Service Principals & Workload Identities

Reference for service principals, managed identities, and workload identity federation in Entra ID and Azure.

Instances

Service principals are the runtime security principals for apps and workloads in a tenant.

Managed identities

Azure provides identities for services so no local secrets are required.

Federation

Workload identity federation replaces secrets with short-lived tokens from GitHub, Kubernetes, or other OIDC issuers.

Permissions

Permissions can be granted separately for Azure resources, Microsoft Graph, and custom APIs.

Service principal types

A service principal represents an application or workload inside a tenant. It owns credentials, roles, and a security identity for tokens and policies.

| Type | Description | Typical use |
|---|---|---|
| Application | Instance of an app registration or gallery app | SaaS, daemons, automation |
| Managed identity | Azure-managed identity for a service | App Service, VM, Functions, Container Apps |
| Legacy | Classic service principal with a secret or certificate, outside managed identity/federation | Older scripts, on-prem agents, external schedulers |

Managed identities

Managed identities delegate credential management to Azure. A system-assigned identity is bound to exactly one resource, whereas a user-assigned identity is created separately and can be attached to multiple resources.

| Variant | Characteristics | When to use |
|---|---|---|
| System-assigned | Lifecycle tied to the resource | Single app or VM |
| User-assigned | Standalone Azure resource, reusable | Multiple apps with a shared identity |

| Service | Support | Note |
|---|---|---|
| Virtual Machines | System + User | Classic host for scripts or agents |
| VM Scale Sets | System + User | Scaled compute workloads |
| App Service | System + User | Web apps and API backends |
| Azure Functions | System + User | Serverless triggers and jobs |
| Logic Apps Standard | System + User | Connector calls without secrets |
| Container Apps | System + User | Containerized APIs and workers |
| Container Instances | System + User | Short-lived batch containers |
| Automation Account | System | Runbooks with Azure access |
| API Management | System + User | Backend access and Key Vault |
| Data Factory | System + User | Pipelines and linked services |
| Synapse Workspace | System + User | Pipelines, Spark, integration |
| Service Fabric | System | Cluster-based apps |
| Azure Batch | User | Batch pools with reusable identity |
| Spring Apps | System + User | Java applications |
| Arc-enabled Servers | System | Hybrid servers under Azure control |
| Machine Learning | System + User | Training and inference workloads |
```powershell
# Create a user-assigned managed identity (Az.ManagedServiceIdentity module)
$mi = New-AzUserAssignedIdentity `
  -Name "uami-contoso-deploy" `
  -ResourceGroupName "rg-identity" `
  -Location "westeurope"

# Attach the identity to the App Service; $mi.Id is the identity's ARM resource id
Set-AzWebApp `
  -Name "contoso-api-prod" `
  -ResourceGroupName "rg-apps" `
  -AssignIdentity $true `
  -UserAssignedIdentityId $mi.Id
```

Workload identity federation

Workload identity federation replaces stored secrets with trust relationships based on OIDC tokens. It is especially valuable for GitHub Actions, Kubernetes, and other CI/CD systems that can issue short-lived identity assertions.

| Scenario | Issuer | Subject | Typical benefit |
|---|---|---|---|
| GitHub Actions | https://token.actions.githubusercontent.com | repo:org/repo:ref:refs/heads/main | Secret-free deployments |
| Kubernetes | Cluster OIDC issuer | system:serviceaccount:ns:sa | Pods access Azure |
| Azure DevOps / other OIDC providers | Platform-specific | Pipeline-specific | Short-lived tokens instead of secrets |
| External IdP | Any trusted OIDC issuer | Application-specific | B2B or integration scenarios |

Federation credential configuration

| Field | Meaning | Example |
|---|---|---|
| name | Unique display name | github-main |
| issuer | OIDC issuer | https://token.actions.githubusercontent.com |
| subject | Claim that must match exactly | repo:contoso/api:ref:refs/heads/main |
| audiences | Allowed audience list | api://AzureADTokenExchange |
| description | Operational comment | Deploy from protected branch |

```powershell
# Look up the app registration that receives the federated credential
$app = Get-MgApplication -Filter "displayName eq 'contoso-deploy'"

# Trust is scoped to issuer, subject and audience; all three must match the incoming token
$body = @{
  name = "github-main"
  issuer = "https://token.actions.githubusercontent.com"
  subject = "repo:contoso/api:ref:refs/heads/main"
  audiences = @("api://AzureADTokenExchange")
  description = "GitHub Actions deployment from main"
} | ConvertTo-Json

Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/applications/$($app.Id)/federatedIdentityCredentials" `
  -Body $body `
  -ContentType "application/json"
```

Assign permissions to managed identities

For Azure resources, use Azure RBAC roles such as Reader, Key Vault Secrets User, or Storage Blob Data Contributor. For Microsoft Graph or custom APIs, work with app roles on the managed identity's service principal.

```powershell
# Azure RBAC: role assignment scoped to a single Key Vault
New-AzRoleAssignment `
  -ObjectId $mi.PrincipalId `
  -RoleDefinitionName "Key Vault Secrets User" `
  -Scope "/subscriptions/<subId>/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-prod"

# Graph app role assignment (example)
# 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role = $graphSp.AppRoles | Where-Object Value -eq "User.Read.All"
$miSp = Get-MgServicePrincipal -Filter "displayName eq 'uami-contoso-deploy'"

New-MgServicePrincipalAppRoleAssignment `
  -ServicePrincipalId $miSp.Id `
  -PrincipalId $miSp.Id `
  -ResourceId $graphSp.Id `
  -AppRoleId $role.Id
```

SP credential management

Where managed identity or federation is not possible, manage secrets and certificates strictly by lifetime, scope, and owner. Inventory, expiry monitoring, and rotation are mandatory.

| Control | Recommendation | Why |
|---|---|---|
| Expiry | 6-12 months maximum, shorter is better | Reduces the abuse window |
| Storage | Only in a secret store | Prevents leaks in code or logs |
| Ownership | Document business and technical ownership | Faster incident handling |
| Rotation | Overlapping and tested | Avoids outages |
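The following Python is an added example, not from the original page: it applies the expiry and rotation controls above to application credentials in the shape the Graph passwordCredentials collection returns. The app names, appIds and keyIds are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample in the shape Get-MgApplication returns for passwordCredentials
# (display names, appIds and keyIds are placeholders, not real tenant data).
SAMPLE_APPS = [
    {"displayName": "contoso-deploy", "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [
         {"keyId": "k1", "displayName": "ci-2023",
          "startDateTime": "2023-01-15T00:00:00Z", "endDateTime": "2025-01-15T00:00:00Z"},
         {"keyId": "k4", "displayName": "ci-2024",
          "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-06-20T00:00:00Z"},
     ]},
    {"displayName": "legacy-scheduler", "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [
         {"keyId": "k2", "displayName": "old",
          "startDateTime": "2023-06-01T00:00:00Z", "endDateTime": "2024-05-01T00:00:00Z"},
         {"keyId": "k3", "displayName": "rotated",
          "startDateTime": "2024-04-01T00:00:00Z", "endDateTime": "2024-10-01T00:00:00Z"},
     ]},
    {"displayName": "on-prem-agent", "appId": "00000000-0000-0000-0000-000000000003",
     "passwordCredentials": [
         {"keyId": "k5", "displayName": "agent",
          "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-06-11T00:00:00Z"},
     ]},
    {"displayName": "federated-only", "appId": "00000000-0000-0000-0000-000000000004",
     "passwordCredentials": []},
]

# Fixed "now" so the audit is reproducible
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO 8601 UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_secrets(apps: list, now: datetime, max_lifetime_days: int = 365, warn_days: int = 30) -> list:
    """Flag secrets whose lifetime exceeds policy (12 months by default), that are
    expired, or that expire within warn_days. A soon-expiring secret with no
    longer-lived sibling on the same app is reported separately, because that app
    has nothing to fail over to during rotation. Findings: (app, keyId, kind, days)."""
    findings = []
    for app in apps:
        creds = app.get("passwordCredentials", [])
        for cred in creds:
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            lifetime_days = (end - start).days
            remaining_days = (end - now).days
            if lifetime_days > max_lifetime_days:
                findings.append((app["displayName"], cred["keyId"], "lifetime_exceeds_policy", lifetime_days))
            if end <= now:
                findings.append((app["displayName"], cred["keyId"], "expired", remaining_days))
            elif remaining_days <= warn_days:
                overlap = any(parse_graph_time(o["endDateTime"]) > end for o in creds if o is not cred)
                kind = "expiring_soon" if overlap else "expiring_soon_no_overlap"
                findings.append((app["displayName"], cred["keyId"], kind, remaining_days))
    return findings


def audit_samples() -> list:
    """Run the audit over the constructed sample tenant."""
    return audit_secrets(SAMPLE_APPS, NOW)
```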

PowerShell + Graph

```powershell
# Inventory service principals
Get-MgServicePrincipal -All |
  Select-Object DisplayName, Id, AppId, ServicePrincipalType, AccountEnabled

# Read federated credentials ($app from Get-MgApplication)
Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/applications/$($app.Id)/federatedIdentityCredentials"

# Remove a secret that is no longer needed
Remove-MgApplicationPassword `
  -ApplicationId $app.Id `
  -KeyId "<key-guid>"
```

Complete workload identity federation reference

Workload identity federation replaces long-lived secrets with trust-based OIDC or token exchange relationships. It is especially valuable for GitHub Actions, Kubernetes, Google Cloud, AWS, and generic OIDC issuers.

| Provider | Issuer | Subject | Note |
|---|---|---|---|
| GitHub Actions | https://token.actions.githubusercontent.com | repo:{owner}/{repo}:ref:refs/heads/main or environment:{name} | Audience is usually api://AzureADTokenExchange. |
| AKS Workload Identity | AKS OIDC issuer URL | system:serviceaccount:{namespace}:{serviceaccount} | AZURE_FEDERATED_TOKEN_FILE is consumed by the pod. |
| External Kubernetes | Cluster-owned OIDC issuer | system:serviceaccount:{namespace}:{serviceaccount} | Issuer must be publicly or otherwise trustably reachable. |
| Google Cloud | https://accounts.google.com or workload identity pool issuer | Service account subject or mapped principal | Plan claim mapping carefully. |
| AWS | sts.amazonaws.com / IAM OIDC Provider | Role or provider dependent | AWS trust policy and the Entra federated credential must align. |
| Generic OIDC | Any compatible issuer | Freely selected subject | Define aud, iss, and sub very restrictively. |

GitHub subject claim formats

| Pattern | Meaning | Use |
|---|---|---|
| repo:contoso/api:ref:refs/heads/main | Main branch only | Safe for production deployments |
| repo:contoso/api:ref:refs/tags/v* | Release tags | Release-based approvals |
| repo:contoso/api:pull_request | Pull requests | Only for low-privilege tests |
| repo:contoso/api:environment:prod | GitHub environment prod | Recommended for manually protected deployments |

Kubernetes, AKS, and external clusters

GitHub Actions workflow

```yaml
name: deploy-with-federation

on:
  push:
    branches:
      - main
  workflow_dispatch:

# id-token: write lets the job request an OIDC token; nothing else is needed for login
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: prod
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Client, tenant and subscription ids are not secrets, but GitHub secrets are a convenient store
      - name: Azure login via OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Show caller
        run: az account show

      - name: Deploy Bicep
        run: |
          az deployment group create \
            --resource-group rg-prod-contoso \
            --template-file infra/main.bicep \
            --parameters environment=prod

      - name: Read Graph token audience
        run: az account get-access-token --resource-type ms-graph

      - name: Logout
        run: az logout
```

AKS workload identity setup

```bash
# Enable the cluster OIDC issuer and the workload identity webhook
az aks update \
  --name aks-prod \
  --resource-group rg-aks \
  --enable-oidc-issuer \
  --enable-workload-identity

# User-assigned identity the pods will run as
az identity create \
  --name id-orders-api \
  --resource-group rg-aks

# Federated credential: trust only the orders/orders-api service account of this cluster's issuer
az identity federated-credential create \
  --name fic-orders-api \
  --identity-name id-orders-api \
  --resource-group rg-aks \
  --issuer $(az aks show -g rg-aks -n aks-prod --query oidcIssuerProfile.issuerUrl -o tsv) \
  --subject system:serviceaccount:orders:orders-api \
  --audience api://AzureADTokenExchange

# Kubernetes side: the annotation binds the service account to the identity's client id
kubectl create namespace orders
kubectl create serviceaccount orders-api -n orders
kubectl annotate serviceaccount orders-api -n orders azure.workload.identity/client-id=<managed-identity-client-id>
kubectl label serviceaccount orders-api -n orders azure.workload.identity/use=true
```

AWS trust policy JSON

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:contoso/api:ref:refs/heads/main"
        }
      }
    }
  ]
}
```
Least privilege

Do not trust only the issuer. Always constrain subject, audience, and ideally the exact branch, GitHub environment, or service account subject as well.
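As an added example (not code from the original page), the following Python models the exact-match checks an Entra federated credential applies to an incoming assertion, using the github-main credential from the configuration table and constructed sample claim sets. The verdicts show why a matching issuer alone is not enough.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class FederatedCredential:
    """Mirrors the fields of an Entra federated identity credential."""
    name: str
    issuer: str
    subject: str
    audiences: tuple = ("api://AzureADTokenExchange",)


def evaluate_assertion(fic: FederatedCredential, claims: dict, now: datetime) -> tuple:
    """Exact-match policy for an incoming OIDC assertion: iss, sub and aud must all
    match the credential and the token must not be expired. Returns (accepted, reason)
    so an operator can see which constraint rejected the token."""
    if claims.get("iss") != fic.issuer:
        return False, "issuer mismatch"
    if claims.get("sub") != fic.subject:
        return False, "subject mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in fic.audiences for a in aud_list):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if exp is None or datetime.fromtimestamp(exp, tz=timezone.utc) <= now:
        return False, "token expired or missing exp"
    return True, "accepted"


# Credential for the main branch only, as in the configuration table
FIC_MAIN = FederatedCredential(
    name="github-main",
    issuer=GITHUB_ISSUER,
    subject="repo:contoso/api:ref:refs/heads/main",
)

# Constructed sample claim sets (not real tokens); "now" is fixed so the run is reproducible
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
EXP_OK = int(datetime(2024, 6, 1, 12, 5, tzinfo=timezone.utc).timestamp())
SAMPLE_CLAIMS = {
    # push to main: the only assertion that should be accepted
    "main_push": {"iss": GITHUB_ISSUER, "sub": "repo:contoso/api:ref:refs/heads/main",
                  "aud": "api://AzureADTokenExchange", "exp": EXP_OK},
    # same repo and issuer, but a pull_request subject: must not reach production
    "pull_request": {"iss": GITHUB_ISSUER, "sub": "repo:contoso/api:pull_request",
                     "aud": "api://AzureADTokenExchange", "exp": EXP_OK},
    # identical subject string from another issuer: issuer is checked first
    "other_issuer": {"iss": "https://oidc.example.invalid", "sub": "repo:contoso/api:ref:refs/heads/main",
                     "aud": "api://AzureADTokenExchange", "exp": EXP_OK},
    # token minted for AWS STS presented to Entra: the audience check keeps it out
    "aws_audience": {"iss": GITHUB_ISSUER, "sub": "repo:contoso/api:ref:refs/heads/main",
                     "aud": "sts.amazonaws.com", "exp": EXP_OK},
    # correct in every claim but already expired
    "stale": {"iss": GITHUB_ISSUER, "sub": "repo:contoso/api:ref:refs/heads/main",
              "aud": "api://AzureADTokenExchange", "exp": EXP_OK - 3600},
}


def evaluate_samples(fic: FederatedCredential = FIC_MAIN, now: datetime = NOW) -> dict:
    """Run every sample assertion through the policy and collect the verdicts."""
    return {name: evaluate_assertion(fic, claims, now) for name, claims in SAMPLE_CLAIMS.items()}
```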

Managed identity support by service

The following overview summarizes commonly used Azure services. The values reflect the usual resource configuration; individual sub-resources or older SKUs can differ.

| Service | System-assigned | User-assigned |
|---|---|---|
| Virtual Machines | Yes | Yes |
| Virtual Machine Scale Sets | Yes | Yes |
| Azure Kubernetes Service | Yes | Yes |
| App Service Web App | Yes | Yes |
| App Service Deployment Slot | Yes | Yes |
| Azure Functions | Yes | Yes |
| Logic Apps Standard | Yes | Yes |
| Logic Apps Consumption | Yes | Yes |
| Container Apps | Yes | Yes |
| Container Apps Jobs | Yes | Yes |
| Container Instances | Yes | Yes |
| API Management | Yes | Yes |
| Automation Account | Yes | Yes |
| Azure Data Factory | Yes | Yes |
| Synapse Workspace | Yes | Yes |
| Storage Account | Yes | Yes |
| Key Vault | Yes | Yes |
| Recovery Services Vault | Yes | Yes |
| Event Hubs Namespace | Yes | Yes |
| Service Bus Namespace | Yes | Yes |
| Azure SQL Managed Instance | Yes | Yes |
| Azure SQL Server | Yes | Yes |
| Azure SQL Database | Yes | No |
| Azure Database for PostgreSQL Flexible Server | Yes | Yes |
| Azure Database for MySQL Flexible Server | Yes | Yes |
| Azure Cosmos DB | Yes | Yes |
| Azure Cache for Redis | Yes | Yes |
| Azure AI Search | Yes | Yes |
| Azure AI Services / Cognitive Services | Yes | Yes |
| Azure Container Registry | Yes | Yes |
| Azure Machine Learning Workspace | Yes | Yes |
| Azure Machine Learning Compute Cluster | Yes | Yes |
| Azure Databricks Access Connector | Yes | Yes |
| Azure Maps Account | Yes | Yes |
| Azure SignalR Service | Yes | Yes |
| Azure Web PubSub | Yes | Yes |
| Azure IoT Hub | Yes | Yes |
| Azure Digital Twins | Yes | Yes |
| Azure Spring Apps | Yes | Yes |
| Azure Batch Account | Yes | Yes |
| Azure Communication Services | Yes | Yes |
| Azure Video Indexer | Yes | Yes |
| Azure Media Services | Yes | Yes |
| Azure Automation Hybrid Worker | No | Yes |
| Azure Arc-enabled Servers | Yes | Yes |
| Azure Arc-enabled Kubernetes | Yes | Yes |
| Azure Managed Grafana | Yes | Yes |
| Microsoft Fabric Capacity | Yes | Yes |
| Azure NetApp Files | Yes | Yes |
| Azure Chaos Studio | Yes | Yes |
| Azure Load Testing | Yes | Yes |
| Azure Stream Analytics Job | Yes | Yes |
| Azure Spring Apps Build Service | Yes | Yes |
| Azure App Configuration | Yes | Yes |
| Azure Dev Center Project | Yes | Yes |
| Azure Lab Services | Yes | Yes |
| Azure Automation Update Management | No | Yes |
| Azure VMware Solution Private Cloud | Yes | No |
| Azure Service Fabric Managed Cluster | Yes | Yes |
| Azure Monitor Workspace | Yes | Yes |