Workload identity federation for Azure deployments is now generally available

Azure has announced the general availability of workload identity federation for Azure deployments. This feature allows users to configure Azure service connections without the need for a secret, resulting in easier management and improved security.
Improved Security
Workload identity federation enforces strict constraints on how an identity can be used. The federation subject configured on the App Registration or Managed Identity can only be used in Azure DevOps by the service connection it is configured for. This provides a more secure solution compared to using a secret, which can be unintentionally leaked and used for other purposes.
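The subject constraint described above can be audited from the identity side. The following is an added example, not code from this announcement or from Microsoft: it checks the federated credentials on an App Registration against an allow-list of service connections. It assumes the `sc://<organization>/<project>/<service connection>` subject format, the `https://vstoken.dev.azure.com/<organization id>` issuer and the `api://AzureADTokenExchange` audience, none of which are stated on this page; the sample data is constructed.

```python
import json
import re

# Assumed formats (not stated on this page): the issuer, subject and audience
# that Azure DevOps places on the federated credential of a service connection.
ISSUER_RE = re.compile(r"^https://vstoken\.dev\.azure\.com/[0-9a-fA-F-]{36}$")
SUBJECT_RE = re.compile(r"^sc://(?P<org>[^/]+)/(?P<project>[^/]+)/(?P<conn>[^/]+)$")
AUDIENCE = "api://AzureADTokenExchange"

# Constructed sample, shaped like `az ad app federated-credential list` output.
ORG_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE = json.dumps([
    {"name": "deploy-prod", "issuer": f"https://vstoken.dev.azure.com/{ORG_ID}",
     "subject": "sc://contoso/webshop/prod-azure", "audiences": [AUDIENCE]},
    {"name": "stale", "issuer": f"https://vstoken.dev.azure.com/{ORG_ID}",
     "subject": "sc://contoso/sandbox/old-conn", "audiences": [AUDIENCE]},
    {"name": "odd-issuer", "issuer": "https://tokens.example.test/abc",
     "subject": "sc://contoso/webshop/prod-azure", "audiences": [AUDIENCE]},
])


def audit(credentials, expected):
    """Return (credential name, problem) pairs.

    expected is the set of (organization, project, service connection)
    tuples that are supposed to be able to use this identity.
    """
    findings = []
    for cred in credentials:
        name = cred.get("name", "<unnamed>")
        if not ISSUER_RE.match(cred.get("issuer", "")):
            findings.append((name, "unexpected issuer"))
        if cred.get("audiences") != [AUDIENCE]:
            findings.append((name, "unexpected audience"))
        m = SUBJECT_RE.match(cred.get("subject", ""))
        if not m:
            findings.append((name, "subject is not a service connection"))
        elif (m["org"], m["project"], m["conn"]) not in expected:
            findings.append((name, "subject not in allow-list"))
    return findings


if __name__ == "__main__":
    allowed = {("contoso", "webshop", "prod-azure")}
    for cred_name, problem in audit(json.loads(SAMPLE), allowed):
        print(f"{cred_name}: {problem}")
```

A credential flagged here is one that lets some other service connection, or some other token issuer, obtain tokens for the same identity.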
No Expiring Secrets
With workload identity federation, the configuration of an Azure service connection is a one-time setup, eliminating the need to worry about expiring secrets that require rotation to keep the connection operational.
Getting Started
To take advantage of workload identity federation, you can create a new Azure service connection using the "Workload identity federation (automatic)" option in the Azure service connection creation experience. Additionally, previously created service connections with a secret can be converted to use workload identity federation by selecting the "Convert" action.
A script is also available to convert multiple service connections that use a secret to use workload identity federation instead.
With workload identity federation now generally available, Azure users can enjoy worry-free Azure service connections with improved security and simplified management.