- Deployment System Target: [e.g., GitHub Runner Pipeline / Kubernetes Pod / AI Vector Agent]
- Target Cloud Provider: [e.g., Microsoft Azure / AWS / GCP]
- Execution Date: [Date]
- Compliance Status: [Pass / Fail / Audited]
- AI Ingestion Agent Status: [Enabled / Disabled / Programmatic API Hook]
This matrix anchors the globally unique root coordinates of the identity directory and the targeted asset deployment environment.
- Resource A (Source Identity Center) - Tenant ID: [___________________________] Sourced via API/Portal Overview
- Resource B (Target Asset Environment) - Subscription ID: [___________________________] Sourced via API/Portal Billing Scope
Track the live state of the physical infrastructure assets deployed inside the target resource boundary.
- Target Cloud Asset Type: [e.g., Azure Key Vault / Azure Blob Storage]
- Provisioned Resource Name: [___________________________]
- Resource Group Perimeter: [___________________________]
- Manual Lookup: Extracted from portal browser surfaces.
- AI Agent Programmatic Discovery: Automated JSON variable extraction via CLI/PowerShell script telemetry.
Before moving past Phase 1, the following logical condition must be manually audited or AI-verified.
[ HARD BOOLEAN VALIDATION ] Are both the target subscription asset and the identity directory actively nested under the identical root tenant domain structure?
- SUCCESS: Workspace paths cryptographically align. AI agent records identifiers.
- FAILURE / INTERRUPTED: Mismatched tenant directory context detected. Cross-cloud routing will fail validation before token issuance.
Document the primary administrative naming convention and unique identifier generated for the machine account.
- Configured Application Name: [___________________________] (e.g., AI-Identity-Prod)
- Application (Client) ID: [___________________________] (Public username string extracted automatically by AI agent)
Enforce the structural constraints chosen during the initialization of the application object.
Supported Account Type Selection:
- Potential A: Single-Tenant (Accounts in this organizational directory only - standard for internal enterprise/AI workloads)
- Potential B: Multi-Tenant (Accounts in any organizational directory - required for external B2B SaaS applications)
- Potential C: Multi-Tenant and Personal Microsoft Accounts (Enterprise software with integrated consumer account access)
- Potential D: Personal Microsoft Accounts Only (Isolates identity entirely within the consumer-grade ecosystem)
Redirect URI (Reply URL) Configuration:
- Left Entirely Blank (Optimized for headless background runners and automated AI workloads)
- Populated (Interactive web application human-login redirection routing)
Before moving past Phase 2, the following logical condition must be audited and affirmed.
[ HARD BOOLEAN VALIDATION ] Has the directory portal successfully initialized both the Application Object blueprint and the local enterprise Service Principal card?
- SUCCESS: Both structural objects exist in the tenant; Application ID is recorded into the ledger by the AI runtime context.
- FAILURE / INTERRUPTED: Registration incomplete or app suspended. External runners cannot reference the identity.
Document the precise OpenID Connect (OIDC) metadata properties configured to anchor the cross-platform trust root.
- Federated Credential Name: [___________________________] (e.g., github-main-branch)
- Issuer URL:
https://token.actions.githubusercontent.com - Audience Mapping:
api://AzureADTokenExchange
- GitHub Actions: CI/CD automation pipeline tracking.
- Kubernetes Workloads: Maps trust to container cluster OpenID Connect Issuer URL.
- Managed Identity: Cross-app localized trust anchor between distinct application objects.
- Other Issuer: Custom external vendor platforms utilizing raw string entries.
Record the explicit, case-sensitive string used to isolate inbound authentication directly to your approved code or runtime perimeter.
- Target Repository Owner / Org: [___________________________] (e.g., Compcode1)
- Target Repository Name: [___________________________] (e.g., machine-identity-1)
Target Entity Type Deployment Gate:
-
Environment
-
Branch
-
Pull Request
-
Tag
-
Target Execution Path Name (Branch/Env/Tag Name): [___________________________] (e.g., main)
-
Final Computed Subject String (sub):
repo:[Org]/[Repo]:ref:[Path] -
Actual Form:
repo::ref:
Verify compliance against strict zero-trust identity isolation boundaries.
- [ YES ] Is the final Subject identifier completely explicit and free of broad production wildcards (*)?
- [ YES ] Has the exact string casing been verified against the external repository path to prevent silent character-match failure states?
Before moving past Phase 3, the following logical condition must be audited and affirmed.
[ HARD BOOLEAN VALIDATION ] Has the cryptographic policy been successfully written into the Application Object's federated identity collection and locked?
- SUCCESS: Trust policy is active; identity token endpoint is listening for matching external claims. AI logs verified configurations.
- FAILURE / INTERRUPTED: Policy misconfiguration or invalid issuer URL string. Inbound handshakes will trigger immediate authentication drops.
Document the precise data-plane authorization scope assigned to the local Service Principal inside the resource target perimeter.
- Assigned Data-Plane Role: [___________________________] (Bypasses broad infrastructure control roles like Contributor)
- Target Resource Attachment Scope: [___________________________] (e.g., key-vault-sgt)
Map out the hard cryptographic token thresholds governing the lifecycle of the active automation run.
- Access Token (AT) Expiration Ceiling: 60 Minutes (Absolute value active for data-plane read/write actions)
- Refresh Token (RT) Availability: 0 Minutes (Blocked natively - long running scripts must execute a new OpenID Connect handshake)
Identify and apply explicit text-masking boundaries to intercept raw string outputs before they hit public build screens.
Telemetry Masking Rule Status:
- [ YES ] Repository environment variables are actively hidden (***) by the runner framework.
- [ YES ] Script-level output suppression commands and runtime masking directives are explicitly coded to intercept and redact dynamic data-plane variables in memory.
Before finalizing the ledger, the following logical condition must be audited and affirmed within the environment telemetry.
[ HARD BOOLEAN VALIDATION ] Has the machine runner bypassed broad infrastructure control roles and successfully authenticated directly against a data-plane role?
- SUCCESS: Pipeline logs show clean authorization and zero 403 Forbidden drop faults during asset reading. AI records a success state.
- FAILURE / INTERRUPTED: Authentication returns a success state, but subsequent asset data access drops with a standard 403 authorization error.