{"id":2247,"date":"2024-12-18T09:23:52","date_gmt":"2024-12-18T17:23:52","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/identity\/?p=2247"},"modified":"2024-12-18T09:23:52","modified_gmt":"2024-12-18T17:23:52","slug":"access-cloud-resources-across-tenants-without-secrets","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/identity\/access-cloud-resources-across-tenants-without-secrets\/","title":{"rendered":"Effortlessly access cloud resources across Azure tenants without using secrets"},"content":{"rendered":"<p>Today, we&#8217;re announcing the Public Preview of Managed Identities as Federated Identity Credentials for Microsoft Entra. Securely access Entra-protected resources like Microsoft Azure, Microsoft Graph, and third-party APIs using a <a href=\"https:\/\/learn.microsoft.com\/entra\/architecture\/service-accounts-managed-identities\">managed identity<\/a> instead of a <a href=\"https:\/\/devblogs.microsoft.com\/identity\/public-v-confidential-clients\/#secrets-and-their-importance-in-proving-identity\">secret<\/a> or certificate.<\/p>\n<h4>Key benefits:<\/h4>\n<ul>\n<li><strong>Improved security:<\/strong> Eliminating the use of secrets and certificates in app authentication reduces the risk of credential leaks.<\/li>\n<li><strong>Simplified setup:<\/strong> Using a managed identity as a federated identity credential (FIC) provides continuous access to resources without the need to manage secret and certificate expiration and renewal.<\/li>\n<\/ul>\n<h2>How it works<\/h2>\n<p>In addition to client secrets and certificates, apps today can use Federated Identity Credentials (FICs) to accept access tokens from trusted identity providers. 
This process, known as the <a href=\"https:\/\/learn.microsoft.com\/entra\/workload-id\/workload-identity-federation\">Workload Identity Federation<\/a> flow, supports tokens from GitHub, Kubernetes, and other third-party <a href=\"https:\/\/devblogs.microsoft.com\/identity\/openid-connect-external-identity-provider-support-public-preview\/\">OIDC<\/a> issuers. With this new capability, apps can also accept managed identity tokens issued by Microsoft Entra.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/12\/Add-a-credential-window-showing-Entra-as-an-issuer-and-a-managed-identity-in-the-subject.png\" alt=\"Add a credential window, showing Entra as an issuer and a managed identity in the subject\" \/><\/p>\n<p>Once configured, an app can exchange the managed identity token (<strong>(a)<\/strong> in the diagram) for an access token to access Microsoft Entra-protected resources (<strong>(b)<\/strong>), eliminating the need to manage app secrets or certificates.<\/p>\n<h2>Getting started<\/h2>\n<p>To begin, assign a <a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/managed-identities-azure-resources\/how-manage-user-assigned-managed-identities\">user-assigned managed identity<\/a> to the Azure resource (for example, VM, App Service) that is hosting your workload.<\/p>\n<p>Next, you need to make your app trust the managed identity.<\/p>\n<p>Navigate to your app registration in the <a href=\"https:\/\/entra.microsoft.com\/#view\/Microsoft_AAD_RegisteredApps\/ApplicationsListBlade\">Entra Portal<\/a> or <a href=\"https:\/\/portal.azure.com\/#view\/Microsoft_AAD_RegisteredApps\/ApplicationsListBlade\">Azure Portal<\/a>:<\/p>\n<ul>\n<li>Go to <strong>Certificates &amp; secrets<\/strong>.<\/li>\n<li>Select the <strong>Federated credentials<\/strong> tab.<\/li>\n<li>Click <strong>Add credential<\/strong> to begin configuring the federated identity credential. 
<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/12\/Assign-a-user-assigned-managed-Identity-to-an-Azure-resource.png\" alt=\"Assign a user-assigned managed identity to an Azure resource\" \/><\/p>\n<p>In the Federated Credential form:<\/p>\n<ul>\n<li>Set the <strong>Scenario<\/strong> to &#8216;Other&#8217;.<\/li>\n<li>For <strong>Issuer<\/strong>, enter the OIDC issuer URL of your tenant (for example, &#8216;https:\/\/login.microsoftonline.com\/{tenantId}\/v2.0&#8217;).<\/li>\n<li>Set the <strong>Subject<\/strong> as the <strong>Object (Principal) ID<\/strong> of your Managed Identity.<\/li>\n<\/ul>\n<p>You can find the Object ID on the <strong>Overview<\/strong> page of the managed identity in the Azure Portal.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/12\/Federated-credential-Add-a-credential.png\" alt=\"Configuring a managed identity as a federated identity credential on an App\" \/><\/p>\n<h2>Token exchange and resource access through code<\/h2>\n<p>To obtain the app&#8217;s access token in your code, follow a two-step process:<\/p>\n<ul>\n<li>Get the managed identity token.<\/li>\n<li>Use the token as a client assertion to retrieve the access token.<\/li>\n<\/ul>\n<p>Below is an example in C# for accessing an Azure Storage account using the <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/overview\/azure\/identity-readme?view=azure-dotnet\">Azure Identity library<\/a>:<\/p>\n<pre><code>using System;\nusing System.Threading.Tasks;\nusing Azure.Core;\nusing Azure.Identity;\nusing Azure.Storage.Blobs;\n\npublic static async Task ListBlobs()\n{\n    \/\/ Storage account and container details\n    string accountName = \"your_storage_account_name\";\n    string containerName = \"your_container_name\";\n\n    \/\/ Entra ID (aka Azure AD) details\n    string tenantId = \"the_tenant_id_of_the_storage_account\"; \/\/ Where the resource exists, i.e. the tenant of the storage account.\n    string appClientId = \"your_app_client_id\"; \/\/ The client ID of the app registration that has access to the storage account.\n    string managedIdentityClientId = \"your_managed_identity_client_id\"; \/\/ The managed identity that was specified in the app's Federated Identity Credential.\n    string audience = \"api:\/\/AzureADTokenExchange\"; \/\/ Must set audience to this value in public cloud workloads.\n\n    \/\/ Step 1: credential for the user-assigned managed identity attached to this Azure resource\n    var managedIdentityCredential = new ManagedIdentityCredential(managedIdentityClientId);\n\n    \/\/ Step 2: a client assertion credential whose callback fetches a managed identity token on demand;\n    \/\/ Azure Identity sends that token as the client assertion when it requests the app's access token\n    ClientAssertionCredential assertion = new(\n        tenantId,\n        appClientId,\n        async (cancellationToken) =&gt;\n        {\n            \/\/ Fetch a managed identity token for the token-exchange audience\n            var tokenRequestContext = new TokenRequestContext(new[] { $\"{audience}\/.default\" });\n            var accessToken = await managedIdentityCredential\n                .GetTokenAsync(tokenRequestContext, cancellationToken)\n                .ConfigureAwait(false);\n            return accessToken.Token;\n        });\n\n    \/\/ Passing the assertion credential to the BlobContainerClient authenticates as the app through\n    \/\/ the federated credential; no client secret or certificate is involved\n    BlobContainerClient containerClient = new BlobContainerClient(\n        new Uri($\"https:\/\/{accountName}.blob.core.windows.net\/{containerName}\"),\n        assertion);\n\n    \/\/ List all blobs in the container\n    await foreach (var blob in containerClient.GetBlobsAsync())\n    {\n        Console.WriteLine(containerClient.GetBlobClient(blob.Name).Uri);\n    }\n}\n<\/code><\/pre>\n<h2>Multi-tenant usage<\/h2>\n<p>To access resources in other tenants, use the same FIC configuration and ensure your <strong>App Registration<\/strong> is <strong>Multitenant<\/strong>. 
This allows admins of the remote resource tenant to add and provision your app into their tenant.<\/p>\n<p>For more details about app provisioning, see <a href=\"https:\/\/learn.microsoft.com\/entra\/identity-platform\/how-applications-are-added\">How and why applications are added to Microsoft Entra ID<\/a>.<\/p>\n<h2>Creating Managed Identity FICs on apps using Bicep<\/h2>\n<p>Automating the provisioning of a federated identity credential is fully supported using <a href=\"https:\/\/aka.ms\/graphbicep\">Bicep<\/a>. Below is an example of deploying an FIC using Bicep:<\/p>\n<pre><code>extension microsoftGraph\n\n\/\/ Inputs for the app registration\nparam applicationDisplayName string\nparam applicationName string\n\n\/\/ Token-exchange audience per cloud; only the public-cloud value is listed here,\n\/\/ other clouds use a different audience value\nparam cloudEnvironment string = 'AzureCloud'\nvar audiences = {\n  AzureCloud: {\n    uri: 'api:\/\/AzureADTokenExchange'\n  }\n}\n\nresource myApp 'Microsoft.Graph\/applications@v1.0' = {\n  displayName: applicationDisplayName\n  uniqueName: applicationName\n\n  \/\/ Nested FIC; its name is the app's unique name followed by '\/' and the credential name\n  resource myMsiFic 'federatedIdentityCredentials@v1.0' = {\n    name: '${myApp.uniqueName}\/msiAsFic'\n    description: 'Trust the workload\\'s user-assigned MI as a credential for the app'\n    audiences: [\n      audiences[cloudEnvironment].uri\n    ]\n    \/\/ Issuer is the OIDC issuer URL of the tenant that owns the managed identity\n    issuer: '${environment().authentication.loginEndpoint}${tenant().tenantId}\/v2.0'\n    \/\/ Subject is the Object (Principal) ID of the managed identity\n    subject: '[YOUR-MANAGED-IDENTITY-PrincipalId]'\n  }\n}\n<\/code><\/pre>\n<h2>Next steps and recommendations<\/h2>\n<p>Customers using Microsoft Entra ID applications to authenticate users, access resources on behalf of users, or perform cross-tenant access can enhance their security by adopting managed identities as federated identity credentials. 
This approach is more secure and robust compared to managing secrets, rotating certificates, and handling multiple permission sets for apps and managed identities.<\/p>\n<p>To further explore this feature, please visit the <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/workload-id\/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center\">official public preview documentation<\/a>.<\/p>\n<h2>Stay connected and informed<\/h2>\n<p>To learn more or test out features in the Microsoft Entra portfolio, visit our\u202f<a href=\"https:\/\/developer.microsoft.com\/identity\/\">new developer center<\/a>. Make sure you subscribe to the\u202f<a href=\"https:\/\/www.youtube.com\/@MicrosoftSecurity\/playlists\">Identity blog<\/a>\u202ffor more insights and to keep up with the latest on all things Identity. And, follow us on\u202f<a href=\"https:\/\/www.youtube.com\/@MicrosoftSecurity\/playlists\">YouTube<\/a>\u202ffor video overviews, tutorials, and deep dives.\u202f<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Announcing the Public Preview of Managed Identities as Federated Identity Credentials for Microsoft Entra. Enhance security by removing secrets, simplify setup, and enable seamless cross-tenant access to Entra-protected resources like Azure and Microsoft Graph.<\/p>\n","protected":false},"author":178205,"featured_media":1486,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[32,33],"tags":[38,63,16,66,62],"class_list":["post-2247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-product-updates","tag-authentication","tag-bicep","tag-entra","tag-identity-federation","tag-managed-identities"],"acf":[],"blog_post_summary":"<p>Announcing the Public Preview of Managed Identities as Federated Identity Credentials for Microsoft Entra. 
Enhance security by removing secrets, simplify setup, and enable seamless cross-tenant access to Entra-protected resources like Azure and Microsoft Graph.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts\/2247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/users\/178205"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/comments?post=2247"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts\/2247\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/media\/1486"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/media?parent=2247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/categories?post=2247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/tags?post=2247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}