From 6ed39fca73fafb3fb878427a55ed09ae1537bc1e Mon Sep 17 00:00:00 2001 From: Paul Van Eck Date: Thu, 22 Jan 2026 00:22:16 +0000 Subject: [PATCH 1/2] [Identity] TSG update for token binding Signed-off-by: Paul Van Eck --- sdk/identity/azure-identity/TROUBLESHOOTING.md | 1 + 1 file changed, 1 insertion(+) diff --git a/sdk/identity/azure-identity/TROUBLESHOOTING.md b/sdk/identity/azure-identity/TROUBLESHOOTING.md index a8521ccaf28b..c4f9a0f01057 100644 --- a/sdk/identity/azure-identity/TROUBLESHOOTING.md +++ b/sdk/identity/azure-identity/TROUBLESHOOTING.md @@ -277,6 +277,7 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net" | Error Message |Description| Mitigation | |---|---|---| |WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured|The `WorkloadIdentityCredential` requires `client_id`, `tenant_id` and `token_file_path` to authenticate with Microsoft Entra ID.| +|In an application using [Azure Kubernetes Service identity bindings](https://learn.microsoft.com/azure/aks/identity-bindings-concepts): |`WorkloadIdentityCredential` isn't configured to use the identity binding proxy|Set the `enable_azure_proxy` keyword argument to `True` when creating `WorkloadIdentityCredential`. ## Troubleshoot `AzurePipelinesCredential` authentication issues From 96580ee2832bc82c3f280860a74007c636fc4661 Mon Sep 17 00:00:00 2001 From: Paul Van Eck Date: Sat, 24 Jan 2026 01:43:33 +0000 Subject: [PATCH 2/2] Update formatting Signed-off-by: Paul Van Eck --- sdk/identity/azure-identity/TROUBLESHOOTING.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sdk/identity/azure-identity/TROUBLESHOOTING.md b/sdk/identity/azure-identity/TROUBLESHOOTING.md index c4f9a0f01057..148f2e0544da 100644 --- a/sdk/identity/azure-identity/TROUBLESHOOTING.md +++ b/sdk/identity/azure-identity/TROUBLESHOOTING.md 
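Review bot: in the row added by PATCH 1/2 (`+|In an application using [Azure Kubernetes Service identity bindings](...): |...`), the Error Message cell ends at the colon with no error text after it, so a reader who hits the failure has nothing to match against; list the actual messages in that cell (PATCH 2/2 later supplies `AADSTS700211` and `AADSTS700212`) or move the scenario into its own table with a heading that names it. The added row also has no closing `|` after the mitigation cell, unlike the row PATCH 2/2 adds, so the two versions render inconsistently if only this patch is applied.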
@@ -276,8 +276,13 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net" | Error Message |Description| Mitigation | |---|---|---| -|WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured|The `WorkloadIdentityCredential` requires `client_id`, `tenant_id` and `token_file_path` to authenticate with Microsoft Entra ID.|
  • If using `DefaultAzureCredential` then:
    • Ensure client ID is specified via the `workload_identity_client_id` keyword argument or the `AZURE_CLIENT_ID` env variable.
    • Ensure tenant ID is specified via the `AZURE_TENANT_ID` env variable.
    • Ensure token file path is specified via `AZURE_FEDERATED_TOKEN_FILE` env variable.
    • Ensure authority host is specified via `AZURE_AUTHORITY_HOST` env variable.
  • If using `WorkloadIdentityCredential` then:
    • Ensure tenant ID is specified via the `tenant_id` keyword argument or the `AZURE_TENANT_ID` env variable.
    • Ensure client ID is specified via the `client_id` keyword argument or the `AZURE_CLIENT_ID` env variable.
    • Ensure token file path is specified via the `token_file_path` keyword argument or the `AZURE_FEDERATED_TOKEN_FILE` environment variable.
  • Consult the [product troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for other issues.
-|In an application using [Azure Kubernetes Service identity bindings](https://learn.microsoft.com/azure/aks/identity-bindings-concepts):
  • AADSTS700211: No matching federated identity record found for presented assertion issuer ...
  • AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AKSIdentityBinding'.
|`WorkloadIdentityCredential` isn't configured to use the identity binding proxy|Set the `enable_azure_proxy` keyword argument to `True` when creating `WorkloadIdentityCredential`. +|WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured|The `WorkloadIdentityCredential` requires `client_id`, `tenant_id` and `token_file_path` to authenticate with Microsoft Entra ID.|
  • If using `DefaultAzureCredential` then:
    • Ensure client ID is specified via the `workload_identity_client_id` keyword argument or the `AZURE_CLIENT_ID` env variable.
    • Ensure tenant ID is specified via the `AZURE_TENANT_ID` env variable.
    • Ensure token file path is specified via `AZURE_FEDERATED_TOKEN_FILE` env variable.
    • Ensure authority host is specified via `AZURE_AUTHORITY_HOST` env variable.
  • If using `WorkloadIdentityCredential` then:
    • Ensure tenant ID is specified via the `tenant_id` keyword argument or the `AZURE_TENANT_ID` env variable.
    • Ensure client ID is specified via the `client_id` keyword argument or the `AZURE_CLIENT_ID` env variable.
    • Ensure token file path is specified via the `token_file_path` keyword argument or the `AZURE_FEDERATED_TOKEN_FILE` environment variable.
  • Consult the [product troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for other issues.
| + +#### `ClientAuthenticationError` for applications using [Azure Kubernetes Service identity bindings](https://learn.microsoft.com/azure/aks/identity-bindings-concepts) + +| Error Message |Description| Mitigation | +|---|---|---| +|
  • AADSTS700211: No matching federated identity record found for presented assertion issuer ...
  • AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AKSIdentityBinding'.
|`WorkloadIdentityCredential` isn't configured to use the identity binding proxy|Set the `enable_azure_proxy` keyword argument to `True` when creating `WorkloadIdentityCredential`. Note that identity binding mode isn't supported when `WorkloadIdentityCredential` is used via `DefaultAzureCredential`. `WorkloadIdentityCredential` should be used directly in this scenario.| ## Troubleshoot `AzurePipelinesCredential` authentication issues
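Review bot: the new `#### ClientAuthenticationError for applications using [Azure Kubernetes Service identity bindings](...)` table tells the user what to set but not why, and the quoted error text already contains the reason; suggest adding to the Description cell a sentence along the lines of: the presented assertion carries audience `api://AKSIdentityBinding`, which is meant for the identity binding proxy, so Microsoft Entra ID finds no matching federated identity record when the credential sends the token directly, and `enable_azure_proxy=True` routes the request through the proxy instead. Two smaller points on the same hunk: the heading embeds a markdown link, whereas the other heading visible here (`## Troubleshoot `AzurePipelinesCredential` authentication issues`) is plain text, so keep the heading plain and put the link in the cell or in an intro line under it; and the caveat that identity binding mode isn't supported when `WorkloadIdentityCredential` is used via `DefaultAzureCredential` appears only in the new table, while the "If using `DefaultAzureCredential` then:" bullets in the rebuilt `WorkloadIdentityCredential authentication unavailable` row say nothing about it, so a one-line pointer there would help users who start from `DefaultAzureCredential` and only see the AADSTS errors.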