
No Certs, No Secrets: Microsoft Graph on Azure using Entra Workload Identity Federation and Amazon Cognito (OIDC)
I recently needed to authenticate a server-side-only app with Microsoft Graph without the requirement for client secrets or certificates (which require manual rotation in an enterprise security context). The solution is to use Microsoft Entra Workload Identity Federation (WIF) with OpenID Connect (OIDC), so that an app can obtain tokens by trusting an external OIDC identity provider, in this case Microsoft Azure AD. I could not find a good guide for this online, so I decided to write my own. A number of steps are required to make this solution possible, as follows:

1. Create an Identity Pool in Amazon Cognito
2. Create an IAM Policy to allow access to said Pool
3. Request a JWT from Amazon Cognito to create an identity
4. Create an Azure AD app registration
5. Configure the Azure AD app to trust the Identity Pool as an OIDC provider
6. Exchange a JWT from Amazon Cognito with Microsoft for an Azure JWT

1. Create an Identity Pool in Amazon Cognito

Amazon Cognito Identity Pools is a service that is
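The final exchange in the steps above (a Cognito-issued JWT presented to Microsoft as a client assertion) is shown here as an added example; it is not code from the original post. It assumes the Cognito token carries standard iss, sub and aud claims, and that the Entra federated credential was configured with the same issuer, subject and audience; the preflight check only decodes the token locally (Entra performs the real signature verification), and all identifiers are constructed placeholders.

```python
"""Preflight check and token-request builder for Entra Workload Identity Federation."""
import base64
import json
from typing import Dict

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
COGNITO_ISSUER = "https://cognito-identity.amazonaws.com"  # assumed issuer of pool tokens


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    This is a local preflight only: Entra verifies the signature against the
    issuer's published keys when the assertion is exchanged."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def assertion_matches_federated_credential(token: str, subject: str, audience: str,
                                           issuer: str = COGNITO_ISSUER) -> bool:
    """Mirror the three fields a federated credential is matched on: issuer,
    subject and audience must all agree, or Entra rejects the assertion."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    aud_ok = audience in aud if isinstance(aud, list) else aud == audience
    return claims.get("iss") == issuer and claims.get("sub") == subject and aud_ok


def build_token_request(tenant_id: str, client_id: str, assertion: str) -> Dict[str, object]:
    """Form body for the client_credentials grant that swaps the external JWT for
    an Entra access token scoped to Microsoft Graph (no secret or certificate)."""
    return {
        "url": TOKEN_ENDPOINT.format(tenant=tenant_id),
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "scope": "https://graph.microsoft.com/.default",
            "client_assertion_type": CLIENT_ASSERTION_TYPE,
            "client_assertion": assertion,
        },
    }


def make_unsigned_jwt(claims: Dict) -> str:
    """Constructed, unsigned JWT for local testing of the preflight only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

POST the returned `data` as a form body to `url`; the JSON response carries the Graph access token in `access_token`.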
Continue reading on Dev.to