|
| 1 | +# Day 77 - Connect to Microsoft Graph in Azure DevOps using Workload Identity Federation - Jan Vidar Elven |
| 2 | + |
| 3 | + |
| 4 | + |
| 5 | +This note accompanies my contribution for 2024 edition of 90DaysOfDevOps, which consists of: |
| 6 | + |
| 7 | +- A video: [Link coming..]() |
| 8 | +- A presentation deck for reference: [day77-Connect-to-Microsoft-APIs-in-Azure-DevOps-Pipelines-using-Workload-Identity-Federation.pdf](./Presentations/day77-Connect-to-Microsoft-APIs-in-Azure-DevOps-Pipelines-using-Workload-Identity-Federation.pdf) |
| 9 | +- This markdown file and a summary below, and a blog post where I have more details. |
| 10 | + |
| 11 | +## What is Workload Identity Federation? |
| 12 | + |
| 13 | +Workload Identity Federation allows you to access Microsoft Entra protected resources without needing to manage secrets. It is based on Open ID Connect, and supports specific scenarios like federation with GitHub and Azure DevOps, as well as a range of other documented scenarios. |
| 14 | + |
| 15 | +The way that this works, is that you use workload identity federation to configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP). |
| 16 | + |
| 17 | +[Read more about Workload Identity Federation at Microsoft Learn](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation?WT.mc_id=linkedin&sharingId=EM-MVP-5001872) |
| 18 | + |
| 19 | +## What are Service Connections? |
| 20 | + |
| 21 | +Service Connections in Azure DevOps can be used to connect to resources in pipelines, and by using an Azure Resource Manager connection with Workload Identity Federation, we can basically connect to any Entra ID protected API and resource. |
| 22 | + |
| 23 | +[Read more about Service Connections using Azure Resource Manager with Workload Identity Federation](https://learn.microsoft.com/nb-no/azure/devops/pipelines/library/connect-to-azure?view=azure-devops&WT.mc_id=linkedin&sharingId=EM-MVP-5001872) |
| 24 | + |
| 25 | +## About Microsoft APIs protected by Entra ID |
| 26 | + |
| 27 | +Microsoft have several well-known APIs that support OIDC (OpenID Connect) and OAuth2 for Authentication and Authorization, like Azure Resource Manager Rest API, Microsoft Graph API, KeyVault API to name a few. |
| 28 | + |
| 29 | +In addition you can create, expose and protect your own APIs via App Registrations, so there are a lot of usage scenarios. |
| 30 | + |
| 31 | +All this Microsoft APIs can be accessed securely and without secrets using Workload Identity Federation and Service Connections in Azure DevOps. |
| 32 | + |
| 33 | +## Blog post |
| 34 | + |
| 35 | +Here is a previous blog post I published that show the details on how to set this up: |
| 36 | + |
| 37 | +https://gotoguy.blog/2023/09/15/connect-to-microsoft-graph-in-azure-devops-pipelines-using-workload-identity-federation/ |
| 38 | + |
| 39 | +## About me |
| 40 | + |
| 41 | +I'm Jan Vidar Elven, and work as a Senior Architect in Evidi AS in Norway, I'm a Microsoft Security MVP, and specialize in Microsoft Entra, IAM (Identity Access Management), IGA (Identity Governance & Administration), Security, Cloud Platform solutions using Microsoft Azure, and DevOps. |
| 42 | + |
| 43 | +Connect with me at: |
| 44 | + |
| 45 | +- [LinkedIn](https://linkedin.com/in/janvidarelven) |
| 46 | +- [X](https://x.com/JanVidarElven) |
| 47 | +- [GitHub](https://github.com/janvidarelven) |
0 commit comments