Public preview of Workload identity federation for Azure Pipelines

Azure Pipelines is introducing a public preview of workload identity federation for Azure service connections. This feature allows Pipeline tasks to authenticate using a federation subject, eliminating the need to store secrets and certificates in Azure service connections.
Key benefits of workload identity federation include simplified management, as there is no longer a need to generate, copy, and store secrets from service principals in Azure Entra ID to Azure DevOps. Additionally, secrets used in other authentication schemes of Azure service connections expire after a certain period, requiring the generation of new secrets and updates to the service connection; a federated connection stores no secret, so this rotation work goes away.
There are two ways to take advantage of workload identity federation: converting existing Azure service connections based on secrets to the new scheme or using the new workload identity federation scheme when creating new Azure service connections. The latter method is recommended moving forward.
To convert a previously created Azure service connection, users can select the "Convert" action after selecting the connection. The conversion can be reverted by clicking the revert link on the service connection details page.
Creating a new Azure service connection with workload identity federation can be done by selecting "Workload identity federation (automatic)" in the Azure service connection creation experience. Alternatively, users can create an Azure service connection manually with either a Service Principal or Managed Identity.
Support for workload identity federation with inline authentication is provided through the AzureCLI@2 task, which allows access to the federated token used during authentication.
The Terraform DevLabs and Azure Pipelines Terraform Tasks extensions have been updated to support workload identity federation. Terraform users can refer to a walkthrough on the Tech Community that utilizes the Azure-Samples/azure-devops-terraform-oidc-ci-cd repository to create and use Azure service connections with Terraform.
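The inline-authentication path described above, as an added example (not taken from the announcement or the sample repository): an AzureCLI@2 step that exposes the federated token to its script and passes it to Terraform's azurerm provider. The service connection name and working directory are placeholders.

```yaml
# Added example. "my-wif-service-connection" and the "infra" directory are
# hypothetical; substitute your own service connection and Terraform root.
steps:
  - task: AzureCLI@2
    displayName: Terraform plan with the federated token
    inputs:
      azureSubscription: my-wif-service-connection
      scriptType: bash
      scriptLocation: inlineScript
      # Exposes idToken, servicePrincipalId and tenantId to the script.
      addSpnToEnvironment: true
      workingDirectory: $(System.DefaultWorkingDirectory)/infra
      inlineScript: |
        set -euo pipefail

        # With a federated connection the task provides idToken instead of
        # servicePrincipalKey. Stop here if the connection was not converted,
        # so a secret-based connection is never used by accident.
        if [ -z "${idToken:-}" ]; then
          echo "##vso[task.logissue type=error]No federated token: service connection is not using workload identity federation"
          exit 1
        fi

        # Hand the token to the azurerm provider through its OIDC variables.
        # Do not echo the token or write it to a file: it is a bearer
        # credential for as long as it remains valid.
        export ARM_USE_OIDC=true
        export ARM_OIDC_TOKEN="$idToken"
        export ARM_CLIENT_ID="$servicePrincipalId"
        export ARM_TENANT_ID="$tenantId"
        export ARM_SUBSCRIPTION_ID="$(az account show --query id -o tsv)"

        terraform init -input=false
        terraform plan -input=false
```

The federated token is short-lived, so consume it in the same step that requests it rather than passing it to later jobs as a pipeline variable.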
Note that workload identity federation is currently only supported for Azure service connections.
For more details and documentation, please see the official announcement.