Share via

Managed Identity (VM) access to SharePoint Online with Federated Credentials

Brennan Phoenix 0 Reputation points
2026-02-25T15:55:28.5333333+00:00

We have the following situation:

Legacy application (CRM 8.1.1 on premise) requires read/write access to SharePoint Online for document management to replace SP 2013. SP 2016/2019 are not viable as we cannot upgrade the CRM environment to 8.2 (minimum for server integration) so we are skipping to SP Online using a custom workaround.

The Solution is the following:

A Custom .NET WebAPI works as an intermediary for plugins, ADX portal (On Premise), and via a webResource CRM Forms access to SharePoint folders.

The .NET WebAPI authenticates to SP Online via an Entra App Registration that has SharePoint/Sites.Selected API Permission and has Write permissions to the SharePoint Site assigned via MS Graph.

Rather than use Certificates or Secrets, we chose to add Federated Credentials to the App Registration for the Managed Identity of the server hosting the WebAPI application. The WebAPI uses DefaultAzureCredential (which uses the Managed Identity of the VM) to get a Token for the SharePoint Online resource.
Our Dev and QA team thoroughly tested the WebAPI using this configuration and all was well. Testing took over one one week ending on Feb 23, 2026. Then, on Feb 24, 2026 authentication stopped working.

  • We have confirmed that the API Permissions are still on the App Registration in Entra
  • We have confirmed that the Write permissions for the App Registration are present on the targeted Site in MS-Graph
  • We have confirmed that the System Managed Identity based Federated Credentials are still present on the App Registration for the VM hosting the application
  • We have confirmed that no changes were made to the application or it's IIS environment on the VM.

At present we have fallen back to using a Certificate on the App Registration to authenticate the WebAPI (this was set up initially while developing the application on a local machine that does not have a System Managed Identity and was an easy backup to switch to).

Does anyone have any insight as to why the Managed Identity authenticating via Federated Credentials would suddenly stop working?

Microsoft 365 and Office | Development | Other
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Teddie-D 12,845 Reputation points Microsoft External Staff Moderator
    2026-02-25T23:20:24.83+00:00

    Hi @Brennan Phoenix

    Thank you for posting your question in the Microsoft Q&A forum. 

    Based on your description, the issue appears to occur before SharePoint authorization, during the Managed Identity > Federated Credential > Entra application token exchange process, rather than within SharePoint or Sites.Selected permissions.  

    Federated identity credentials validate specific claims from the incoming Managed Identity token, including issuer (iss), subject (sub), and audience (aud). If those claims do not match the configured federated credential, Microsoft Entra ID will reject the token exchange request, even though the federated credential object, Managed Identity assignment, and SharePoint (Sites.Selected) permissions remain unchanged. 

    This strict claim validation is part of the workload identity federation security model.  

    If the claims presented in the token differ from what the federated credential expects, for example due to identity recreation, scope changes, or validation updates, authentication can fail even when no obvious configuration changes were made.  

    Here are some steps you may try: 

    -Remove the existing federated identity credential from the App Registration (not from the Managed Identity object). 

    -Recreate the federated credential using the VM’s Managed Identity to ensure the trust configuration aligns with the current token claims. 

    -Review Entra sign-in logs for AADSTS errors related to token exchange or workload identity federation. 

    -If deterministic stability is required, certificate-based authentication remains a mature alternative. Certificates use the OAuth 2.0 client credentials flow directly and do not depend on workload identity federation, which explains why certificate authentication continues to work as a fallback.  

    Reference: Overview of federated identity credentials in Microsoft Entra ID - Microsoft Graph v1.0 | Microsoft… 

    I hope this information is helpful. 

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  

  2. Q&A Assist
    2026-02-25T15:55:44.3166667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    There are a few potential reasons why the Managed Identity authenticating via Federated Credentials might have suddenly stopped working:

    1. Propagation Delay: Changes to federated identity credentials can take time to propagate throughout the Azure environment. If there were any recent changes made to the federated identity configuration, it may take a while for those changes to be fully recognized across all nodes of the authorization service. During this time, token requests may fail due to outdated cached data. It is recommended to wait a short time after making changes before requesting a token and to implement retry logic for token requests to handle temporary failures.
    2. Token Caching Issues: If the token request was made shortly after the federated identity credential was configured or modified, it could have resulted in the error AADSTS70021: No matching federated identity record found for presented assertion. This suggests that the cache was not yet updated with the new information.
    3. Permissions and Role Assignments: Even though you confirmed that the API permissions and write permissions are still present, ensure that the managed identity still has the necessary role assignments on the SharePoint site. Sometimes, permissions can be inadvertently altered or revoked.
    4. Service Principal Issues: Verify that the service principal associated with the managed identity is still valid and has not been deleted or disabled. Any issues with the service principal could prevent successful authentication.
    5. Environment Changes: Although you mentioned that no changes were made to the application or its IIS environment, double-check for any updates or changes in the Azure environment or policies that might affect authentication.

    If these areas have been thoroughly checked and the issue persists, it may be beneficial to consult Azure support for further investigation into the managed identity and federated credential configuration.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.