Summary
The goal is to use MSAL (Microsoft Authentication Library) to obtain an OAuth2/OIDC access token for a user-assigned managed identity (B) that lives in a different tenant (T2) from the calling workload's tenant (T1); the workload itself runs as its own user-assigned managed identity (A). The token will be used to authenticate to the Azure DevOps REST API.
Root Cause
The main challenge is the cross-tenant federated authentication scenario: identity A in tenant T1 needs a token for identity B in tenant T2, but a managed identity can only obtain tokens directly from its own home tenant, so the cross-tenant hop has to go through a federation (token exchange) step. The current implementation uses PAT (Personal Access Token) authentication, which is not allowed in the new execution environment; PATs are long-lived, user-bound bearer secrets that must be stored and rotated, which is why such policies steer workloads toward managed identities.
Why This Happens in Real Systems
This issue occurs in real systems when:
- Multiple components need to interact with different services across different tenants
- User-managed identities are used for authentication and authorization
- Cross-tenant federation is required to enable communication between these components
- Security policies prohibit the use of PAT tokens in certain environments
Real-World Impact
The impact of this issue includes:
- Inability to authenticate with the Azure DevOps REST API using OAuth2/OIDC tokens
- Limited flexibility in implementing cross-tenant federation scenarios
- Increased complexity in managing user-managed identities and their interactions
Example or Code
using Microsoft.Identity.Client;

// Managed identity application for user-assigned identity A (client id is a placeholder).
IManagedIdentityApplication app = ManagedIdentityApplicationBuilder.Create(
        ManagedIdentityId.WithUserAssignedClientId("00000000-0000-0000-0000-000000000000"))
    .Build();

// AcquireTokenForManagedIdentity returns an AuthenticationResult; its argument is the
// resource (audience) the token is requested for.
AuthenticationResult result = await app.AcquireTokenForManagedIdentity("...")
    .ExecuteAsync()
    .ConfigureAwait(false);
return result.AccessToken;
How Senior Engineers Fix It
To resolve this issue, senior engineers should:
- Understand the MSAL library and its capabilities
- Configure the user-managed identities correctly, including federated credentials
- Use the correct arguments when building the ManagedIdentityApplicationBuilder and calling AcquireTokenForManagedIdentity
- Ensure cross-tenant federation is properly set up and configured
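The steps above, carried through as one worked example. This is added example code, not code from the original page or from MSAL's documentation, and it rests on some assumptions: identity A is a user-assigned managed identity in T1 (its client id is passed in as a placeholder); identity B is represented in T2 by an application registration whose federated identity credential trusts A (issuer = T1's login authority, subject = A's principal id), so `identityBClientId` is that registration's client id; the Azure DevOps organization name is a placeholder. The Azure DevOps application id and the `api://AzureADTokenExchange` audience are the public Entra ID constants for this flow. The `WithClientAssertion` delegate overload requires a recent MSAL.NET 4.x release.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class CrossTenantDevOpsAuth
{
    // Audience used for Entra ID workload identity federation token exchange.
    private const string TokenExchangeResource = "api://AzureADTokenExchange";

    // Well-known application id of Azure DevOps; "/.default" requests the roles granted to B.
    private const string AzureDevOpsScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    public static async Task<string> AcquireDevOpsTokenAsync(
        string identityAClientId,   // user-assigned managed identity A in T1 (placeholder value)
        string tenantT2Id,          // target tenant T2 (placeholder value)
        string identityBClientId,   // app registration in T2 whose FIC trusts A (assumption)
        CancellationToken ct)
    {
        // Step 1: MSAL managed identity client for A. Note the audience: A's token is for the
        // token-exchange resource, not for Azure DevOps, because a managed identity can only
        // get tokens from its own home tenant (T1).
        IManagedIdentityApplication miApp = ManagedIdentityApplicationBuilder
            .Create(ManagedIdentityId.WithUserAssignedClientId(identityAClientId))
            .Build();

        // Step 2: Confidential client for B in T2. No client secret or certificate is stored;
        // the client assertion is A's managed identity token, which T2 validates against B's
        // federated identity credential (issuer/subject match). The delegate runs on every
        // token request, so a fresh assertion is fetched instead of reusing an expired one.
        IConfidentialClientApplication bApp = ConfidentialClientApplicationBuilder
            .Create(identityBClientId)
            .WithTenantId(tenantT2Id)
            .WithClientAssertion(async (AssertionRequestOptions options, CancellationToken token) =>
            {
                AuthenticationResult miResult = await miApp
                    .AcquireTokenForManagedIdentity(TokenExchangeResource)
                    .ExecuteAsync(token)
                    .ConfigureAwait(false);
                return miResult.AccessToken;
            })
            .Build();

        // Step 3: Token for Azure DevOps, issued by T2 for B. MSAL caches it until near expiry,
        // so repeated calls do not hit the token endpoint each time.
        AuthenticationResult devOpsResult = await bApp
            .AcquireTokenForClient(new[] { AzureDevOpsScope })
            .ExecuteAsync(ct)
            .ConfigureAwait(false);

        return devOpsResult.AccessToken;
    }

    // Step 4: Call the REST API with the bearer token instead of a PAT.
    public static async Task<string> ListProjectsAsync(
        HttpClient http, string accessToken, string organization, CancellationToken ct)
    {
        using var request = new HttpRequestMessage(
            HttpMethod.Get,
            $"https://dev.azure.com/{organization}/_apis/projects?api-version=7.1");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using HttpResponseMessage response = await http.SendAsync(request, ct).ConfigureAwait(false);

        // A 401 here usually means the FIC subject/issuer does not match A, or the token
        // audience is wrong; a 403 usually means B has not been granted access in the
        // Azure DevOps organization.
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync(ct).ConfigureAwait(false);
    }
}
```

Two configuration checks make or break this flow: the federated identity credential on B must name T1's authority as issuer and A's principal (object) id as subject, and B (the service principal in T2) must be added to the Azure DevOps organization with the permissions the REST calls need. Neither is something the code can work around, which is why the failures surface as 401/403 from Azure DevOps rather than as MSAL exceptions.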
Why Juniors Miss It
Junior engineers may miss this issue due to:
- Lack of experience with MSAL and OAuth2/OIDC authentication
- Insufficient understanding of cross-tenant federation and user-managed identities
- Difficulty in configuring and troubleshooting Azure DevOps REST API authentication
- Limited knowledge of security policies and their implications on authentication mechanisms