Posts

TL;DR Use my demo OpenID Connect provider to test workload identity federation in Entra ID. Use my Terraform module and example to create an Azure AD application with federated identity credentials. Play with workload identity federation without the need for secrets. Integrate your workloads with external identity providers like GitHub or Kubernetes. Introduction No more secrets! It is 2025, and our identity operations should be more secure and easier to manage. Microsoft Entra ID Workload Identity Federation enables you to utilise external identity providers (such as GitHub, Workload on Kubernetes cluster, SPIFFE, or SPIRE) to authenticate workloads without requiring secrets. In this post, I’ll guide you through setting up federated identity credentials in Entra ID using a custom OIDC provider and Terraform. ...

No more Custom Policies & Identity Experience Framework With the new Entra External ID and Entra ID, we can use the built-in policies for authentication. Entra External ID technical details and requirements: authentication method must be supported by the tenant; no custom authentication methods via user flow, we can select a password or OTP (one-time password) method. no custom methods like magic link or passwordless (yet!) no ADMIN API to authenticate users; no API connector to use external API for authentication; Compare User with password and OTP ...

Changelog 2025-04-09 - initial version 2025-04-11 - updated with AADInternals OSINT tool Tenant public information Your tenant-id With the page https://www.whatismytenantid.com/, you can find your TenantID How does it work? We can check the Network tab of the browser and find a query to the OpenID Configuration endpoint based on the domain: https://login.microsoftonline.com/{{YOUR-DOMAIN-HERE}}/.well-known/openid-configuration ^ We can also find a tenant location with the tenant_region_scope field. ^ Whatismytenantid doesn’t work? You can get the same from the website https://gettenantpartitionweb.azurewebsites.net/! ...

Identity Provider Story Basic assumptions: in-browser authentication, with OAuth2/OpenID Connect (but also applicable for SAML), for Web, SPA and Mobile applications. Let’s start with a story: The user enters the address ‘https://portal.my-company.com’ to check company news; without an active session in the application (cookie or token), the application will be redirected to the Identity Provider (IdP) - authentication is required. After the identity verification and authorization, an IdP session will be created and the user redirected to the application. ...

TR;DR We often use https://www.minuteinbox.com/ to test CIAM solutions with unique email addresses, but is it perfect? With our domain and OpenTrashmail, we can improve our solution. After a year or two, we can still activate the old account (reset password or OTP access) - it is not possible via 10 min mail (the domain for email is changing, and the old one is not accessible). Setting Up OpenTrashmail with Your Domain for E2E Testing Email testing is often a critical part of end-to-end (E2E) testing for applications that send notifications, verification codes, or other important communications. Running our disposable email service gives you full control over test mailboxes and simplifies your testing workflow. Here’s how to set up OpenTrashmail: ...

What is Token Enrichment? Entra External ID token enrichment is a process where additional claims, attributes, or context are added to authentication tokens (ID Token, Access Token or both) during the authentication flow. This enrichment enhances the security token with supplementary information that can be useful for authorization decisions and user context. Common examples include: Customer ID from your CRM system User ID from an external profile store Authorization context from your application Role information from Fine-Grained Authorization systems like OpenFGA The enrichment happens through a REST API call with a fixed contract defined by the Entra ID team. At the end of this post, you’ll find the complete API contract specification. ...

TL;DR I’m using AI tools to generate code for my projects. Here I want to show you GitHub Copilot, Bolt, Aider, and GitHub Copilot Workspace. I’m happy with the results from Aider with the Claude AI model, and Bolt is perfect for generating a nice starting point for my front-end projects. GitHub Copilot is ideal for small code snippets. Introduction Happy New Year! This post will be my summary and notes on how I use AI daily as a software developer, or maybe it will be better to name it proof of concept or demo developer ;) I will focus only on the tools that help me write/generate the code. ...

Make life easier with Entra ID as Code TL;DR It is the end of 2024; daily, we use the following: CI/CD pipelines for infrastructure as code (IaC) deployment to create Services, Applications, Storages, etc, permissions (RBAC) from resources to resources (App Service WebApp1 should read Blob Storage WebApp1Storage), secrets, we hate them, but we found a solution to avoid secrets with Managed Identity and Workload Identity solutions, What is the plan for us? We will use Azure Portal and Entra ID blade to manage our applications, permissions, and secrets. We can create and update our app registrations via the browser. Can we improve our Entra ID and Entra External ID with IaC, as shown in the screenshot (Picture 1) below? ...

Blue-green deployment starter pack. TL;DR I want to share a simple way to start with blue-green deployment. From the diagram to the working solution. Please check my sample GitHub repository with the bicep sample for Azure FrondDoor and Azure App Service (two instances). Reason I want to start with the meme - but it is not - it is a real case! Do you want to check the newest .Net Framework with your (legacy) application? Or do you want to test a clean deployment process for your infrastructure? In the perfect scenario, 100% test coverage and integration and E2E tests for each service and delivery team will bring you 99.99% confidence in the deployment process. But in the real world, I’m not blaming, but the standard case is that a secret, password, or production endpoint can fail and disable the whole application for seconds, minutes, or hours. ...

Welcome to the Magic World Technical Details Magic Link - (link with the magic) - like the name is a URL - a link to the action (Internet page). Example : https://corp.io/sign-in?id_token_hint=bWFnaWMgbGluaw== (decode the token from Base64 to see what is inside). To make the public communication secured - a common implementation is JWT (Json Web Token) with JWKS (Json Web Key Sets). The payload is JSON - easy to interpret. ...