Migrated GitHub Actions authentication from client secrets to OIDC

Author: Vamshi-Microsoft

.github/workflows/CI.yml

@@ -16,6 +16,7 @@ on:
   schedule:
     - cron: "0 10,22 * * *" # Runs at 10:00 AM and 10:00 PM GMT
 permissions:
+  id-token: write
   contents: read
   actions: read
 env:
@@ -25,6 +26,7 @@ env:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: production
     outputs:
       RESOURCE_GROUP_NAME: ${{ steps.get_webapp_url.outputs.RESOURCE_GROUP_NAME }}
       KUBERNETES_RESOURCE_GROUP_NAME: ${{ steps.get_webapp_url.outputs.KUBERNETES_RESOURCE_GROUP_NAME }}
@@ -78,6 +80,14 @@ jobs:
         with:
           driver: docker
 
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+
       - name: Run Quota Check
         id: quota-check
         shell: pwsh
@@ -105,9 +115,6 @@ jobs:
           }
         env:
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
           GPT_MIN_CAPACITY: ${{ env.GPT_CAPACITY }}
           TEXT_EMBEDDING_MIN_CAPACITY: ${{ env.TEXT_EMBEDDING_CAPACITY }}
           AZURE_REGIONS: "${{ vars.AZURE_REGIONS }}"
@@ -158,11 +165,6 @@ jobs:
           echo "RESOURCE_GROUP_NAME=${UNIQUE_RG_NAME}" >> $GITHUB_ENV
           echo "Generated RESOURCE_GROUP_NAME: ${UNIQUE_RG_NAME}"
 
-      - name: Login to Azure
-        run: |
-          az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
       - name: Check and Create Resource Group
         id: check_create_rg
         run: |
@@ -252,11 +254,8 @@ jobs:
           Write-Host "Resource Group Name is ${{ env.RESOURCE_GROUP_NAME }}"
           Write-Host "Kubernetes resource group is ${{ env.AZURE_AKS_NAME }}"
         env:
-          # From GitHub secrets (for login)
+          # From GitHub secrets
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          AZURE_TENANT_ID:       ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_ID:       ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET:   ${{ secrets.AZURE_CLIENT_SECRET }}
 
           # From deployment outputs step (these come from $GITHUB_ENV)
           RESOURCE_GROUP_NAME:          ${{ env.RESOURCE_GROUP_NAME }}
@@ -292,10 +291,9 @@ jobs:
           if az account show &> /dev/null; then
             echo "Azure CLI is authenticated."
           else
-            echo "Azure CLI is not authenticated. Logging in..."
-            az login --service-principal --username ${{ secrets.AZURE_CLIENT_ID }} --password ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
+            echo "Azure CLI is not authenticated. Please check the OIDC login step."
+            exit 1
           fi
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
           # Get the Web App URL and save it to GITHUB_OUTPUT
           echo "Retrieving Web App URL..."
@@ -393,6 +391,7 @@ jobs:
     if: always()
     needs: [deploy, e2e-test]
     runs-on: ubuntu-latest
+    environment: production
     env:
       RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
       KUBERNETES_RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.KUBERNETES_RESOURCE_GROUP_NAME }}
@@ -402,10 +401,11 @@ jobs:
 
     steps:
       - name: Login to Azure
-        shell: bash
-        run: |
-          az login --service-principal --username ${{ secrets.AZURE_CLIENT_ID }} --password ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Delete Resource Groups
         if: env.RESOURCE_GROUP_NAME != ''

.github/workflows/deploy-orchestrator.yml

@@ -77,7 +77,8 @@ jobs:
     secrets: inherit
 
   send-notification:
-    if: "!cancelled()"
+    # if: "!cancelled()"
+    if: false # Temporarily disable notification job
     needs: [deploy, e2e-test]
     uses: ./.github/workflows/job-send-notification.yml
     with:

.github/workflows/deploy-linux.yml .github/workflows/deploy-v2.yml.github/workflows/deploy-linux.yml renamed to .github/workflows/deploy-v2.yml

@@ -68,6 +68,11 @@ on:
         default: ''
         type: string
 
+permissions:
+  id-token: write
+  contents: read
+  actions: read
+
 jobs:
   validate-inputs:
     name: Validate Input Parameters

.github/workflows/job-cleanup-deployment.yml

@@ -40,6 +40,7 @@ on:
 jobs:
   cleanup-deployment:
     runs-on: ubuntu-latest
+    environment: production
     continue-on-error: true
     env:
       RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
@@ -150,10 +151,11 @@ jobs:
           az --version
 
       - name: Login to Azure
-        shell: bash
-        run: |
-          az login --service-principal --username ${{ secrets.AZURE_CLIENT_ID }} --password ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Delete Resource Group (Optimized Cleanup)
         id: delete_rg

.github/workflows/job-deploy-linux.yml

@@ -36,6 +36,7 @@ on:
 jobs:
   deploy-linux:
     runs-on: ubuntu-latest
+    environment: production
     env:
       AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
     outputs:
@@ -221,10 +222,15 @@ jobs:
         uses: Azure/setup-azd@v2
 
       - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Login to azd
         run: |
-          az login --service-principal --username ${{ secrets.AZURE_CLIENT_ID }} --password ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --client-secret ${{ secrets.AZURE_CLIENT_SECRET }} --tenant-id ${{ secrets.AZURE_TENANT_ID }}
+          azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --federated-credential-provider "github" --tenant-id ${{ secrets.AZURE_TENANT_ID }}
 
 
       - name: Deploy using azd up
@@ -299,15 +305,20 @@ jobs:
               echo "AKS node resource group: $krg_name"
             fi
           fi
+      
+      - name: Login to Azure to refresh credentials for subsequent steps
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
 
       - name: Run Deployment Script with Input
         shell: pwsh
         env:
-          # From GitHub secrets (for login)
+          # From GitHub secrets
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          AZURE_TENANT_ID:       ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_ID:       ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET:   ${{ secrets.AZURE_CLIENT_SECRET }}
 
           # From workflow inputs and deployment outputs
           RESOURCE_GROUP_NAME:          ${{ inputs.RESOURCE_GROUP_NAME }}

.github/workflows/job-deploy.yml

@@ -85,6 +85,7 @@ jobs:
     name: Azure Setup
     if: inputs.trigger_type != 'workflow_dispatch' || inputs.existing_webapp_url == '' || inputs.existing_webapp_url == null
     runs-on: ubuntu-latest
+    environment: production
     outputs:
       RESOURCE_GROUP_NAME: ${{ steps.check_create_rg.outputs.RESOURCE_GROUP_NAME }}
       ENV_NAME: ${{ steps.generate_env_name.outputs.ENV_NAME }}
@@ -244,10 +245,12 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Login to Azure
-        shell: bash
-        run: |
-          az login --service-principal --username ${{ secrets.AZURE_CLIENT_ID }} --password ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
 
       - name: Run Quota Check
         id: quota-check
@@ -275,9 +278,6 @@ jobs:
           }
         env:
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
           GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
           TEXT_EMBEDDING_MIN_CAPACITY: ${{ env.TEXT_EMBEDDING_MIN_CAPACITY }}
           AZURE_REGIONS: "${{ vars.AZURE_REGIONS }}"

.github/workflows/test-automation-v2.yml

@@ -28,6 +28,7 @@ env:
 jobs:
   test:
     runs-on: ubuntu-latest
+    environment: production
     outputs:
       TEST_SUCCESS: ${{ steps.test1.outcome == 'success' || steps.test2.outcome == 'success' || steps.test3.outcome == 'success' }}
       TEST_REPORT_URL: ${{ steps.upload_report.outputs.artifact-url }}
@@ -41,13 +42,11 @@ jobs:
           python-version: '3.13'
 
       - name: Login to Azure
-        env:
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-        run: |
-          az login --service-principal --username "$AZURE_CLIENT_ID" --password "$AZURE_CLIENT_SECRET" --tenant "$AZURE_TENANT_ID"
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Install dependencies
         run: |

.github/workflows/test-automation.yml

@@ -15,9 +15,6 @@ on:
 env:
     url: ${{ inputs.DKM_URL }}
     accelerator_name: "DKM"
-permissions:
-  contents: read
-  actions: read
 jobs:
   test:
     runs-on: ubuntu-latest

Deployment/checkquota.ps1

@@ -8,24 +8,20 @@ Write-Output "📍 Processed Regions: $($REGIONS -join ', ')"
 $SUBSCRIPTION_ID = $env:AZURE_SUBSCRIPTION_ID
 $GPT_MIN_CAPACITY = $env:GPT_MIN_CAPACITY
 $TEXT_EMBEDDING_MIN_CAPACITY = $env:TEXT_EMBEDDING_MIN_CAPACITY
-$AZURE_CLIENT_ID = $env:AZURE_CLIENT_ID
-$AZURE_TENANT_ID = $env:AZURE_TENANT_ID
-$AZURE_CLIENT_SECRET = $env:AZURE_CLIENT_SECRET
-
-# Authenticate using Service Principal
-Write-Host "Authentication using Service Principal..."
 # Ensure Azure PowerShell module is installed and imported
 Install-Module -Name Az -AllowClobber -Force -Scope CurrentUser
 Import-Module Az
 
-# Create a PSCredential object for authentication
-$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AZURE_CLIENT_ID, (ConvertTo-SecureString $AZURE_CLIENT_SECRET -AsPlainText -Force)
-
-# Attempt to connect using Service Principal
+# Verify existing Azure session (authentication is handled by the caller workflow via OIDC)
 try {
-    Connect-AzAccount -ServicePrincipal -TenantId $AZURE_TENANT_ID -Credential $creds
+    $context = Get-AzContext
+    if (-not $context) {
+        Write-Host "❌ Error: No active Azure session found. Ensure the caller workflow authenticates via azure/login@v2 with enable-AzPSSession: true."
+        exit 1
+    }
+    Write-Host "✅ Using existing Azure session: $($context.Account.Id)"
 } catch {
-    Write-Host "❌ Error: Failed to authenticate using Service Principal. $_"
+    Write-Host "❌ Error: Failed to verify Azure session. $_"
     exit 1
 }
 

Deployment/resourcedeployment.ps1

@@ -120,11 +120,14 @@ function LoginAzure([string]$tenantId, [string]$subscriptionID) {
         }
     }
     if ($env:CI -eq "true"){
-        az login --service-principal `
-            --username $env:AZURE_CLIENT_ID `
-            --password $env:AZURE_CLIENT_SECRET `
-            --tenant $env:AZURE_TENANT_ID `
-        Write-Host "CI deployment mode"
+        # Authentication is handled by the caller workflow via OIDC (azure/login@v2)
+        $account = az account show 2>&1
+        if ($LASTEXITCODE -ne 0) {
+            Write-Host "❌ Error: No active Azure CLI session found. Ensure the caller workflow authenticates via azure/login@v2." -ForegroundColor Red
+            failureBanner
+            exit 1
+        }
+        Write-Host "CI deployment mode - using existing OIDC session"
     }
     else{
         az login --tenant $tenantId