Use Workload Identity for secretless authentication when Jenkins runs in an environment that provides OIDC-based federated credentials (e.g. Kubernetes or any custom OIDC identity provider).

Prerequisites:

When this option is selected, no Client Secret or Certificate is required. The plugin reads the federated token from the file path specified in the AZURE_FEDERATED_TOKEN_FILE environment variable and uses it as a client_assertion when authenticating to Entra ID.
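A pre-flight check for the token file described above, as an added example that is not part of the plugin's code: it reads the file named by AZURE_FEDERATED_TOKEN_FILE, decodes the JWT claims without verifying the signature, and reports the mismatches that typically cause Entra ID to reject a federated assertion. The audience value `api://AzureADTokenExchange` and all function names are assumptions; use the audience configured on your federated credential.

```python
import base64
import json
import os
import time

# Audience commonly configured on Entra ID federated credentials (assumed here).
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def read_federated_token(env=os.environ):
    """Read the token from the file named by AZURE_FEDERATED_TOKEN_FILE."""
    path = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if not path:
        raise RuntimeError("AZURE_FEDERATED_TOKEN_FILE is not set")
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, audience=DEFAULT_AUDIENCE, now=None):
    """Return a list of problems that would make Entra ID reject the assertion."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired; the file must be refreshed")
    for name in ("iss", "sub"):  # matched against the federated credential
        if not claims.get(name):
            problems.append(f"missing {name} claim")
    return problems


def client_auth_params(client_id, token):
    """Form fields that take the place of client_secret in the token request."""
    return {"client_id": client_id,
            "client_assertion_type": ASSERTION_TYPE,
            "client_assertion": token}


if __name__ == "__main__":
    for line in check_claims(decode_claims(read_federated_token())) or ["ok"]:
        print(line)  # prints findings only, never the token itself
```

Run it as the same user and in the same pod or container as the Jenkins controller so it sees the same environment variable and file permissions.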

Alternatively, if AZURE_FEDERATED_TOKEN_FILE is not provided, you can use the OpenID Connect Provider plugin as the auth provider.

Click 'Advanced' and select credentials of one of these types: