Stephan van Rooij

Software architect with a passion for home automation.

Federated credentials, wait what?


Workflow identity federation of “federated credentials” as they are called in the Azure Portal are brand new in the Microsoft identity suite. As of writing they are still in preview.

What are they and how does it work? This will all be explained in the post below.

federated credentials on Azure portal

Why would you need federated credentials?

Managing secrets is hard, as I explained several times on this blog, like here. If you can get someone else to manage the credentials for you, you should go for that options and have the other party worry about the credentials.

What are these federated credentials?

Microsoft wrote a great description on Workload identity federation, but in my own words, it’s trusting some pre-configured (external) identity provider to request tokens for an application in Azure AD, while using the token from the external IDP instead of a client assertion. So instead of signing the token request with a certificate, you configure Azure AD to trust external tokens as if they where client assertions.

How do federated credentials actually work?

sequenceDiagram; participant c as Client application participant aad as Azure AD participant idp as External Identity Provider participant r as Resource protected by Azure AD c->>idp: Give me a token for reource x idp->>c: Access token for x note right of c: External token c->>aad: Give me a token for resource y aad-->>aad: Issuer configured? aad->>idp: Download IDP metadata (OpenID Connect) idp->>aad: External metadata aad->>aad: Validate signature aad->>aad: Subject and audience matching app registration? note right of c: Azure AD token aad->>c: Issue access token c->>r: Here is the access token from Azure AD

I like federated credentials

I really like the idea of federated credentials. This is a great example how important security management is. And using federated credentials allows you to secure stuff without knowing the secret. If you don’t have/manage a secret, it can never be extracted because there is nothing to extract.

Mind you that as of today (May 20th 2022), this is still in preview which means that you can try it out, but should not use it in any production workloads.

Proof of concept: Multi tenant managed identity


Ever since Microsoft created managed identities, people are asking how/if they work for multi-tenant applications. They even spend a faq on it.

In my previous post I wrote that it was possible to use a managed identity to get access tokens for some multi tenant application, if you haven’t seen that post be sure to check it out since this post uses the knowlage from that post to demo the process.

Hacking Primary refresh tokens, oops created a virus


Windows has some cleaver ways to handle SSO in combination with Azure AD. They use this so called Primary Refresh Token. These highly sensitive key materials, are usually stored in the systems TPM (trusted platform module), a hardware device that can protect keys. And are “unlocked” when the user logs in.

A post, by Lee Christensen and the accompanying RequestAADRefreshToken source, inspired me to check out what he had found.

Like what you're seeing? Consider Sharing on Twitter or Sponsoring me