## The Problem
Software workloads, like applications or services, need an identity to access resources and communicate with other services. When these workloads run on Azure, you can use managed identities, which Azure manages for you. However, managed identities only work for workloads running within Azure.
For workloads running outside of Azure, you need to use application credentials (like a secret or certificate) to access Microsoft Entra protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources). These credentials must be stored securely and rotated regularly to avoid security risks and potential service downtime if they expire.
## The Solution
With Workload Identity Federation, you can configure a [[User Assigned Managed Identity]]
or [[Application Registration]], which becomes the identity
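As an added example (not code from the original note or from Microsoft), the two pieces that replace a stored secret: the matching rule Entra applies between the external identity provider's token and the federated credential configured on the identity, and the client_credentials request in which that external token is sent as a client assertion. Issuer, subject, audience and client id values are constructed placeholders, and the demo token is unsigned; Entra additionally verifies the real token's signature against the issuer's published keys, which this example does not do.

```python
import base64
import json

# Constructed example of a federated identity credential as configured on a
# user assigned managed identity or app registration (hypothetical values).
FEDERATED_CREDENTIAL = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:example-org/example-repo:ref:refs/heads/main",
    "audiences": ["api://AzureADTokenExchange"],
}


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without checking its signature.
    Signature verification against the issuer's keys is Entra's job; this
    helper only exposes the claims the matching rule below looks at."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def matches_federated_credential(claims: dict, fic: dict) -> bool:
    """Trust rule: iss, sub and aud of the external token must match the
    federated credential exactly. A token from the same issuer for another
    branch or repository carries a different sub and is rejected."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == fic["issuer"]
        and claims.get("sub") == fic["subject"]
        and any(a in fic["audiences"] for a in auds)
    )


def build_token_request(client_id: str, external_token: str, scope: str) -> dict:
    """Form body for the client_credentials grant at the Entra token endpoint.
    The external token travels as a client assertion, so no client secret
    or certificate has to be stored or rotated by the workload."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": external_token,
    }


def make_unsigned_demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg none) for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```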
## Resources
- [Workload identity federation - Microsoft Entra Workload ID | Microsoft Learn](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation)
- [Introduction to Azure DevOps Workload identity federation (OIDC) with Terraform - Azure DevOps Blog (microsoft.com)](https://devblogs.microsoft.com/devops/introduction-to-azure-devops-workload-identity-federation-oidc-with-terraform/)