Joel Verhagen
joelverhagen.com
Software dev on NuGet team, Microsoft
GitHub: github.com/joelverhagen
blog: joelverhagen.com
OIDC integration in build/deploy pipelines and in Entra ID is such a game-changer in my mind. It simplifies so much secret management and gives you the "feeling" (analogous capabilities) of managed identities outside of Azure.
September 24, 2025 at 2:23 PM
Azure DevOps WIF is the analogous idea in Azure DevOps land: devblogs.microsoft.com/devops/intro.... For a while, you traded an ADO minted token for Entra ID. Now you trade an Entra ID token (managed by ADO) for your service principal. But still, same idea as GHA.
September 24, 2025 at 2:21 PM
This can be done with the federated credentials. docs.github.com/en/actions/h... and learn.microsoft.com/en-us/entra/.... It's very cool! The mental model is that you trade a GHA OIDC token for an Entra ID token. This is allowed by configuring your MI to accept a specific pattern of GitHub token.
Configuring OpenID Connect in Azure - GitHub Docs
Use OpenID Connect within your workflows to authenticate with Azure.
docs.github.com
September 24, 2025 at 2:18 PM
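
The token trade described in the post above, as an added example that is not part of the original posts: a simplified Python sketch of the claim check a federated credential applies before a GitHub Actions OIDC token is exchanged. The repository name, helper names and unsigned sample tokens are constructed, and exact matching of the subject is an assumption about the default credential type.

```python
import base64
import json

# Federated credential as configured on the Entra ID side (constructed values;
# example-org/example-repo is a placeholder repository).
FEDERATED_CREDENTIAL = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:example-org/example-repo:ref:refs/heads/main",
    "audiences": ["api://AzureADTokenExchange"],
}

def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(sub: str, aud: str = "api://AzureADTokenExchange",
                      iss: str = "https://token.actions.githubusercontent.com") -> str:
    """Build an unsigned, constructed stand-in for a GHA OIDC token."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(header)}.{_b64url({'iss': iss, 'sub': sub, 'aud': aud})}."

def decode_claims(token: str) -> dict:
    """Decode the JWT payload. Signature verification against the issuer's
    JWKS is skipped here only because the sample tokens are constructed."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_exchange(token: str, cred: dict = FEDERATED_CREDENTIAL) -> tuple[bool, str]:
    """Return (allowed, reason) for trading this token against the credential."""
    claims = decode_claims(token)
    if claims.get("iss") != cred["issuer"]:
        return False, "issuer mismatch"
    if claims.get("aud") not in cred["audiences"]:
        return False, "audience mismatch"
    if claims.get("sub") != cred["subject"]:  # assumed exact, case-sensitive match
        return False, "subject mismatch"
    return True, "ok"
```

A subject scoped to one branch means tokens minted for pull requests or for other repositories fail the check, which is what keeps the trust relationship narrow.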
Thanks Mattias, that's encouraging!
My team did the hard work. I just happened to be on comms at the time and answering questions :)
I'm excited to see it GA soon.
Great combination of UX improvement (no more manual rotation of secrets) and a security win (not needing long-lived API keys).
September 13, 2025 at 1:57 AM