Turbot Guardrails can now bring an entire Azure tenant under governance using Workload Identity Federation — a keyless connection in which Guardrails authenticates to your tenant with the AWS identity it already runs as. One federated handshake brings every subscription and management group under management, with nothing sensitive crossing the boundary between clouds.
It is the same keyless model Guardrails brings to GCP, and in the Create Connection wizard it comes pre-selected and recommended. The traditional client-secret connection still works exactly as before and remains fully supported — Workload Identity Federation is simply the keyless alternative we now recommend.
A credentials step with no secret to fill in
Open the Create Connection wizard and the difference is immediate. Workload Identity Federation comes pre-selected and marked Recommended, and the credentials step asks only for the identifiers Guardrails needs to find your tenant. There is no client secret field, because there is no secret. You are configuring a trust relationship, not handing over a key.
Workload Identity Federation is pre-selected and recommended — and there is no client secret field to fill in
Trust anchored to an identity, not a stored key
Keyless does not mean unverified; if anything, the trust is stronger. Rather than holding a secret, Guardrails proves its own AWS identity to mint a short-lived token that Microsoft Entra ID is configured to trust. Entra ID hands back a scoped access token, and Guardrails reads your tenant through Azure Resource Manager. Because trust is rooted in the exact AWS account and role Guardrails runs as, there is nothing sitting anywhere that can be copied, leaked, or left to expire — and every federation is recorded in AWS CloudTrail, giving you a verifiable account of when and how Guardrails reached your tenant. The same keyless model works across commercial and sovereign clouds alike — Global, US Government, and China — so it is available wherever your tenant runs.
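To make the trust relationship concrete, here is an added Python illustration (not Guardrails' own code) of the two pieces behind the flow above: the client-credentials request Entra ID accepts in place of a client secret, and the issuer/subject/audience/expiry match a federated identity credential applies before issuing the ARM-scoped token. The issuer URL and role ARN are hypothetical placeholders, not Guardrails' real values.

```python
import time
from urllib.parse import urlencode

# Entra ID token endpoint and the assertion type used by Workload Identity
# Federation (client credentials grant with an externally issued JWT).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ARM_SCOPE = "https://management.azure.com/.default"


def build_token_request(tenant_id, client_id, external_assertion):
    """Return (url, form-encoded body) that trades the short-lived external
    token for an ARM-scoped access token. No client_secret is ever sent."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": external_assertion,
        "scope": ARM_SCOPE,
    }
    return TOKEN_URL.format(tenant=tenant_id), urlencode(body)


def federated_credential_accepts(fic, claims, now=None):
    """Mirror the checks Entra ID applies to a federated identity credential:
    iss, sub and aud must match exactly and the assertion must be unexpired.
    Any AWS identity other than the registered one is rejected outright."""
    now = time.time() if now is None else now
    return (
        claims.get("iss") == fic["issuer"]
        and claims.get("sub") == fic["subject"]
        and claims.get("aud") in fic["audiences"]
        and claims.get("exp", 0) > now
    )


# Constructed sample of what the generated script registers on the Azure side.
# Issuer and role ARN are hypothetical placeholders, not real Guardrails values.
FIC = {
    "issuer": "https://oidc.example-guardrails.invalid",          # hypothetical
    "subject": "arn:aws:iam::111122223333:role/GuardrailsRole",   # hypothetical
    "audiences": ["api://AzureADTokenExchange"],
}
# Constructed assertions: one from the registered role, one from another role.
GOOD = {"iss": FIC["issuer"], "sub": FIC["subject"],
        "aud": "api://AzureADTokenExchange", "exp": 1_700_000_600}
WRONG_ROLE = dict(GOOD, sub="arn:aws:iam::111122223333:role/OtherRole")
```

Because the subject is the full role ARN, a token minted by any other AWS principal fails the match even if it is otherwise valid, and an expired token fails regardless of who minted it.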
One generated script on the Azure side
Setting up the trust relationship is a single script the wizard generates for you, pre-filled with everything it needs. You run it once against your tenant and the Azure side is done. The AWS side is handled automatically — Guardrails has already done its part — so there is no infrastructure to stand up and no second cloud to wrangle. The experience is the same whether you run Guardrails as a managed service or self-hosted, and the Create Connection wizard walks you through every step.
A single generated script sets up the Azure side; the wizard handles the AWS side automatically
Discover the whole tenant in one move
Run the script, return to the wizard, and Guardrails discovers your entire tenant — every subscription and every management group — in a single move. No per-subscription credential handoffs, no onboarding accounts one at a time. The connection that took no stored secret to establish now gives you a complete map of the tenant, ready to govern.
One keyless round-trip enumerates the whole tenant — subscriptions and management groups
Control exactly what gets discovered
Discovering the whole tenant does not mean taking it all on at once. You choose how deeply Guardrails looks: set a discovery level across the tenant hierarchy, let management-group settings cascade to the subscriptions beneath them, and override individual subscriptions where you need to. And federation changes nothing about how Guardrails is scoped once it is in; the same access model applies as with a client secret: read-only for visibility, or full governance with remediation when you want Guardrails to act.
Set discovery levels across the tenant hierarchy, with cascading defaults and per-subscription overrides
Keyless connections for your entire stack
A keyless Azure connection with Workload Identity Federation brings the same prevention-first foundation enterprise teams already rely on across AWS, GCP, GitHub, and OCI. Bring a whole tenant under governance with no secret to store or rotate, anchor trust to the exact AWS identity Guardrails runs as, audit every federation in CloudTrail, and let one generated script finish the Azure side. GCP connects the very same keyless way.
The tenant under governance in Guardrails — connected with zero stored credentials
Interested in connecting your Azure environment to Guardrails without storing a single client secret? Connect with us to get your free preventive security posture assessment.
