Workload Identity Federation

In my latest post I explained how Workload Identity Federation works.

As many Azure services are getting support for Managed Identity, wouldn’t it be great if the that technology could be combined with workload identity federation? Luckily, that’s exactly what Microsoft has built.

To be more specific, there is support to use User Assigned Managed Identities with Workload Identity Federation.

What this means is that developers can create a User Assigned Managed Identity, a type of Azure resource. When the resource is deployed a managed App Registration in Azure AD is automatically created. In this case managed means there is no need to manage an application certificate or application secret. Such a User Assigned Managed Identity has the ability to configure the federated credentials information in it. Within the Azure portal there is a tab to configure the federated credentials.

Configure UAMI Federated Credentials within the Azure Portal
Configure UAMI Federated Credentials within the Azure Portal

This makes way for an end to end experience configuring CI/CD without the involvement of a central IT team. Developer teams are now fully enabled to configure their pipelines by themselves. It only takes a few minutes to deploy the Managed Identity and configure the federated credentials. The only thing remaining is giving the Managed Identity the (least privilege) permissions within Azure to be used by the CI/CD pipeline.


Developer teams are enabled to configure their pipelines by themselves which is a great productivity enhancement. No need for cumbersome processes involving ITSM cases and a long lead time. Besides that, it also much safer and business continuity is improved as there are no credentials to manage.

Ok. This makes sense, but how can Central IT or a CCoE have control over this new possibility? I’ll let you know in my next blog post.