k8s Azure OIDC Federated Microsoft Entra Workload ID

Check for old Azure identities pre-OIDC

az cli - check identity used by AKS cluster

az cli - new OIDC issuer and workload identity enabled for AKS

View all AKS ServiceAccounts with workload identity annotations/labels

A - from AKS using kubectl

B - from Azure using cli
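Added example (not from the original page) for the two views above: A lists every ServiceAccount in the cluster together with the azure.workload.identity/client-id annotation the webhook keys on, B lists the federated credentials on the managed identity from the Azure side, so the two can be cross-checked (every federated subject should correspond to an annotated ServiceAccount, and vice versa). It assumes kubectl is pointed at the AKS cluster, az is logged in, and the identity name and resource group are the placeholders used elsewhere on this page.

```shell
#!/usr/bin/env bash
# Added example: inventory ServiceAccounts wired to Azure Workload Identity from both sides.
# Assumes kubectl and az are configured; IDENTITY_NAME / RESOURCE_GROUP are placeholders.
set -eu

IDENTITY_NAME="${IDENTITY_NAME:-myWorkloadId}"   # placeholder from the page
RESOURCE_GROUP="${RESOURCE_GROUP:-myRg}"         # placeholder from the page

# A - cluster side: every ServiceAccount with the client-id annotation the webhook reads.
# kubectl prints <none> when the annotation is absent; dots in the key must be escaped.
list_sa_annotations() {
  kubectl get serviceaccounts -A --no-headers \
    -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,CLIENT_ID:.metadata.annotations.azure\.workload\.identity/client-id'
}

# Keep only rows that carry a client id. Pure text filter over the column output above,
# so it can be exercised offline on constructed input.
only_federated() {
  awk '$3 != "<none>" && $3 != "" { print $1 ":" $2 " -> " $3 }'
}

# B - Azure side: the federated credentials that name ServiceAccounts as their subject.
list_federated_credentials() {
  az identity federated-credential list \
    --identity-name "$IDENTITY_NAME" \
    --resource-group "$RESOURCE_GROUP" \
    --query '[].{name:name, issuer:issuer, subject:subject, audiences:audiences}' \
    -o table
}

# Only talk to the cluster/Azure when invoked as "<script> run"; otherwise just define functions.
if [ "${1:-}" = "run" ]; then
  echo "# ServiceAccounts annotated for workload identity (namespace:name -> client id):"
  list_sa_annotations | only_federated
  echo "# Federated credentials on managed identity $IDENTITY_NAME:"
  list_federated_credentials
fi
```

Run it as `./wi-inventory.sh run`. A subject in the Azure output that has no matching `namespace:name` row in the cluster output is a stale federation worth removing; an annotated ServiceAccount with no federated credential will simply fail token exchange.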

How to create Entra Identity

  1. Create the managed identity (no password, so there is no secret to rotate or leak):

    az identity create --name myWorkloadId --resource-group myRg --location eastus

  2. Assign roles to its service principal, scoped to the resources the workload needs:

    az role assignment create --assignee <principalId> --role "Key Vault Secrets User" --scope <kv-resource-id>

  3. Create the federated identity credential on the managed identity:

    az identity federated-credential create \
      --name "fed-cred-backend" \
      --identity-name myWorkloadId \
      --resource-group myRg \
      --issuer "<your-aks-oidc-issuer-url>" \
      --subject "system:serviceaccount:finance:backend-sa" \
      --audience "api://AzureADTokenExchange"

    • This links the Kubernetes ServiceAccount → AKS OIDC issuer → the managed identity's service principal; a ServiceAccount token is only exchanged when issuer, subject and audience all match the credential.
    • --subject follows Kubernetes' standard format for identifying a ServiceAccount in the sub (subject) claim of its JWT:

      • system:serviceaccount: the fixed prefix Kubernetes uses for all ServiceAccount-based subjects

      • finance: the Kubernetes namespace the ServiceAccount lives in

      • backend-sa: the name of the Kubernetes ServiceAccount resource, e.g.

        kubectl create serviceaccount backend-sa -n finance

      • For AKS + Workload ID the subject always follows the system:serviceaccount:<namespace>:<sa-name> pattern.

  4. Create or annotate the Kubernetes ServiceAccount → a pod starts using that ServiceAccount → the mutating webhook injects the env vars → the pod requests a token from the Microsoft identity platform using the federation flow → it gets an access token scoped as the service principal.
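The four steps above as one script, added here as an example (it is not the page author's script). It reads the OIDC issuer URL from the cluster instead of pasting it, builds and validates the subject claim with a helper (wi_subject, a name chosen for this example), and finishes by applying the annotated ServiceAccount. Assumptions: az and kubectl are logged in, the cluster name (myAksCluster) is a placeholder not taken from the page, and KV_ID must be replaced with the Key Vault resource id. The annotation azure.workload.identity/client-id and the pod label azure.workload.identity/use are the real keys the AKS workload identity webhook uses.

```shell
#!/usr/bin/env bash
# Added example: end-to-end setup of one AKS workload identity (steps 1-4 on this page).
# Placeholders to replace: RG, LOCATION, CLUSTER, IDENTITY, NAMESPACE, SA, KV_ID.
set -eu

RG="${RG:-myRg}"
LOCATION="${LOCATION:-eastus}"
CLUSTER="${CLUSTER:-myAksCluster}"     # assumed cluster name; not given on the page
IDENTITY="${IDENTITY:-myWorkloadId}"
NAMESPACE="${NAMESPACE:-finance}"
SA="${SA:-backend-sa}"
KV_ID="${KV_ID:-<kv-resource-id>}"     # placeholder, as on the page
AUDIENCE="api://AzureADTokenExchange"

# Build the subject claim the federated credential has to match. Namespace and
# ServiceAccount names are DNS labels; reject anything else here instead of creating a
# credential whose subject can never match a real token.
wi_subject() {
  ns="$1"; sa="$2"
  for v in "$ns" "$sa"; do
    printf '%s' "$v" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' && [ "${#v}" -le 63 ] || {
      echo "invalid DNS label: '$v'" >&2; return 1; }
  done
  printf 'system:serviceaccount:%s:%s' "$ns" "$sa"
}

# Step 1: user-assigned managed identity (no password), plus the ids later steps need.
ensure_identity() {
  az identity create --name "$IDENTITY" --resource-group "$RG" --location "$LOCATION" -o none
  CLIENT_ID="$(az identity show -n "$IDENTITY" -g "$RG" --query clientId -o tsv)"
  PRINCIPAL_ID="$(az identity show -n "$IDENTITY" -g "$RG" --query principalId -o tsv)"
}

# Step 2: least-privilege role on the single resource the workload reads from.
ensure_role() {
  az role assignment create --assignee "$PRINCIPAL_ID" \
    --role "Key Vault Secrets User" --scope "$KV_ID" -o none
}

# Step 3: federated credential = issuer + subject + audience bound to the identity.
# The issuer URL comes from the cluster's OIDC issuer profile.
ensure_federated_credential() {
  ISSUER="$(az aks show -n "$CLUSTER" -g "$RG" --query oidcIssuerProfile.issuerUrl -o tsv)"
  az identity federated-credential create \
    --name "fed-cred-${SA}" \
    --identity-name "$IDENTITY" \
    --resource-group "$RG" \
    --issuer "$ISSUER" \
    --subject "$(wi_subject "$NAMESPACE" "$SA")" \
    --audience "$AUDIENCE" -o none
}

# Step 4: the ServiceAccount pods run as, annotated with the identity's client id.
# Pods using it and labelled azure.workload.identity/use: "true" get AZURE_CLIENT_ID,
# AZURE_TENANT_ID, AZURE_AUTHORITY_HOST and AZURE_FEDERATED_TOKEN_FILE injected by the webhook.
ensure_service_account() {
  kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA}
  namespace: ${NAMESPACE}
  annotations:
    azure.workload.identity/client-id: "${CLIENT_ID}"
EOF
}

# Only act when invoked as "<script> run"; otherwise the functions are just defined.
if [ "${1:-}" = "run" ]; then
  ensure_identity
  ensure_role
  ensure_federated_credential
  ensure_service_account
  echo "federated subject: $(wi_subject "$NAMESPACE" "$SA")"
fi
```

Because the subject is derived from the same NAMESPACE and SA values that the ServiceAccount manifest uses, the credential and the cluster object cannot drift apart through a typo; rerunning the script is safe, as each az and kubectl command is idempotent for an existing object.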


CategoryK8sKubernetes CategorySecurity

k8sAzureOIDCMicrosoftEntraWorkloadID (last edited 2026-02-16 02:58:25 by PieterSmit)