I would like to establish a user assigned managed identity with my azure subscription which has access to various resources (namely, a keyvault).
How do I configure Federated Identity Credentials on this managed identity such that AEMaaCS can leverage it to communicate with my azure resources?
Alternatively, is there any way to connect AEMaaCS to Azure Services without a Client Secret or pinned Client Certificate?
To connect Adobe Experience Manager as a Cloud Service (AEMaaCS) to Azure services, such as Azure Key Vault, using a user-assigned managed identity and federated identity credentials, you can avoid using client secrets or pinned client certificates by leveraging Azure's workload identity federation features.
Try the steps below:
1. Create a User-Assigned Managed Identity
az identity create --name aem-identity --resource-group my-rg --location eastus
2. Assign the Managed Identity the Required Permissions (for example, give it access to Key Vault)
az keyvault set-policy --name my-keyvault --object-id <object-id> --secret-permissions get
3. Configure a Federated Identity Credential
In the Azure portal, navigate to your user-assigned managed identity.
4. Configure AEMaaCS to Issue Tokens
But please note IdP guest users (external users on a different domain to the main enterprise) are not supported as IMS federated ID users. Thus, guest/external users cannot be used to authenticate from AEMaaCS to Azure via federated identity credentials.
If you need to allow external users or systems to access Azure resources, you must:
Issue them identities on your claimed domain or
Use a different authentication mechanism (such as service principals with client secrets/certificates, or Azure AD app registrations).
Please go through the documentation links below too:
Hope this helps!
Regards,
Rohan Garg
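As an added example (not from the original post, and not Adobe's or Azure's own code), here is the part the steps above leave implicit once the federated identity credential (FIC) exists: whether an incoming assertion's iss/sub/aud claims would actually match the FIC, and what the secret-less token request to Entra ID looks like. The issuer, subject, tenant and client values are constructed placeholders; the real issuer and subject are whatever the token-issuing IdP on the AEMaaCS side puts in its JWTs.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # fixed audience Entra ID expects on FIC assertions

# Constructed FIC with placeholder issuer/subject; in practice these are
# whatever the token-issuing IdP on the AEMaaCS side puts in its JWTs.
SAMPLE_FIC = {
    "issuer": "https://idp.example.invalid",
    "subject": "aem-program-placeholder",
    "audiences": [TOKEN_EXCHANGE_AUDIENCE],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding

def make_sample_jwt(claims: dict) -> str:
    # Constructed, unsigned token for local inspection only; a real assertion is
    # signed by the IdP and Entra ID verifies that signature against the IdP's JWKS.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def jwt_claims(token: str) -> dict:
    # Payload decode only (no signature check): enough to pre-check which FIC an assertion would match.
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))

def fic_matches(claims: dict, fic: dict) -> bool:
    # Entra ID honours the assertion only if iss and sub equal the FIC's issuer and
    # subject exactly and aud contains one of the FIC's audiences.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == fic["issuer"]
            and claims.get("sub") == fic["subject"]
            and any(a in fic["audiences"] for a in auds))

def token_exchange_request(tenant_id: str, client_id: str, assertion: str) -> dict:
    # client_credentials grant carrying a JWT bearer client assertion instead of
    # client_secret; the scope targets Key Vault's data plane.
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": "https://vault.azure.net/.default",
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    }
    return {"url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
            "body": urlencode(body)}
```

A mismatch on any of issuer, subject or audience is the usual reason a federated exchange fails, so checking the three claims against the FIC before sending the request saves a round of opaque AADSTS errors.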
@Shubham_borole, @Rohan_Garg, @Saravanan_Dharmaraj, @Sady_Rifat, @ShaggySPFLD, @Mahedi_Sabuj, @djohn98390536 Whenever you have a moment, please check out this question and share your knowledge!
@dylanmccurry Did you find the suggestions helpful? If you need more information, please let us know. If a response resolved your issue, kindly mark it as correct to help others in the future. Alternatively, if you discovered a solution on your own, we'd appreciate it if you could share it with the community. Thank you!