Workload identity federation is an industry term & technology leveraging Open ID Connect (OIDC) to authenticate using client assertions. Instead of secrets, a federation subject is used. This eliminates the need to manage and rotate secrets. See Entra doc page for more detail.
Service Principal with secret | Agent-assigned Managed Identity | Service Principal or Managed Identity with federation | |
---|---|---|---|
Secret-free | No | Yes | Yes |
Constrains usage to | Service Connection only | Any process on the agent | Service Connection only |
Works universally (Microsoft-hosted, Self-hosted, on prem) | Yes | No | Yes |
Pipeline author-time Azure resource experience | Yes | No | Yes |
Currently, the Azure (ARM) Service Connection has been updated with an additional scheme to support Workload identity federation. This allows Pipeline tasks that use the Azure Service Connection to authenticate using a federation subject (sc://<org>/<project>/<service connection name>
).
If not yet enabled, the preview needs to be enabled at organization level:
Make sure users in your organization are aware this is a preview feature.
Workload identity federation can be configured in 2 ways: