AADSTS700226: Only MSI tokens may be used as Federated Identity Credentials for AAD issuer
Looking for guidance from Microsoft Entra ID experts. I am trying to test the following scenario:
- Get a token from one Azure Tenant (T1) using client credential flow, but for token exchange scope. I am able to get the access token, no issue.
- Get a token from another Azure Tenant (T2) using the token received from T1 in step (1). App is registered in T2 with Federated Credential. Federated credential is configured with issuer being T1 and subject being object id of app id from T1.
- Use Postman to get token from T1. It works.
- Use Postman to get token from T2. It fails.
- My end goal is to use Federated Credential issued by Ping Federate or another issuer, but for the concept testing I am using another Azure Tenant (T1).
Question: My workload is deployed in AWS (or elsewhere) and I can't use Managed Identity since it is sitting outside Azure. Would I be able to use non AAD issuer to get a token for token exchange and use it with federated credential in T2?
Get Token from T1 for token exchange: This works fine.
Get Token from T2 using token received from T1: This is where I am getting error: AADSTS700226: Only MSI tokens may be used as Federated Identity Credentials for AAD issuer.
Note: You cannot use a client credentials token from one Azure AD tenant (T1) as a federated identity in another tenant (T2) because Microsoft Entra ID only supports MSI tokens from AAD issuers.
- To achieve token exchange from an external workload (e.g., AWS), use a non-AAD OIDC-compliant issuer (e.g., Ping Federate or AWS STS) to issue the JWT and configure it as the federated credential issuer in T2.
Hence, use an external OIDC-compliant IdP like AWS Cognito.
Create a Cognito identity for our workload:
aws cognito-identity get-open-id-token-for-developer-identity \
--identity-pool-id <the pool id you just created> \
--logins <developer provider name>=<a_unique_string_identifying_your_workload>
--region <aws region>
Configure an Azure AD identity to trust the Amazon Cognito token:
az identity federated-credential create --name AccessFromAWS --identity-name workload-federate-MI1 \
--resource-group codesamples-rg --issuer https://cognito-identity.amazonaws.com \
--subject us-east-1:xxx --audience us-east-1:xxx
- Then get a Cognito token using AWS CLI.
- And login to Azure using that token.
For more in detail refer the below blog:
Azure AD workload identity federation with AWS | Identity in the cloud by uday
- How to get PublisherId, OfferId , PlanId of AI foundry model?
- How to run yaml file from Azure cloud shell
- query_parameters with web queries
- Issue with azure web app runtime stack .NET 6
- Azure Maps Forward Geocoding and Route Matrix API - billing and cost perspective
- How to get a list of available vm sizes in an azure location
- SSL Verification failed while sending data via MQTT to x509 authenticated device in azure iot-hub
- Azure Container Apps Jobs with Event Hubs integration is looping endlessly, even though there is no new events
- In Service Fabric, can I alter the Arguments in the ServiceManifest.xml file using Application Parameters?
- use azurerm_virtual_machine with trusted_launch
- Which IPs to allow in Azure for Github Actions?
- How to get last login date & time for the logged in user in azure ad?
- Azure Policy - restrict creation of Front Door to Standard SKU Only
- Set-AzVirtualNetwork does not attach Nat Gateway to a subnet in Azure
- Signing an msi with AzureSignTool seems to work but "it is not in the Trusted Root Certification Authorities store."
- No such host is known - Mass Transit - Azure Service Bus
- Set default app pool recycling via command line
- Azure : How to create a event based trigger from SFTP server?
- Create a new cluster in Databricks using databricks-cli
- Accessing MS 365 content dynamically from a Python script
- Azure LogicApp reading messages from storage queue but not processing
- Azure python sdk resourcegraph no skip_token
- How can I copy the TXT record into the DNS configuration in portal azure?
- Getting the user's AcccountEnabled property true/false instead of NULL
- How to read my outlook mail using java and oauth2.0 with application regsitration in Azure AD
- Playwright driver not found error in Azure Function (Azure Portal - Flex consumption plan)
- Microsoft Azure App Gateway Returning 499/504 Erorr
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Azure Functions Service Bus Triggered not working
- Allow a custom content-type in Azure Front Door WAF without bypassing rules