
az identity federated-credential

Manage federated identity credentials under user assigned identities.

Commands

az identity federated-credential create
    Create a federated identity credential under an existing user assigned identity.
    Type: Core    Status: GA

az identity federated-credential delete
    Delete a federated identity credential under an existing user assigned identity.
    Type: Core    Status: GA

az identity federated-credential list
    List all federated identity credentials under an existing user assigned identity.
    Type: Core    Status: GA

az identity federated-credential show
    Show a federated identity credential under an existing user assigned identity.
    Type: Core    Status: GA

az identity federated-credential update
    Update a federated identity credential under an existing user assigned identity.
    Type: Core    Status: GA

az identity federated-credential create

Create a federated identity credential under an existing user assigned identity.

az identity federated-credential create --identity-name
                                        --name
                                        --resource-group
                                        [--audiences]
                                        [--claims-matching-expression-value --cme-value]
                                        [--claims-matching-expression-version --cme-version]
                                        [--issuer]
                                        [--subject]

Examples

Create a federated identity credential under a specific user assigned identity using subject.

az identity federated-credential create --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer myIssuer --subject mySubject --audiences myAudiences

Create a federated identity credential under a specific user assigned identity using claimsMatchingExpression.

az identity federated-credential create --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer myIssuer --claims-matching-expression-version 1 --claims-matching-expression-value "claims['sub'] eq 'foo'" --audiences myAudiences

Required Parameters

--identity-name

The name of the identity resource.

--name -n

The name of the federated identity credential resource.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--audiences

The aud value in the token sent to Azure for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure to issue the access token. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Properties Arguments
Default value: ['api://AzureADTokenExchange']
--claims-matching-expression-value --cme-value
Preview

The wildcard-based expression for matching incoming claims. Cannot be used with --subject.

Property Value
Parameter group: ClaimsMatchingExpression Arguments
--claims-matching-expression-version --cme-version
Preview

Specifies the version of the claims matching expression language used in the expression.

Property Value
Parameter group: ClaimsMatchingExpression Arguments
--issuer

The OpenID Connect metadata URL of the identity provider's issuer, which Azure AD uses in the token exchange protocol to validate incoming tokens before issuing a token as the user-assigned managed identity.

Property Value
Parameter group: Properties Arguments
--subject

The sub value in the token sent to Azure AD for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure AD to issue the access token. Either 'subject' or 'claimsMatchingExpression' must be defined, but not both.

Property Value
Parameter group: Properties Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az identity federated-credential delete

Delete a federated identity credential under an existing user assigned identity.

az identity federated-credential delete --identity-name
                                        --name
                                        --resource-group
                                        [--yes]

Examples

Delete a federated identity credential under a specific user assigned identity.

az identity federated-credential delete --name myFicName --identity-name myIdentityName --resource-group myResourceGroup

Required Parameters

--identity-name

The name of the identity resource.

--name -n

The name of the federated identity credential resource.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--yes -y

Do not prompt for confirmation.

Property Value
Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az identity federated-credential list

List all federated identity credentials under an existing user assigned identity.

az identity federated-credential list --identity-name
                                      --resource-group
                                      [--max-items]
                                      [--next-token]
                                      [--skiptoken]
                                      [--top]

Examples

List all federated identity credentials under an existing user assigned identity.

az identity federated-credential list --identity-name myIdentityName --resource-group myResourceGroup

Required Parameters

--identity-name

The name of the identity resource.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--max-items

Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in --next-token argument of a subsequent command.

Property Value
Parameter group: Pagination Arguments
--next-token

Token to specify where to start paginating. This is the token value from a previously truncated response.

Property Value
Parameter group: Pagination Arguments
--skiptoken

A skip token is used to continue retrieving items after an operation returns a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skipToken parameter that specifies a starting point to use for subsequent calls.

--top

Number of records to return.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az identity federated-credential show

Show a federated identity credential under an existing user assigned identity.

az identity federated-credential show --identity-name
                                      --name
                                      --resource-group

Examples

Show a federated identity credential under a specific user assigned identity.

az identity federated-credential show --name myFicName --identity-name myIdentityName --resource-group myResourceGroup

Required Parameters

--identity-name

The name of the identity resource.

--name -n

The name of the federated identity credential resource.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az identity federated-credential update

Update a federated identity credential under an existing user assigned identity.

az identity federated-credential update --identity-name
                                        --name
                                        --resource-group
                                        [--add]
                                        [--audiences]
                                        [--claims-matching-expression-value --cme-value]
                                        [--claims-matching-expression-version --cme-version]
                                        [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                        [--issuer]
                                        [--remove]
                                        [--set]
                                        [--subject]

Examples

Update a federated identity credential under a specific user assigned identity using subject.

az identity federated-credential update --identity-name myIdentityName --name myFicName --resource-group myResourceGroup --issuer myIssuer --subject mySubject --audiences myAudiences

Update a federated identity credential under a specific user assigned identity using claimsMatchingExpression.

az identity federated-credential update --identity-name myIdentityName --name myFicName --resource-group myResourceGroup --issuer myIssuer --claims-matching-expression-version 1 --claims-matching-expression-value "claims['sub'] eq 'foo'" --audiences myAudiences

Required Parameters

--identity-name

The name of the identity resource.

--name -n

The name of the federated identity credential resource.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

Property Value
Parameter group: Generic Update Arguments
--audiences

The aud value in the token sent to Azure for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure to issue the access token. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Properties Arguments
--claims-matching-expression-value --cme-value
Preview

The wildcard-based expression for matching incoming claims. Cannot be used with --subject.

Property Value
Parameter group: ClaimsMatchingExpression Arguments
--claims-matching-expression-version --cme-version
Preview

Specifies the version of the claims matching expression language used in the expression.

Property Value
Parameter group: ClaimsMatchingExpression Arguments
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Property Value
Parameter group: Generic Update Arguments
Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--issuer

The OpenID Connect metadata URL of the identity provider's issuer, which Azure AD uses in the token exchange protocol to validate incoming tokens before issuing a token as the user-assigned managed identity.

Property Value
Parameter group: Properties Arguments
--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

Property Value
Parameter group: Generic Update Arguments
--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

Property Value
Parameter group: Generic Update Arguments
--subject

The sub value in the token sent to Azure AD for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure AD to issue the access token. Either 'subject' or 'claimsMatchingExpression' must be defined, but not both.

Property Value
Parameter group: Properties Arguments
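The trust a federated credential grants is only as narrow as its issuer, its subject or claims matching expression, and its audiences allow (the same parameter semantics apply to create and update above). The following audit script is an added example, not part of the Azure CLI or this reference: it reads the JSON array that `az identity federated-credential list -o json` prints and flags settings worth reviewing; the JSON key names, the placeholder issuer host and the `matches` operator in the constructed sample are assumptions.

```python
"""Audit federated identity credentials (FICs) for risky trust settings.

Checks follow this page's parameter semantics; JSON key names are assumed
to match the list command's output.
"""
import json

DEFAULT_AUDIENCE = "api://AzureADTokenExchange"  # documented default

def audit_fic(fic: dict) -> list[str]:
    """Return findings for one credential (empty list means nothing flagged)."""
    findings = []
    name = fic.get("name", "<unnamed>")
    issuer = fic.get("issuer") or ""
    subject = fic.get("subject")
    cme = fic.get("claimsMatchingExpression") or {}
    expr = cme.get("value") if isinstance(cme, dict) else None
    # Azure fetches issuer metadata over this URL to validate incoming tokens.
    if not issuer.startswith("https://"):
        findings.append(f"{name}: issuer is not an https URL ({issuer!r})")
    # The page requires exactly one of subject / claimsMatchingExpression.
    if bool(subject) == bool(expr):
        findings.append(f"{name}: need exactly one of subject or expression")
    # Subject is compared exactly, so a '*' here can never match a real token.
    if subject and "*" in subject:
        findings.append(f"{name}: subject contains '*' but matching is exact")
    # A wildcard in the expression widens the set of tokens that are trusted.
    if expr and "*" in expr:
        findings.append(f"{name}: wildcard in claims matching expression: {expr}")
    # aud must match exactly; anything beyond the default deserves a look.
    extra = [a for a in fic.get("audiences") or [] if a != DEFAULT_AUDIENCE]
    if extra:
        findings.append(f"{name}: non-default audiences {extra}")
    return findings

def audit_all(list_json: str) -> dict[str, list[str]]:
    """Run audit_fic over the JSON array printed by the list command."""
    return {f.get("name", "?"): audit_fic(f) for f in json.loads(list_json)}

# Constructed sample in the shape of `az identity federated-credential list -o json`;
# the issuer host is a placeholder and the 'matches' operator syntax is assumed.
SAMPLE = json.dumps([
    {"name": "ci-main", "issuer": "https://oidc.example.invalid",
     "subject": "repo:contoso/app:ref:refs/heads/main",
     "audiences": ["api://AzureADTokenExchange"]},
    {"name": "ci-any", "issuer": "https://oidc.example.invalid", "subject": None,
     "claimsMatchingExpression": {"value": "claims['sub'] matches 'repo:contoso/*'", "languageVersion": 1},
     "audiences": ["api://AzureADTokenExchange", "custom-aud"]},
])
```

Run it against real output with `audit_all(open("fics.json").read())` after saving the list command's JSON; a credential with no findings is not proof of a good design, only that none of these coarse checks fired.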
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False