| 1 | +--- |
| 2 | +title: Block workload identity federation using Azure Policy |
| 3 | +description: Learn how to use a built-in Azure Policy to block workload identity federation on user-assigned managed identities. Govern the use of federated identity credentials on managed identities so that no one can access Azure Active Directory protected resources from external workloads. |
| 4 | +services: active-directory |
| 5 | +author: rwike77 |
| 6 | +manager: CelesteDG |
| 7 | + |
| 8 | +ms.service: active-directory |
| 9 | +ms.subservice: develop |
| 10 | +ms.topic: how-to |
| 11 | +ms.workload: identity |
| 12 | +ms.date: 12/12/2022 |
| 13 | +ms.author: ryanwi |
| 14 | +ms.custom: aaddev |
| 15 | +ms.reviewer: cbrooks, udayh, vakarand |
| 16 | + |
| 17 | +#Customer intent: As an application developer or administrator, I want to block the creation of a federated credential on a managed identity so I can block everyone from using workload identity federation. |
| 18 | +--- |
| 19 | + |
| 20 | +# Block workload identity federation on managed identities using a policy |
| 21 | + |
| 22 | +This article describes how to block the creation of federated identity credentials on user-assigned managed identities by using Azure Policy. By blocking the creation of federated identity credentials, you can block everyone from using [workload identity federation](workload-identity-federation.md) to access Azure AD protected resources. [Azure Policy](/azure/governance/policy/overview) helps enforce certain business rules on your Azure resources and assess compliance of those resources. |
| 23 | + |
| 24 | +The Not allowed resource types built-in policy can be used to block the creation of federated identity credentials on user-assigned managed identities. |
| 25 | + |
| 26 | +## Create a policy assignment |
| 27 | + |
| 28 | +To create a policy assignment for the Not allowed resource types that blocks the creation of federated identity credentials in a subscription or resource group: |
| 29 | + |
| 30 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 31 | +1. Navigate to **Policy** in the Azure portal. |
| 32 | +1. Go to the **Definitions** pane. |
| 33 | +1. In the **Search** box, search for "Not allowed resource types" and select the *Not allowed resource types* policy in the list of returned items. |
| 34 | + :::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-search.png" alt-text="Screenshot showing search results in the Azure Policy Definitions pane." border="false"::: |
| 35 | +1. After selecting the policy, you can now see the **Definition** tab. |
| 36 | +1. Click the **Assign** button to create an Assignment. |
| 37 | + :::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-assign.png" alt-text="Screenshot showing Policy Definition pane." border="false"::: |
| 38 | +1. In the **Basics** tab, fill out **Scope** by setting the **Subscription** and optionally set the **Resource Group**. |
| 39 | +1. In the **Parameters** tab, select **userAssignedIdentities/federatedIdentityCredentials** from the **Not allowed resource types** list. Select **Review and create**. |
| 40 | + :::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-assign-parameters.png" alt-text="Screenshot showing Parameters tab." border="false"::: |
| 41 | +1. Apply the Assignment by selecting **Create**. |
| 42 | +1. View your assignment in the **Assignments** tab next to **Definition**. |
| 43 | + |
| 44 | +## Next steps |
| 45 | + |
| 46 | +Learn how to [manage a federated identity credential on a user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) in Azure Active Directory (Azure AD). |
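Review bot: the description and intro overstate what this assignment achieves: "so that no one can access Azure Active Directory protected resources from external workloads" and "you can block everyone from using workload identity federation" do not follow from a policy that, as the steps show, only denies the creation of new `userAssignedIdentities/federatedIdentityCredentials` resources within the scope set on the **Basics** tab. Federated identity credentials that already exist on user-assigned managed identities keep working (the policy only reports them as non-compliant), and credentials in subscriptions or resource groups outside the assigned scope are unaffected. Suggest narrowing the claim to "block the creation of new federated identity credentials", adding a sentence that existing credentials show up in the compliance assessment and must be reviewed and removed separately, and noting that the chosen **Scope** bounds the enforcement. Minor style: "Click the **Assign** button to create an Assignment" should use **Select** like the other steps, and "After selecting the policy, you can now see the **Definition** tab" reads as an observation rather than an instruction; also "Not allowed resource types" is bolded in the parameters step but plain elsewhere, so pick one treatment.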