Entra Cross-Tenant Trust Using Managed Identity Secret-Free Approach
In this video, we experiment with a new (as of December 2024) Microsoft Entra preview feature that allows configuring an application to trust a managed identity from another tenant.
This feature enables exchanging a managed identity token for an access token to interact with Microsoft Entra-protected resources — all without needing app secrets.
This capability is especially useful in scenarios where maintaining secrets is impractical or poses a security risk. For example, a workload in Tenant A can securely access resources in Tenant B using only its managed identity, simplifying cross-tenant integrations.
In the video, we walk through the steps to set this up and explore key considerations for using this feature and its current limitations.
This builds on concepts discussed in my February 2022 video "Azure Active Directory Workload Identity Federation with external OIDC IdP".
You can find the sample code used in this demo at https://github.com/arsenvlad/entra-cross-tenant-app-fic-managed-identity.
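The two-step exchange described above, written out as an added example (this is not the sample code from the repository linked here): step 1 fetches the managed identity token from IMDS inside the Tenant A workload, step 2 presents that token as the client_assertion to Tenant B's token endpoint. The tenant and app ids are constructed placeholders, and the local sub/aud check against the federated identity credential (FIC) is a diagnostic I added, not part of the feature.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder ids (not real tenants); replace with your own values.
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000000"        # owns the app registration with the FIC
APP_CLIENT_ID = "aaaaaaaa-0000-0000-0000-000000000000"   # app in Tenant B that trusts the MI
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"          # audience Entra expects on federated tokens

def imds_token_request(resource=EXCHANGE_AUDIENCE, client_id=None):
    """Step 1: the IMDS GET a workload in Tenant A sends to obtain a managed identity token.
    Returns (url, headers); the HTTP call itself must run inside the Azure workload."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:  # user-assigned identity; omit for system-assigned
        params["client_id"] = client_id
    return "http://169.254.169.254/metadata/identity/oauth2/token?" + urlencode(params), {"Metadata": "true"}

def jwt_claims(token):
    """Decode a JWT payload WITHOUT signature verification (local diagnostics only;
    the token is still fully validated by Entra when it is presented)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def fic_mismatches(mi_token, fic):
    """Compare the MI token's sub/aud with the federated identity credential (FIC) configured
    on the Tenant B app; any mismatch means Entra will reject the exchange."""
    claims = jwt_claims(mi_token)
    problems = []
    if claims.get("sub") != fic["subject"]:        # subject = MI principal (object) id
        problems.append("subject")
    if claims.get("aud") not in fic["audiences"]:  # audience = api://AzureADTokenExchange
        problems.append("audience")
    return problems

def token_exchange_request(mi_token, scope, tenant=TENANT_B, client_id=APP_CLIENT_ID):
    """Step 2: the client-credentials POST to Tenant B that presents the MI token as the
    client_assertion in place of a client secret or certificate."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": mi_token}
    return url, body

def constructed_jwt(claims):
    """Build an unsigned, constructed JWT so the example runs offline (Entra would never accept it)."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"

if __name__ == "__main__":
    fic = {"subject": "mi-principal-id-placeholder", "audiences": [EXCHANGE_AUDIENCE]}
    token = constructed_jwt({"sub": "mi-principal-id-placeholder", "aud": EXCHANGE_AUDIENCE})
    print("FIC mismatches:", fic_mismatches(token, fic))
    print(token_exchange_request(token, "https://graph.microsoft.com/.default")[0])
```

In a real workload, replace `constructed_jwt` with the `access_token` returned by the IMDS call and POST the step 2 body as form data; the FIC on the Tenant B app must list the MI's principal id as subject and `api://AzureADTokenExchange` as audience for the exchange to succeed.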
Video Walkthrough
Tip: Play the video full screen.
Supported Scenario
Not Supported Scenarios
Thank you!
I’d love to hear your thoughts on this feature and how you might use it in your projects.
Please let me know in the comments below, on the YouTube video, or on https://x.com/ArsenVlad