such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure.

See Also
What Is Federated Identity? | OktaWas ist eine Verbundidentität?  | OktaSecure your use of third party tools with identity federation | Google Cloud BlogErstellen einer Vertrauensstellung zwischen einer benutzerseitig zugewiesenen verwalteten Identität und einem externen Identitätsanbieter - Microsoft Entra Workload ID

Why use workload identity federation?

Watch this video to learn why you would use workload identity federation.

Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services. When these workloads run on Azure, you can use managed identities and the Azure platform manages the credentials for you. You can only use managed identities, however, for software workloads running in Azure. For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Microsoft Entra protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources). These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.

You use workload identity federation to configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as GitHub or Google. The user-assigned managed identity or app registration in Microsoft Entra ID becomes an identity for software workloads running, for example, in on-premises Kubernetes or GitHub Actions workflows. Once that trust relationship is created, your external software workload exchanges trusted tokens from the external IdP for access tokens from Microsoft identity platform. Your software workload uses that access token to access the Microsoft Entra protected resources to which the workload has been granted access. You eliminate the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.

Supported scenarios

The following scenarios are supported for accessing Microsoft Entra protected resources using workload identity federation:

  • Workloads running on any Kubernetes cluster (Azure Kubernetes Service (AKS), Amazon Web Services EKS, Google Kubernetes Engine (GKE), or on-premises). Establish a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and a Kubernetes workload (described in the workload identity overview).
  • GitHub Actions. First, configure a trust relationship between your user-assigned managed identity or application in Microsoft Entra ID and a GitHub repo in the Microsoft Entra admin center or using Microsoft Graph. Then configure a GitHub Actions workflow to get an access token from Microsoft identity provider and access Azure resources.
  • Google Cloud. First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and an identity in Google Cloud. Then configure your software workload running in Google Cloud to get an access token from Microsoft identity provider and access Microsoft Entra protected resources. See Access Microsoft Entra protected resources from an app in Google Cloud.
  • Workloads running in Amazon Web Services (AWS). First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and an identity in Amazon Cognito. Then configure your software workload running in AWS to get an access token from Microsoft identity provider and access Microsoft Entra protected resources. See Workload identity federation with AWS.
  • Other workloads running in compute platforms outside of Azure. Configure a trust relationship between your user-assigned managed identity or application in Microsoft Entra ID and the external IdP for your compute platform. You can use tokens issued by that platform to authenticate with Microsoft identity platform and call APIs in the Microsoft ecosystem. Use the client credentials flow to get an access token from Microsoft identity platform, passing in the identity provider's JWT instead of creating one yourself using a stored certificate.
  • SPIFFE and SPIRE are a set of platform agnostic, open-source standards for providing identities to your software workloads deployed across platforms and cloud vendors. First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and a SPIFFE ID for an external workload. Then configure your external software workload to get an access token from Microsoft identity provider and access Microsoft Entra protected resources. See Workload identity federation with SPIFFE and SPIRE.
  • Create a new service connection in Azure Pipelines (preview). Create an Azure Resource Manager service connection using workload identity federation.

Note

Microsoft Entra ID issued tokens may not be used for federated identity flows. The federated identity credentials flow does not support tokens issued by Microsoft Entra ID.

How it works

Create a trust relationship between the external IdP and a user-assigned managed identity or application in Microsoft Entra ID. The federated identity credential is used to indicate which token from the external IdP should be trusted by your application or managed identity. You configure a federated identity either:

  • On a user-assigned managed identity through the Microsoft Entra admin center, Azure CLI, Azure PowerShell, Azure SDK, and Azure Resource Manager (ARM) templates. The external workload uses the access token to access Microsoft Entra protected resources without needing to manage secrets (in supported scenarios). The steps for configuring the trust relationship differs, depending on the scenario and external IdP.
  • On an app registration in the Microsoft Entra admin center or through Microsoft Graph. This configuration allows you to get an access token for your application without needing to manage secrets outside Azure. For more information, learn how to configure an app to trust an external identity provider.

The workflow for exchanging an external token for an access token is the same, however, for all scenarios. The following diagram shows the general workflow of a workload exchanging an external token for an access token and then accessing Microsoft Entra protected resources.

Workload identity federation - Microsoft Entra Workload ID (1)

  1. The external workload (such as a GitHub Actions workflow) requests a token from the external IdP (such as GitHub).
  2. The external IdP issues a token to the external workload.
  3. The external workload (the sign in action in a GitHub workflow, for example) sends the token to Microsoft identity platform and requests an access token.
  4. Microsoft identity platform checks the trust relationship on the user-assigned managed identity or app registration and validates the external token against the OpenID Connect (OIDC) issuer URL on the external IdP.
  5. When the checks are satisfied, Microsoft identity platform issues an access token to the external workload.
  6. The external workload accesses Microsoft Entra protected resources using the access token from Microsoft identity platform. A GitHub Actions workflow, for example, uses the access token to publish a web app to Azure App Service.

The Microsoft identity platform stores only the first 100 signing keys when they're downloaded from the external IdP's OIDC endpoint. If the external IdP exposes more than 100 signing keys, you may experience errors when using workload identity federation.

Next steps

Learn more about how workload identity federation works:

  • How to create, delete, get, or update federated identity credentials on a user-assigned managed identity.
  • How to create, delete, get, or update federated identity credentials on an app registration.
  • Read the workload identity overview to learn how to configure a Kubernetes workload to get an access token from Microsoft identity provider and access Microsoft Entra protected resources.
  • Read the GitHub Actions documentation to learn more about configuring your GitHub Actions workflow to get an access token from Microsoft identity provider and access Microsoft Entra protected resources.
  • How Microsoft Entra ID uses the OAuth 2.0 client credentials grant and a client assertion issued by another IdP to get a token.
  • For information about the required format of JWTs created by external identity providers, read about the assertion format.
Workload identity federation - Microsoft Entra Workload ID (2024)
Top Articles
17 Surprising Recipes with Potato Flakes
Sautéed Mushrooms Recipe
Metra Union Pacific West Schedule
Inducement Small Bribe
Dlnet Retiree Login
His Lost Lycan Luna Chapter 5
Explore Tarot: Your Ultimate Tarot Cheat Sheet for Beginners
Overnight Cleaner Jobs
Wannaseemypixels
Kansas Craigslist Free Stuff
R Tiktoksweets
Where does insurance expense go in accounting?
Busted Newspaper S Randolph County Dirt The Press As Pawns
Craiglist Galveston
The Banshees Of Inisherin Showtimes Near Regal Thornton Place
Tcgplayer Store
Sound Of Freedom Showtimes Near Cinelux Almaden Cafe & Lounge
Missed Connections Inland Empire
Milanka Kudel Telegram
Craigslist Clinton Ar
Rust Belt Revival Auctions
Colonial Executive Park - CRE Consultants
Craigslist Dubuque Iowa Pets
4.231 Rounded To The Nearest Hundred
Cinema | Düsseldorfer Filmkunstkinos
Will there be a The Tower season 4? Latest news and speculation
Best Laundry Mat Near Me
Puffin Asmr Leak
Haunted Mansion Showtimes Near Cinemark Tinseltown Usa And Imax
Gasbuddy Lenoir Nc
Black Adam Showtimes Near Amc Deptford 8
Asian Grocery Williamsburg Va
20 Best Things to Do in Thousand Oaks, CA - Travel Lens
Google Flights Orlando
Restored Republic May 14 2023
Low Tide In Twilight Manga Chapter 53
Puretalkusa.com/Amac
Wilson Tattoo Shops
Seminary.churchofjesuschrist.org
Emily Tosta Butt
Inducement Small Bribe
LumiSpa iO Activating Cleanser kaufen | 19% Rabatt | NuSkin
Craigslist St Helens
Keci News
Kate Spade Outlet Altoona
Mountainstar Mychart Login
Mcoc Black Panther
Oefenpakket & Hoorcolleges Diagnostiek | WorldSupporter
6463896344
Diccionario De Los Sueños Misabueso
Game Like Tales Of Androgyny
Appsanywhere Mst
Latest Posts
19 Heath-Packed Gluten-Free Recipes You’ll Love to Make!
38 Paleo Diet Snack Recipes
Article information

Author: Trent Wehner

Last Updated:

Views: 6601

Rating: 4.6 / 5 (76 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Trent Wehner

Birthday: 1993-03-14

Address: 872 Kevin Squares, New Codyville, AK 01785-0416

Phone: +18698800304764

Job: Senior Farming Developer

Hobby: Paintball, Calligraphy, Hunting, Flying disc, Lapidary, Rafting, Inline skating

Introduction: My name is Trent Wehner, I am a talented, brainy, zealous, light, funny, gleaming, attractive person who loves writing and wants to share my knowledge and understanding with you.