-
Notifications
You must be signed in to change notification settings - Fork 234
Federated Identity Credential (FIC) with a Managed Service Identity (MSI)
Federated Identity Credentials provide a way to avoid managing secrets or certificates. In this case, you will rely on Managed Identity to issue a credential. Managed Identity abstracts away certificates from app developers.
Note
Managed Identity can issue tokens directly for your downstream APIs. However, using Managed Identity directly is limited to service principals (i.e. no user tokens) and it is single tenanted! To bypass these limitations, you can use Managed Identity to issue a federated credential. Otherwise, use Managed Identity directly!
This guide assumes you have setup a Federated Identity Credential with Managed Identity, as per the Entra docs
Note
It is strongly recommended to use only User Assigned Managed Identity for issuing credentials.
You then configure your credential in your appsettings.json file. Here’s a sample configuration:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "your-tenant-id",
"ClientId": "your-client-id",
"ClientCredentials": [
{
"SourceType": "SignedAssertionFromManagedIdentity",
"ManagedIdentityClientId": "your-user-assigned-managed-identity-client-id"
"TokenExchangeUrl": "api://AzureADTokenExchange" // optional, it defaults api://AzureADTokenExchange, change for other clouds
}
]
}
}- Home
- Why use Microsoft Identity Web?
- Web apps
- Web APIs
- Minimal support for .NET FW Classic
- Logging
- Azure AD B2C limitations
- Samples
- Certificates
- Managed Identity as Federated Credential
- Federated Credentials from other Identity Provider
- Extensibility: Bring your own credential
- Web apps
- Web app samples
- Web app template
- Call an API from a web app
- Managing incremental consent and conditional access
- Web app troubleshooting
- Deploy to App Services Linux containers or with proxies
- SameSite cookies
- Hybrid SPA
- Web APIs
- Web API samples
- Web API template
- Call an API from a web API
- Token Decryption
- Web API troubleshooting
- web API protected by ACLs instead of app roles
- gRPC apps
- Azure Functions
- Long running processes in web APIs
- Authorization policies
- Generic API
- Customization
- Logging
- Calling graph with specific scopes/tenant
- Multiple Authentication Schemes
- Utility classes
- Setting FIC+MSI
- Mixing web app and web API
- Deploying to Azure App Services
- Azure AD B2C issuer claim support
- Performance
- specify Microsoft Graph scopes and app-permissions
- Integrate with Azure App Services authentication
- Ajax calls and incremental consent and conditional access
- Back channel proxys
- Client capabilities