Using Federated Credentials Instead of Secrets for Multi-Tenant Azure Resource Management

Christian Pedersen 0 Reputation points
2024-07-28T19:59:02.62+00:00

Hello,

I'm working on a project with the following setup:

  1. I have an application registered in Entra ID (formerly Azure AD).
  2. This application has been granted permissions to access resources in multiple tenants.
  3. The application is designed to manage subscriptions and resources across these different tenants.
  4. Currently, my Azure Function app uses a User-Assigned Managed Identity to retrieve a secret from Key Vault.
  5. This secret is then used to obtain a token for authenticating the application, allowing it to connect to other tenants and subscriptions.

My question is: Can I replace this secret-based authentication method with Federated Credentials?

Specifically, I'm wondering if it's possible to:

  1. Use Federated Credentials instead of a secret or certificate stored in Key Vault.
  2. Grant my User-Assigned Managed Identity the ability to use these Federated Credentials for the application.

I believe this approach would offer several advantages:

  • Eliminate the need to rotate keys or certificates in Key Vault.
  • Provide a more secure and manageable implementation.

Is this a feasible approach? If so, could you provide guidance on how to implement it? And what are the limitations, if any apply?

Thank you for your help!


1 answer

  1. Akhilesh Vallamkonda 10,320 Reputation points Microsoft Vendor
    2024-08-01T10:37:19.58+00:00

    Hi @Christian Pedersen

    Thank you for reaching us!

    Yes, you can allow other identities to impersonate your application by establishing a trust with an external OpenID Connect (OIDC) identity provider. This federation allows you to get tokens to access Microsoft Entra ID protected resources.

    For more information, please refer to Workload identity federation.
    You can choose the federated credential scenario which is listed below.

    On the other side, you can configure a user-assigned managed identity to trust an external identity provider.

    Hope this information helps. Please let us know if you have any further queries.
    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
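The pattern the answer points at, applied to the asker's setup: the user-assigned managed identity is registered as a federated identity credential on the multi-tenant app registration, and the function app exchanges the managed identity's token for an app token in the target tenant, so no secret or certificate has to live in Key Vault or be rotated. This is an added example, not code from the original thread or from Microsoft; it assumes the azure-identity and azure-mgmt-resource Python packages, the token-exchange audience api://AzureADTokenExchange, and placeholder tenant, client and principal IDs.

```python
"""Swap the Key Vault secret for a managed-identity-backed federated credential.

Added example. Flow:
  1. On the app registration, add a federated identity credential whose issuer is
     the home tenant's v2.0 endpoint and whose subject is the user-assigned managed
     identity's principal (object) ID, with audience api://AzureADTokenExchange.
  2. At runtime the function app asks the managed identity for a token scoped to
     that audience, then presents it as a client assertion to get an app token
     in the target tenant. Nothing long-lived is stored anywhere.
"""
from typing import Any, Callable

TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def federated_credential_body(home_tenant_id: str, mi_principal_id: str,
                              name: str = "function-app-uami") -> dict[str, Any]:
    """Request body for Microsoft Graph
    POST /applications/{app-object-id}/federatedIdentityCredentials.
    Only this exact issuer/subject pair is trusted, so a token from any other
    identity or tenant is rejected at the exchange step."""
    return {
        "name": name,
        "issuer": f"https://login.microsoftonline.com/{home_tenant_id}/v2.0",
        "subject": mi_principal_id,  # object ID of the managed identity
        "audiences": [TOKEN_EXCHANGE_AUDIENCE],
    }


def assertion_from_managed_identity(uami_client_id: str) -> Callable[[], str]:
    """Callable that fetches a fresh managed-identity token whenever the
    assertion is needed (imports are lazy: they need the package and IMDS)."""
    from azure.identity import ManagedIdentityCredential
    mi = ManagedIdentityCredential(client_id=uami_client_id)
    return lambda: mi.get_token(f"{TOKEN_EXCHANGE_AUDIENCE}/.default").token


def app_credential_for_tenant(target_tenant_id: str, app_client_id: str,
                              uami_client_id: str):
    """Credential that authenticates as the multi-tenant app in target_tenant_id,
    using the managed identity's token as the client assertion instead of a secret."""
    from azure.identity import ClientAssertionCredential
    return ClientAssertionCredential(
        tenant_id=target_tenant_id,
        client_id=app_client_id,
        func=assertion_from_managed_identity(uami_client_id),
    )


if __name__ == "__main__":
    # Placeholder IDs are constructed; replace before use.
    cred = app_credential_for_tenant("<target-tenant-id>", "<app-client-id>",
                                     "<uami-client-id>")
    from azure.mgmt.resource import SubscriptionClient
    for sub in SubscriptionClient(cred).subscriptions.list():
        print(sub.subscription_id, sub.display_name)
```

The app still needs a service principal with the right role assignments in each target tenant; federation only replaces how the app proves its identity, not what it is authorized to do.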

