Today, we are excited to announce an open-source project called Azure AD workload identity for Kubernetes. It leverages the public preview capability of Azure AD workload identity federation. With this project, developers can use native Kubernetes concepts of service accounts and federation to access Azure AD protected resources, such as Azure and Microsoft Graph, without needing secrets.
The existing Azure AD Pod Identity project addresses the same need. However, the Azure AD workload identity approach is simpler to use and deploy, and overcomes several limitations of Azure AD Pod Identity:
Removes the scale and performance issues that existed for identity assignment.
Avoids complicated and error-prone installation steps, such as cluster role assignment.
How does this work?
As shown in the following graphic, the Kubernetes cluster becomes a token issuer, issuing tokens to Kubernetes service accounts. An Azure AD application can be configured to trust these tokens (the trust is pinned to the cluster's issuer, the service account's subject, and the token's audience). A workload then exchanges its service account token for an Azure AD access token using the Azure Identity SDKs or the Microsoft Authentication Library (MSAL), so no client secret is ever stored in the cluster.
Azure AD workload identity federation for Kubernetes is currently supported only on Azure AD applications. We intend to extend the same model for Azure managed identities.
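The token flow described above, as an added example that is not part of this post or of the project's own code: a constructed stand-in for a Kubernetes projected service account token is decoded, its claims are checked against the three fields a federated identity credential pins (issuer, subject, audience), and the OAuth 2.0 client-credentials request that MSAL or Azure Identity would send to the Azure AD token endpoint is assembled. The issuer URL, namespace, service account name, tenant and client IDs are placeholders; the audience `api://AzureADTokenExchange` and the JWT-bearer client assertion type are the real values used by Azure AD workload identity federation. Nothing is sent over the network; the signature is a placeholder because Azure AD, not the workload, verifies it against the cluster's published OIDC keys.

```python
import base64
import json
import time

# Default audience Azure AD expects on a federated service account token.
AZURE_AD_TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
# RFC 7523 client assertion type used for the client-credentials exchange.
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_service_account_token(issuer, namespace, name, audience, exp):
    """Constructed stand-in for a projected service account token.

    A real token is RS256-signed by the cluster; the signature segment here is
    a placeholder since this example never verifies it (Azure AD does that).
    """
    header = {"alg": "RS256", "kid": "constructed-kid"}
    claims = {
        "iss": issuer,
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "aud": [audience],
        "iat": exp - 3600,
        "exp": exp,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": name}},
    }
    segments = [_b64url_encode(json.dumps(part).encode()) for part in (header, claims)]
    segments.append(_b64url_encode(b"constructed-signature"))
    return ".".join(segments)


def decode_claims(token: str) -> dict:
    """Return the JWT payload for inspection only; no signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def matches_federated_credential(claims, issuer, subject, audience, now=None):
    """Mirror the fields a federated identity credential pins, plus expiry.

    A token whose issuer, subject or audience differs from the credential
    (for example a service account in another namespace) must be rejected.
    """
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return (
        claims.get("iss") == issuer
        and claims.get("sub") == subject
        and audience in aud
        and claims.get("exp", 0) > now
    )


def build_token_exchange_request(tenant_id, client_id, sa_token, scope,
                                 authority_host="https://login.microsoftonline.com"):
    """Assemble (but do not send) the client-credentials request in which the
    service account token is presented as the client assertion."""
    url = f"{authority_host}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": sa_token,
    }
    return url, body


if __name__ == "__main__":
    # Placeholder issuer / tenant / client values; constructed for this example.
    issuer = "https://oidc.example.invalid/cluster"
    subject = "system:serviceaccount:default:workload-identity-sa"
    token = make_sample_service_account_token(
        issuer, "default", "workload-identity-sa",
        AZURE_AD_TOKEN_EXCHANGE_AUDIENCE, int(time.time()) + 3600)
    claims = decode_claims(token)
    print("trusted:", matches_federated_credential(
        claims, issuer, subject, AZURE_AD_TOKEN_EXCHANGE_AUDIENCE))
    url, body = build_token_exchange_request(
        "00000000-0000-0000-0000-000000000000",
        "11111111-1111-1111-1111-111111111111",
        token, "https://graph.microsoft.com/.default")
    print(url, body["client_assertion_type"])
```

In a real deployment the workload reads the projected token from the mounted file rather than constructing one, and hands it to the SDK, which performs the exchange and refreshes the token as the kubelet rotates it; the `matches_federated_credential` check shows what Azure AD enforces on its side, which is why a token from a different cluster, namespace or service account cannot be redeemed for the application's identity.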
In the coming months, we plan to replace Azure AD Pod Identity with Azure Workload Identity. Our goal is to let users who are already on Azure AD Pod Identity move to Azure Workload Identity with minimal changes.
We appreciate all input from the community. Please share any feedback or questions via GitHub issues or discussions. Your support will help shape the project to meet community needs for ensuring secure access to Azure AD protected resources from Kubernetes workloads.
Anish Ramasekar
Principal Software Engineer, Microsoft
Anish Ramasekar is a software engineer at Microsoft, where he works on the Azure Container Upstream team, building features for Kubernetes upstream and various CNCF projects that power Azure Kubernetes Service. He is a co-chair of Kubernetes SIG Auth and a maintainer of the Secrets Store CSI Driver project.
In 2018 we (re)-open-sourced MS‑DOS 1.25 and 2.11, and more recently in 2024 we were able to make the source for MS‑DOS 4.0 available to the public as well. Today, on 86-DOS 1.00’s 45th anniversary, we’re continuing that tradition with the earliest DOS source code discovered to date.
At KubeCon + CloudNativeCon Europe 2026 in Amsterdam, we're making announcements that reflect the goal of bringing the operational maturity of Kubernetes to today's workloads and demands.