Commit 101c38e

Merge pull request #221073 from rwike77/blockfic
initial draft
2 parents fff546a + bb83b21 commit 101c38e

File tree

5 files changed

+48
-0
lines changed

articles/active-directory/develop/TOC.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -153,6 +153,8 @@
153153
href: workload-identity-federation-create-trust-user-assigned-managed-identity.md
154154
- name: Access identity platform-protected resources from GCP
155155
href: workload-identity-federation-create-trust-gcp.md
156+
- name: Block creation of federated credentials
157+
href: workload-identity-federation-block-using-azure-policy.md
156158
- name: Exchange AD FS SAML for Microsoft Graph access token
157159
displayName: exchange, swap, SAML token, OAuth token
158160
href: v2-saml-bearer-assertion.md
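Review bot: The new TOC entry's href must match the filename of the article added in this same PR, but the second hunk on this page does not show its file path, so confirm the new file is actually named workload-identity-federation-block-using-azure-policy.md (the article's own image paths under media/workload-identity-federation-block-using-azure-policy/ suggest that base name, but the href is what readers will follow). Also consider aligning the entry name "Block creation of federated credentials" with the article's H1 ("Block workload identity federation on managed identities using a policy") so the TOC and page title read the same.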
Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
---
2+
title: Block workload identity federation using Azure Policy
3+
description: Learn how to use a built-in Azure Policy to block workload identity federation on user-assigned managed identities. Govern the use of federated identity credentials on managed identities so that no one can access Azure Active Directory protected resources from external workloads.
4+
services: active-directory
5+
author: rwike77
6+
manager: CelesteDG
7+
8+
ms.service: active-directory
9+
ms.subservice: develop
10+
ms.topic: how-to
11+
ms.workload: identity
12+
ms.date: 12/12/2022
13+
ms.author: ryanwi
14+
ms.custom: aaddev
15+
ms.reviewer: cbrooks, udayh, vakarand
16+
17+
#Customer intent: As an application developer or administrator, I want to block the creation of a federated credential on a managed identity so I can block everyone from using workload identity federation.
18+
---
19+
20+
# Block workload identity federation on managed identities using a policy
21+
22+
This article describes how to block the creation of federated identity credentials on user-assigned managed identities by using Azure Policy. By blocking the creation of federated identity credentials, you can block everyone from using [workload identity federation](workload-identity-federation.md) to access Azure AD protected resources. [Azure Policy](/azure/governance/policy/overview) helps enforce certain business rules on your Azure resources and assess compliance of those resources.
23+
24+
The Not allowed resource types built-in policy can be used to block the creation of federated identity credentials on user-assigned managed identities.
25+
26+
## Create a policy assignment
27+
28+
To create a policy assignment for the Not allowed resource types that blocks the creation of federated identity credentials in a subscription or resource group:
29+
30+
1. Sign in to the [Azure portal](https://portal.azure.com).
31+
1. Navigate to **Policy** in the Azure portal.
32+
1. Go to the **Definitions** pane.
33+
1. In the **Search** box, search for "Not allowed resource types" and select the *Not allowed resource types* policy in the list of returned items.
34+
:::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-search.png" alt-text="Screenshot showing search results in the Azure Policy Definitions pane." border="false":::
35+
1. After selecting the policy, you can now see the **Definition** tab.
36+
1. Click the **Assign** button to create an Assignment.
37+
:::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-assign.png" alt-text="Screenshot showing Policy Definition pane." border="false":::
38+
1. In the **Basics** tab, fill out **Scope** by setting the **Subscription** and optionally set the **Resource Group**.
39+
1. In the **Parameters** tab, select **userAssignedIdentities/federatedIdentityCredentials** from the **Not allowed resource types** list. Select **Review and create**.
40+
:::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-assign-parameters.png" alt-text="Screenshot showing Parameters tab." border="false":::
41+
1. Apply the Assignment by selecting **Create**.
42+
1. View your assignment in the **Assignments** tab next to **Definition**.
43+
44+
## Next steps
45+
46+
Learn how to [manage a federated identity credential on a user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) in Azure Active Directory (Azure AD).
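Review bot: The description and intro overstate what the policy achieves: lines 3 and 22 say it lets you "block everyone" from using workload identity federation so that "no one can access" Azure AD protected resources from external workloads, but the policy as configured in step 39 only denies creation of federatedIdentityCredentials under user-assigned managed identities. Two caveats belong in the article: a Deny assignment stops new credentials from being created after the assignment but does not remove federated identity credentials that already exist (point readers at the assignment's compliance view to find existing non-compliant resources), and the scope is user-assigned managed identities only. Step 39 would also be clearer if it gave the resource type with its resource provider prefix rather than the portal's shortened "userAssignedIdentities/federatedIdentityCredentials", since readers assigning the policy outside the portal need the full type name. Minor style: step 36 uses "Click the **Assign** button" while the other steps use "Select"; use "Select" throughout.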
