🏷️ Discussion Type

Bug

💬 Feature/Topic Area

Copilot in GitHub

Body

Copilot cloud agent OIDC token no longer includes environment in subject claim, breaking Azure federated credential login (regression ~May 2026)

Summary

The Copilot cloud agent's dynamic workflow (/dynamic/copilot-swe-agent/copilot@...) stopped including the GitHub Actions environment in the OIDC token's sub claim around early May 2026. This completely breaks Azure OIDC federated credential login for any setup using the environment:copilot subject pattern, which is the officially documented and recommended configuration per:

• Microsoft's azd coding-agent config extension ([blog post](https://devblogs.microsoft.com/azure-sdk/azure-developer-cli-copilot-coding-agent-config/))
• GitHub's Enterprise Cloud docs for Copilot + Azure MCP (docs)
• Microsoft's quickstart for Copilot coding agent Azure access ([docs](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/extensions/copilot-coding-agent-extension))

The Problem

When environment: copilot is set on the copilot-setup-steps job, the OIDC token's subject claim should be:

repo:<my-org>/<my-repo>:environment:copilot

Instead, since approximately May 5-9, 2026, the dynamic workflow emits:

repo:<my-org>/<my-repo>:ref:refs/heads/copilot/<branch-name>

This causes Azure to reject the token with AADSTS700213: No matching federated identity record found.

Evidence: Before and After

Same workflow file, same repository, same Azure federated credential, same managed identity. Nothing changed on our side.

SUCCESSFUL run (early May 2026):

Secret source: None
subject claim - repo:<my-org>/<my-repo>:environment:copilot              ✅ CORRECT
job_workflow_ref - /dynamic/copilot-swe-agent/copilot@refs/heads/copilot/<branch-name>
Azure CLI login succeeds by using OIDC.

FAILED run (~4 days later):

Secret source: AgentSecrets                                               ⚠️ CHANGED
subject claim - repo:<my-org>/<my-repo>:ref:refs/heads/copilot/<branch-name>    ❌ WRONG
job_workflow_ref - /dynamic/copilot-swe-agent/copilot@refs/heads/copilot/<branch-name>
Error: AADSTS700213: No matching federated identity record found

Key differences:

1. Secret source changed from None to AgentSecrets
2. OIDC subject changed from environment:copilot to ref:refs/heads/copilot/...

Self-Service Fix Attempted: OIDC Subject Claim Customization

I tried to fix this using the repository-level OIDC Configuration page (Settings > Actions > OIDC):

1. Unchecked "Use default template"
2. Set the Subject claim template to: repo, context
3. Saved successfully
4. Triggered a new Copilot cloud agent session

Result: The dynamic workflow completely ignored the custom template. The subject claim still showed ref:refs/heads/copilot/.... The context variable should resolve to the environment name when the job specifies environment: copilot (per [GitHub's OIDC docs](https://docs.github.com/en/actions/reference/security/oidc)), but the Copilot agent's dynamic workflow bypasses the repository-level OIDC subject claim customization entirely.

Our Configuration (matches all official docs)

copilot-setup-steps.yml:

on:
  workflow_dispatch:
permissions:
  id-token: write
  contents: read
jobs:
  copilot-setup-steps:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    environment: copilot
    steps:
      - name: Azure login
        continue-on-error: true
        uses: azure/login@v3
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

Azure Federated Credential (User-Assigned Managed Identity):

Issuer:   https://token.actions.githubusercontent.com
Subject:  repo:<my-org>/<my-repo>:environment:copilot
Audience: api://AzureADTokenExchange

This is exactly what Microsoft's azd coding-agent config generates automatically.

Three Things the Dynamic Workflow Ignores

1. environment: copilot on the copilot-setup-steps job (for OIDC subject generation)
2. Repository-level OIDC Subject claim template customization (Settings > Actions > OIDC)
3. The documented behavior where context resolves to the environment name per [GitHub's OIDC reference](https://docs.github.com/en/actions/reference/security/oidc)

Why There Is No Azure-Side Workaround

• Azure federated identity credentials on managed identities require exact subject matching
• Wildcards are not supported in the subject field ([Microsoft docs](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-considerations))
• Azure's "Flexible federated identity credentials" (preview) which support wildcard matching via claimsMatchingExpression are only available on App Registrations, not managed identities ([Microsoft docs](https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-flexible-federated-identity-credentials))
• The environment:copilot pattern IS the recommended solution for dynamic branch names, because it is branch-agnostic. That is specifically why Microsoft's tooling generates it.

Impact

• Azure OIDC login is completely broken for all Copilot cloud agent sessions
• The agent cannot access Azure resources (Application Insights, Key Vault, Cosmos DB, etc.) via the Azure MCP Server
• The only workaround is continue-on-error: true on the Azure login step, which means the agent runs without Azure access
• This defeats the purpose of the Azure MCP Server integration with Copilot

Expected Behavior

The OIDC token's sub claim should be repo:<org>/<repo>:environment:copilot when the copilot-setup-steps job specifies environment: copilot, regardless of which copilot/* branch the dynamic workflow runs on. This was the correct behavior prior to early May 2026.

Is Anyone Else Hitting This?

If you are using Copilot cloud agent with Azure OIDC login (via azure/login with federated credentials on a managed identity), and your login started failing around early May 2026, you are likely hitting the same issue. Check your Action logs for whether the subject claim shows environment:copilot or ref:refs/heads/copilot/....

I have also filed a support ticket with GitHub for this issue.