Use Workload Identity for secretless authentication when Jenkins runs in an environment that provides OIDC-based federated credentials (e.g. Kubernetes, GitHub Actions, or any custom OIDC identity provider).

Prerequisites:

• An OIDC identity provider that issues JWT tokens (e.g. a Kubernetes cluster with OIDC Issuer, a custom OIDC provider hosted on a storage account, or GitHub Actions).
• A Federated Identity Credential configured on the Entra ID App Registration, pointing to your OIDC issuer and matching the subject and audience of the issued tokens.
• The AZURE_FEDERATED_TOKEN_FILE environment variable set to the path of the JWT token file.

When this option is selected, no Client Secret or Certificate is required. The plugin reads the federated token from the file path specified in the AZURE_FEDERATED_TOKEN_FILE environment variable and uses it as a client_assertion when exchanging the OIDC authorization code with Entra ID.