
Managed Identity for the provider authentication #243

Open
eduardodfmex opened this issue Mar 26, 2024 · 3 comments · May be fixed by #545
Labels: enhancement (New feature or request), security

@eduardodfmex
Contributor

eduardodfmex commented Mar 26, 2024

Managed Identity auth for provider and pipelines

Managed identities (MI) provide an automatically managed identity in Microsoft Entra ID. Applications use managed identities to connect to resources that support Microsoft Entra authentication, and to obtain Microsoft Entra tokens, without credentials management.
Consider using MI to authenticate and create resources with the Power Platform Terraform provider.

Possible Tasks
• Implement MI on the provider or investigate if it works now.
• Investigate or implement the “Configure a user-assigned managed identity to trust an external identity provider”. After you configure your user-assigned managed identity to trust an external IdP, configure your external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload uses the access token to access Microsoft Entra protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about workload identity federation.
• Evaluate MI considerations and restrictions; Create a trust relationship between a user-assigned managed identity and an external identity provider - Microsoft Entra Workload ID | Microsoft Learn
• See the feasibility of using MI on GitHub Actions or Azure DevOps pipelines, or create issues on the products' backlog.

DOD
• Create Power Platform resources using MI on Dev environment (desktop plan / apply on local host)
• Create and document process and QuickStarts.
• Create and document a GitHub action that uses MI to deploy resources.
• Create and document an Azure DevOps pipeline that uses MI to deploy resources.
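The token exchange described in the second task, written out as an added example (not code from this issue, the provider, or Microsoft): an external workload holds an OIDC token from its own IdP and presents it as a `client_assertion` in a client-credentials request to the Microsoft identity platform, naming the user-assigned managed identity's client ID. Before sending, the example pre-checks that the external token's `iss`, `sub` and `aud` match what the federated credential was configured to trust, since a mismatch is the most common reason the exchange is rejected. The tenant ID, client ID, scope, and the sample external token are constructed placeholders; the issuer and subject format used for the sample follow GitHub Actions' OIDC tokens, and `api://AzureADTokenExchange` is the default audience a federated identity credential expects.

```python
"""Workload identity federation token exchange for a user-assigned managed
identity. Added example with constructed placeholder values; the real
signature and issuer validation is done by Entra, not by this script."""
import base64
import json
import urllib.parse
import urllib.request

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Default audience that an Entra federated identity credential expects.
DEFAULT_FIC_AUDIENCE = "api://AzureADTokenExchange"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_external_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample token (alg=none) so the example runs offline.
    A real IdP token is signed; Entra verifies it against the IdP's JWKS."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_external_token(token: str, issuer: str, subject: str,
                         audience: str = DEFAULT_FIC_AUDIENCE) -> list[str]:
    """Compare the external token's claims with the federated credential's
    configured issuer/subject/audience. Returns the list of mismatches;
    an empty list means the exchange can be attempted."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub {claims.get('sub')!r} != {subject!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        problems.append(f"aud {aud!r} lacks {audience!r}")
    return problems


def build_token_request(tenant_id: str, mi_client_id: str,
                        external_token: str, scope: str) -> tuple[str, dict]:
    """Build the v2.0 token endpoint URL and form body for the exchange.
    No secret is sent: the external token itself is the client assertion."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": mi_client_id,  # client ID of the user-assigned MI
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": external_token,
        "scope": scope,
    }
    return url, form


def exchange_token(tenant_id: str, mi_client_id: str,
                   external_token: str, scope: str) -> str:
    """Perform the exchange and return the Entra access token (network call)."""
    url, form = build_token_request(tenant_id, mi_client_id, external_token, scope)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


# Constructed sample claims in the shape of a GitHub Actions OIDC token.
SAMPLE_ISSUER = "https://token.actions.githubusercontent.com"
SAMPLE_SUBJECT = "repo:example-org/example-repo:ref:refs/heads/main"
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "sub": SAMPLE_SUBJECT,
                 "aud": DEFAULT_FIC_AUDIENCE, "exp": 1700000000}
SAMPLE_EXTERNAL_TOKEN = make_sample_external_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    mismatches = check_external_token(SAMPLE_EXTERNAL_TOKEN, SAMPLE_ISSUER, SAMPLE_SUBJECT)
    print("pre-check mismatches:", mismatches)
    # Placeholder tenant/client/scope; a real run would call exchange_token().
    url, form = build_token_request("<tenant-id>", "<mi-client-id>",
                                    SAMPLE_EXTERNAL_TOKEN, "https://<resource>/.default")
    print(url, {k: v for k, v in form.items() if k != "client_assertion"})
```

The pre-check mirrors the trust the federated credential defines (issuer, subject, audience); a `sub` that does not match, for example a token minted for a different branch or repository, is exactly what Entra will refuse, so surfacing it locally makes pipeline failures easier to diagnose.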

@eduardodfmex eduardodfmex added the enhancement (New feature or request) and security labels Mar 26, 2024
@mattdot mattdot changed the title from “Manage Identity for the provider” to “Implement Managed Identity for the provider authentication” Mar 26, 2024
@mattdot
Member

mattdot commented Mar 26, 2024

This is a good feature to have. Need to investigate if PP APIs can accept MI credentials for authentication and how to grant Power Platform access rights to MI identities.

@mattdot mattdot added this to the Preview 2 milestone Mar 26, 2024
@webstean
Contributor

webstean commented Sep 8, 2024

@Lonache

Lonache commented Nov 13, 2024

It would indeed be super useful to be able to configure a user-assigned managed identity to trust an external identity provider in Terraform, as per https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust-user-assigned-managed-identity?pivots=identity-wif-mi-methods-azp (this is only possible for applications right now). This is a matter for the azuread provider, correct?

@ianjensenisme ianjensenisme self-assigned this Nov 18, 2024
@mattdot mattdot changed the title from “Implement Managed Identity for the provider authentication” to “Managed Identity for the provider authentication” Dec 11, 2024