When using a [[Service Principal]] for an Azure DevOps [[Service Connection]], authentication is handled through a secret or certificate. These credentials have expiration dates and require manual upkeep.
Alternatively, you can use [[Workload Identity Federation]] for authentication. This method uses OpenID Connect to authenticate with Azure resources without relying on a stored secret. By configuring Entra ID to trust tokens issued by an external identity provider such as Azure DevOps or GitHub, that external service can exchange its own trusted token for an access token from Entra ID. These short-lived access tokens then grant access to the Azure resources assigned to the external workload.
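As an added example (not part of this note or of any Azure SDK), the Python below models the exchange described above: the federated credential configured on the Entra ID app registration, the claim-level trust check Entra ID applies to the incoming token, and the client-assertion request the workload sends to get an access token. The organisation id, tenant id, app id and service-connection name are placeholders, and the external token is a constructed, unsigned JWT; a real Azure DevOps token is signed, and Entra ID verifies that signature against the issuer's published keys before the claim checks shown here.

```python
import base64
import json

# Federated credential as configured on the Entra ID app registration.
# Issuer and subject follow the Azure DevOps forms; ids are placeholders.
FEDERATED_CREDENTIAL = {
    "issuer": "https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000",
    "subject": "sc://contoso-org/contoso-project/wif-connection",  # sc://<org>/<project>/<connection>
    "audiences": ["api://AzureADTokenExchange"],
}


def _b64url_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_external_token(issuer: str, subject: str, audience: str) -> str:
    """Constructed JWT for illustration only: the signature is a placeholder.
    Entra ID rejects a token whose signature does not verify against the issuer's keys."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "aud": audience}
    return f"{_b64url_json(header)}.{_b64url_json(payload)}.SIGNATURE-PLACEHOLDER"


def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def trusted_by_federated_credential(token: str, cred: dict = FEDERATED_CREDENTIAL) -> bool:
    """Claim-level trust check: iss, sub and aud must all match the federated credential exactly.
    A mismatch in any one of them (e.g. a different org or service connection) means no exchange."""
    claims = decode_claims(token)
    return (
        claims.get("iss") == cred["issuer"]
        and claims.get("sub") == cred["subject"]
        and claims.get("aud") in cred["audiences"]
    )


def build_token_request(tenant_id: str, client_id: str, external_token: str, scope: str) -> tuple[str, dict]:
    """Form body the workload POSTs to exchange its trusted token for an Entra ID access token.
    No client secret is sent; the external token itself is the client assertion."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": external_token,
    }
    return url, body
```

The subject string is what ties a federated credential to one specific service connection, so a token from another project or connection in the same organisation fails the check even though its issuer matches.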