az identity create: User-Assigned Managed Identity
az identity create provisions a user-assigned managed identity, the modern target for federated OIDC logins.
For keyless GitHub Actions auth you federate a managed identity (or app registration) to your repo. identity create makes the identity; a federated credential ties it to the workflow.
What it does
az identity create provisions a user-assigned managed identity and returns its clientId and principalId. You then add a federated credential subjecting it to a specific GitHub repo and ref, and grant it roles, so azure/login can exchange an OIDC token for Azure access with no secret.
Common usage
az identity create \
--name id-ci --resource-group rg-app \
--query "{clientId:clientId, principalId:principalId}" -o json
# federate it to a GitHub workflow on main
az identity federated-credential create \
--name gh-main --identity-name id-ci -g rg-app \
--issuer https://token.actions.githubusercontent.com \
--subject repo:org/repo:ref:refs/heads/main \
--audiences api://AzureADTokenExchangeSubcommands and flags
| Subcommand / Flag | What it does |
|---|---|
| identity create | Create the user-assigned identity |
| identity federated-credential create | Add an OIDC federation subject |
| --issuer | token.actions.githubusercontent.com for GitHub |
| --subject | repo:org/repo:ref:... or environment binding |
| --audiences | api://AzureADTokenExchange |
In CI
Feed the returned clientId to azure/login as client-id along with tenant-id and subscription-id, with no client secret. The --subject must match the workflow exactly (branch, tag, pull_request, or environment) or the token exchange is rejected. Grant the identity its roles with az role assignment create.
Common errors in CI
In the workflow, "AADSTS70021: No matching federated identity record found for presented assertion subject" means the --subject does not match the running ref; align it (e.g. ref:refs/heads/main vs pull_request). "AADSTS700016" means a wrong client-id. "AuthorizationFailed" after login means the identity has no role assignment yet.