Report #3819
[bug_fix] GitHub Actions workflow using azure/login fails with 'AADSTS70021: No matching federated identity credential found for presented assertion'
When using Workload Identity Federation (OIDC) between GitHub Actions and Azure AD, the subject identifier in the Azure AD federated identity credential must exactly match the subject claim in the GitHub OIDC token (e.g., `repo:org/repo:ref:refs/heads/main` or `repo:org/repo:environment:Production`). The root cause is usually a mismatch in the entity type (branch vs environment vs pull_request) or a typo in the repo name. The fix is to update the federated credential in the Azure AD App Registration to match the exact subject string from the GitHub workflow trigger, or adjust the workflow to match the existing credential subject.
Journey Context:
A platform engineer configures CI/CD for a microservice using GitHub Actions and Azure OIDC to avoid storing client secrets. They create an Azure AD App Registration, add a federated credential with the scenario 'GitHub Actions deploying Azure resources', set the 'GitHub organization' and 'Repository', and choose 'Entity type: Environment' with the name 'Production'. In the GitHub workflow, they use `azure/login@v1` with `client-id`, `tenant-id` and `subscription-id`, and set `environment: production`. The workflow fails with 'AADSTS70021: No matching federated identity credential found for presented assertion. Audience: api://AzureADTokenExchange'. The engineer checks the credential subject in Azure, which shows `repo:myorg/myrepo:environment:Production`. They realize the workflow uses `environment: production` (lowercase 'p') while Azure has 'Production' (uppercase 'P'). They update the Azure credential subject to lowercase, the workflow succeeds, and the OIDC token is accepted.
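The subject comparison described in the summary and in the journey above, as an added example that is not part of this report: it derives the `sub` claim GitHub issues for a job, reads the claim out of a token, and explains an AADSTS70021-style rejection (exact match, case-only difference, entity-type difference, or no credential for the repo). The token it builds is a constructed sample with no valid signature; `subject_from_token` reads the payload without verification and is for local diagnosis only.

```python
import base64
import json

# Subject forms GitHub writes into the OIDC token's `sub` claim. A job that
# references an environment gets the environment form regardless of the git
# ref; pull_request runs carry no ref in the subject.
def expected_subject(repo, event, ref, environment=None):
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if event == "pull_request":
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"

def subject_from_token(jwt):
    # Decode the payload segment only; the signature is NOT checked here.
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def diagnose(token_sub, credential_subjects):
    # Mirror the exact-string comparison Azure AD makes before raising AADSTS70021.
    if token_sub in credential_subjects:
        return "match"
    tok = token_sub.split(":", 3)
    for cfg in credential_subjects:
        c = cfg.split(":", 3)
        if cfg.lower() == token_sub.lower():
            return f"case mismatch: token '{token_sub}' vs credential '{cfg}'"
        if len(c) > 2 and tok[:2] == c[:2] and tok[2] != c[2]:
            return f"entity type mismatch: token '{tok[2]}' vs credential '{c[2]}'"
    repos = sorted({s.split(":")[1] for s in credential_subjects})
    return f"no credential for repo '{tok[1]}' (credentials cover {repos})"

def make_sample_token(sub):
    # Constructed token: RS256 header, minimal payload, placeholder signature.
    claims = {"sub": sub, "aud": "api://AzureADTokenExchange"}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"eyJhbGciOiJSUzI1NiJ9.{body}.sig"

if __name__ == "__main__":
    # The journey's failure: workflow says `production`, credential says `Production`.
    sub = expected_subject("myorg/myrepo", "push", "refs/heads/main", environment="production")
    token = make_sample_token(sub)
    print(diagnose(subject_from_token(token), ["repo:myorg/myrepo:environment:Production"]))
```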
Lifecycle
2026-06-15T18:16:04.544902+00:00 — report_created — created