Multi tenant managed identity is finally here
Microsoft just announced that you can now “officially” use managed identities in a multi-tenant scenario. This is a huge step forward security-wise if you’re in the business of building multi-tenant applications. Let me explain what this is, how it works and why it’s important.
I must say that I’m kind of ashamed that I totally missed this announcement, until I saw a post by Daniel Bradly on LinkedIn about this topic. So, thanks Daniel for bringing this to my attention!
What are we talking about?
Managed identities are a way to authenticate your application to Entra ID without you having to manage any secrets (that is the whole point: Microsoft manages these identities). They come in two flavors, system-assigned and user-assigned. The first is tied to a specific resource; the latter is an independent resource that can be attached to various resources (by the user).
Managed identities are always tied to the Entra ID tenant where the resource is created. This means that they cannot be used to access resources in other tenants. This is a problem if you’re building a multi-tenant application, where you have one application that serves multiple tenants.
Federated credentials
Federated credentials are a way to tell Entra ID, “Hey, if you see a token that is signed by this issuer, trust it for this application”. That allows you to use a token from a third-party identity provider (like GitHub, Azure DevOps or some other IdP) to get tokens from Entra ID, without needing a secret that has to be renewed and could be stolen.
Want to know more about federated credentials? Check out this two year old post I wrote on the topic.
Use managed identities in a multi-tenant scenario
Back in June 2022, I wrote a post on how you could use a managed identity for exactly this scenario. Back then there was a small issue with this solution: the docs explicitly stated that “using a token from any Entra ID tenant as a federated credential was not supported”. And a few months later, they actually blocked this scenario, because the docs said it was not supported.
Fast forward to the 18th of December 2024 (when I first heard about it): Microsoft announced that you can now use managed identities in a multi-tenant scenario. What a great Christmas present 🥳🍾!! I cannot tell you how happy I am to finally, after two years of it being blocked, be able to use a managed identity as a federated credential again.
Once officially released, you’ll probably have an extra tab next to federated credentials with a wizard to set all the required properties of the federated credential for you. My guess is that on the identity side they will just re-use the federated credential part, since all the parts seem to be there.
Why is this important?
If you’re in the business of building multi-tenant applications, your biggest challenge is to keep your application’s secrets, well, secret. Whether you’re using secrets (which you definitely should not) or certificates, managing those and keeping them secure is a pain. We had applications breaking down because the certificate was not renewed in time, and we don’t want to think of the consequences if a secret or certificate was stolen. When you use a managed identity (which is managed by Microsoft) as a federated credential, you don’t have to worry about this anymore. There is no secret to steal and no certificate to renew; Microsoft takes care of that for you.
How does it work?
Well, not much changed since my previous post, so I would say go ahead and read that post; apart from some visual changes (like the renaming of Azure AD to Entra ID), you should be good to go.
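To make the flow concrete, here is an added example (my own illustration, not code from the original post or from Microsoft) of the three pieces involved: the federated credential you register on the multi-tenant app, the token request in which the managed identity token is sent as a client assertion, and a local check that mirrors what Entra ID matches before it accepts that assertion. The issuer format, the api://AzureADTokenExchange audience and the jwt-bearer assertion type are Microsoft's documented values; tenant and principal IDs are placeholders, and the unsigned_jwt helper only builds a constructed test token (real managed identity tokens are signed by Entra ID).

```python
import base64
import json
import time

# Audience Entra ID requires on a token that is exchanged as a federated credential.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def federated_credential(name, issuer_tenant_id, mi_principal_id):
    """Federated identity credential on the multi-tenant app registration: trust tokens
    from the tenant hosting the managed identity, for that identity's principal ID."""
    return {
        "name": name,
        "issuer": f"https://login.microsoftonline.com/{issuer_tenant_id}/v2.0",
        "subject": mi_principal_id,
        "audiences": [TOKEN_EXCHANGE_AUDIENCE],
    }

def token_exchange_request(target_tenant_id, app_client_id, assertion, scope):
    """Client-credentials request to the customer tenant: the managed identity token
    is presented as a JWT client assertion instead of a secret or certificate."""
    url = f"https://login.microsoftonline.com/{target_tenant_id}/oauth2/v2.0/token"
    return url, {
        "grant_type": "client_credentials",
        "client_id": app_client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
        "scope": scope,
    }

def jwt_claims(token):
    """Decode a JWT payload without verifying it (Entra ID verifies the signature)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def assertion_matches(token, credential, now=None):
    """Mirror Entra ID's match: iss, sub and aud must equal the federated credential
    exactly (no wildcards), and the token must not be expired."""
    c = jwt_claims(token)
    now = time.time() if now is None else now
    return (c.get("iss") == credential["issuer"]
            and c.get("sub") == credential["subject"]
            and c.get("aud") in credential["audiences"]
            and c.get("exp", 0) > now)

def unsigned_jwt(claims):
    """Constructed, unsigned token for local testing; real MI tokens are signed by Entra ID."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

In production the assertion comes from the Azure Instance Metadata Service (resource api://AzureADTokenExchange), and the matching function is only a pre-flight sanity check; the authoritative check happens in Entra ID.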
Series: Federated Credentials
- Federated credentials, wait what?
- Using a managed identity as a client credential
- Proof of concept: Multi tenant managed identity
- How do Federated credentials in GitHub Actions actually work
- Multi tenant managed identity is finally here
- Use multi tenant managed identity in Azure Automation
Conclusion
I’m super happy that Microsoft (re-)enabled using managed identities as federated credentials. The portal could be improved a bit: a wizard that sets all the required properties of the federated credential for you would help, since looking up the exact values is a bit annoying. But hey, I’m not complaining, I’m just happy that I can finally use managed identities in a multi-tenant scenario.
Want to know more, or have any questions? Connect with me on LinkedIn or BlueSky. If you’re in The Netherlands on January 25th 2025, I’ll be talking about this at BitBash, and I believe they still have some tickets available.
You should not only follow me on LinkedIn, but you should also follow Daniel Bradly, he posts some interesting stuff about Entra ID and security in general.