Microsoft has announced the Public Preview of Managed Identities as Federated Identity Credentials (FICs) for Microsoft Entra.
The innovation aims to enhance security and simplify resource access across Azure tenants.
Traditionally, applications have relied on client secrets or certificates for authentication, which involves risks like credential leaks and the need for frequent renewal.
With the introduction of Managed Identities as FICs, apps can now accept managed identity tokens issued by Microsoft Entra.
This process leverages the Workload Identity Federation flow to authenticate apps using tokens from trusted identity providers like GitHub, Kubernetes, and other OpenID Connect (OIDC) issuers.
Once configured, an application can exchange a managed identity token for an access token to access resources protected by Microsoft Entra. This eliminates the need to manage app secrets or certificates manually.
Developers can configure this feature via the Azure Portal by adding a federated credential to their app registration and associating it with a user-assigned managed identity.
To begin using this feature, follow these steps:
- Assign a user-assigned managed identity to the Azure resource hosting your workload (e.g., Virtual Machine or App Service).
- Navigate to your app registration in the Microsoft Entra or Azure Portal.
- Under the “Certificates & secrets” section, select the “Federated credentials” tab and add a new credential.
- Configure the Federated Credential form:
  - Set the scenario to “Other.”
  - Enter your tenant’s OIDC issuer URL (e.g., https://login.microsoftonline.com/{tenantId}/v2.0).
  - Use the Object ID of your managed identity as the subject.
This setup ensures that your app trusts the managed identity for secure access.
Token Exchange and Multi-Tenant Usage
Developers can programmatically retrieve access tokens through a two-step process: obtaining a managed identity token and using it as a client assertion to fetch an access token for specific resources.
For example, in C#, developers can use the Azure Identity library to authenticate and interact with Azure Storage accounts securely.
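The two-step exchange described above, written out as an added example in plain Python (standard library only). This is not the article's C# Azure Identity sample and not Microsoft's code: the IMDS endpoint and the client_credentials/client_assertion token request are the documented OAuth 2.0 and Azure endpoints, the audience value `api://AzureADTokenExchange` is the one Microsoft documents for this scenario, and the tenant id, managed identity object id and scope are constructed placeholders. The claim-matching function ties the exchange back to the portal steps earlier on the page: an exchange fails unless the managed identity token's issuer, subject and audience line up with the federated credential you configured.

```python
"""Added example: exchange a managed identity token for an app access token when
the MI is registered as a federated identity credential. Standard library only;
the two live HTTP steps target real endpoints but are not called offline."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Audience the managed identity token is requested for when it will be presented
# as a client assertion (value documented by Microsoft for this scenario).
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed sample values shaped like the portal's federated credential form.
SAMPLE_FIC = {
    "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/v2.0",
    "subject": "11111111-1111-1111-1111-111111111111",  # MI object id (constructed)
    "audience": EXCHANGE_AUDIENCE,
}


def get_managed_identity_token(mi_client_id):
    """Step 1 (live, on the VM/App Service only): ask the Azure Instance Metadata
    Service for a token whose audience is the token-exchange audience."""
    query = urllib.parse.urlencode({
        "api-version": "2018-02-01",
        "resource": EXCHANGE_AUDIENCE,
        "client_id": mi_client_id,
    })
    req = urllib.request.Request(
        f"http://169.254.169.254/metadata/identity/oauth2/token?{query}",
        headers={"Metadata": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())["access_token"]


def build_exchange_request(tenant_id, app_client_id, mi_token, scope):
    """Step 2 request: a client_credentials grant in which the MI token replaces
    the client secret or certificate as the client assertion."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_client_id,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": mi_token,
        "scope": scope,
    }).encode()
    return url, body


def exchange_for_access_token(tenant_id, app_client_id, mi_token, scope):
    """Step 2 (live): POST the assertion and return the app's access token."""
    url, body = build_exchange_request(tenant_id, app_client_id, mi_token, scope)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["access_token"]


def decode_jwt_claims(token):
    """Payload claims of a compact JWT without signature verification (inspection
    only; Microsoft Entra verifies the signature when it receives the assertion)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def assertion_matches_fic(token, fic):
    """Return the reasons an assertion would NOT match a federated credential.
    The checks mirror the issuer, subject and audience fields of the portal form,
    which is where a failing exchange is usually misconfigured."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != fic["issuer"]:
        problems.append("issuer mismatch")
    if claims.get("sub") != fic["subject"]:
        problems.append("subject mismatch")
    aud = claims.get("aud")
    if fic["audience"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= time.time():
        problems.append("token expired")
    return problems


def sample_token(subject=SAMPLE_FIC["subject"], ttl=3600):
    """Constructed, UNSIGNED token (alg 'none') so the claim checks can run
    offline. Entra rejects such tokens; a real step-1 token is signed by Entra."""
    def b64url(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    now = int(time.time())
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({
        "iss": SAMPLE_FIC["issuer"], "sub": subject, "aud": EXCHANGE_AUDIENCE,
        "iat": now, "exp": now + ttl,
    }).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    print("matching token:", assertion_matches_fic(sample_token(), SAMPLE_FIC))
    other = "22222222-2222-2222-2222-222222222222"  # a different MI, constructed
    print("wrong subject:", assertion_matches_fic(sample_token(other), SAMPLE_FIC))
```

On a real workload the flow is `get_managed_identity_token(mi_client_id)` followed by `exchange_for_access_token(tenant_id, app_client_id, mi_token, "https://storage.azure.com/.default")`; the Azure Identity libraries wrap these two calls, so the hand-rolled version is mainly useful for understanding what the SDK sends and for diagnosing a credential that Entra refuses to match.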
Moreover, this feature supports multi-tenant usage. By configuring your app registration as multitenant, you can enable cross-tenant resource access.
Administrators from other tenants can provision your app into their environments, broadening its usability across organizations.
Next Steps and Recommendations
Microsoft recommends adopting Managed Identities as Federated Identity Credentials for applications using Microsoft Entra ID to authenticate users or perform cross-tenant operations.
This approach enhances security by eliminating secrets and certificates while streamlining resource access management.
For automation enthusiasts, provisioning federated identity credentials is supported through Bicep templates, enabling seamless deployment at scale.
This feature represents a significant step forward in simplifying secure application authentication in cloud environments.
Developers and organizations are encouraged to explore this capability during its public preview phase to strengthen their security posture while reducing operational complexity.