| 1 | +--- |
| 2 | +title: Block workload identity federation using Azure Policy |
| 3 | +description: |
| 4 | +services: active-directory |
| 5 | +author: rwike77 |
| 6 | +manager: CelesteDG |
| 7 | + |
| 8 | +ms.service: active-directory |
| 9 | +ms.subservice: develop |
| 10 | +ms.topic: how-to |
| 11 | +ms.workload: identity |
| 12 | +ms.date: 12/09/2022 |
| 13 | +ms.author: ryanwi |
| 14 | +ms.custom: aaddev |
| 15 | +ms.reviewer: cbrooks, udayh, vakarand |
| 16 | + |
| 17 | +#Customer intent: As an application developer or administrator, I want to block the creation of a federated credential on a managed identity so I can allow only trusted partners to use workload identity federation. |
| 18 | +--- |
| 19 | + |
| 20 | +# Configure an app to trust an external identity provider |
| 21 | + |
| 22 | +This article describes how to block the creation of federated identity credentials on managed identities by using Azure Policy. By blocking the creation of federated identity credentials, you can allow only trusted federation partners to use [workload identity federation](workload-identity-federation.md) to access Azure AD protected resources. [Azure Policy](/azure/governance/policy/overview) helps enforce certain business rules on your Azure resources and assess compliance of those resources. |
| 23 | + |
| 24 | +The Not allowed resource types built-in policy can be used to block the creation of federated identity credentials on user-assigned managed identities. |
| 25 | + |
| 26 | +## Create a policy assignment |
| 27 | + |
| 28 | +To create a policy assignment for the Not allowed resource types that blocks the creation of federated identity credentials in a subscription or resource group: |
| 29 | + |
| 30 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 31 | +1. Navigate to **Policy** in the Azure portal. |
| 32 | +1. Go to the **Definitions** pane. |
| 33 | +1. In the **Search** box, search for "Not allowed resource types" and select the *Not allowed resource types* policy in the list of returned items. |
| 34 | + :::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-search.png" alt-text="Screenshot showing search results in the Azure Policy Definitions pane." border="false"::: |
| 35 | +1. After selecting the policy, you can now see the **Definition** tab. |
| 36 | +1. Click the **Assign** button to create an Assignment. |
| 37 | + :::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-assign.png" alt-text="Screenshot showing Policy Definition pane." border="false"::: |
| 38 | +1. In the **Basics** tab, fill out **Scope** by setting the **Subscription** and optionally set the **Resource Group**. |
| 39 | +1. In the **Parameters** tab, select **userAssignedIdentities/federatedIdentityCredentials** from the **Not allowed resource types** list. Select **Review and create**. |
| 40 | + :::image type="content" source="media/workload-identity-federation-block-using-azure-policy/azure-policy-assign-parameters.png" alt-text="Screenshot showing Parameters tab." border="false"::: |
| 41 | +1. Apply the Assignment by selecting **Create**. |
| 42 | +1. View your assignment in the **Assignments** tab next to **Definition**. |
| 43 | + |
| 44 | +## Next steps |
| 45 | + |
| 46 | +Learn how to [manage a federated identity credential on a user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) in Azure Active Directory (Azure AD). |
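Review bot: the H1 on line 20, "Configure an app to trust an external identity provider", contradicts the front-matter `title:` on line 2 ("Block workload identity federation using Azure Policy") and describes a different procedure than the one the body documents; suggest `# Block workload identity federation using Azure Policy` so the rendered heading, the page title and the article's content agree. The `description:` field on line 3 is also left empty; a one-sentence summary (for example, that the article shows how to use the Not allowed resource types built-in policy to block federated identity credentials on user-assigned managed identities) belongs there, since that metadata is what search results and link previews display.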