Bug
Resolution: Duplicate
Minor
4.16
Quality / Stability / Reliability
Description of problem:
After migration to Microsoft Entra Workload ID, verify that the Microsoft Entra Workload ID cluster is usable.
Version-Release number of selected component (if applicable):
4.16
How reproducible:
Steps to Reproduce:
1. Prepare an Azure OpenShift cluster.
2. Migrate to Azure AD Workload Identity using the procedure at https://github.com/openshift/cloud-credential-operator/blob/master/docs/azure_workload_identity.md#steps-to-in-place-migrate-an-openshift-cluster-to-azure-ad-workload-identity.
Actual results:
Expected results:
3. Suggest adding the following verification steps.
a) After migration to Microsoft Entra Workload ID, verify that the OpenShift cluster no longer holds root credentials.
$ oc get secrets -n kube-system azure-credentials
Error from server (NotFound): secrets "azure-credentials" not found
b) Verify that components use the azure_client_id specified in the secret manifests instead of credentials passed through by the Cloud Credential Operator. The displayed secret should not contain an azure_client_secret key and should instead contain an azure_federated_token_file key.
$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o jsonpath='{.data}' | jq
{
"azure_client_id": "YTcwMTE5YzQtMDNiMS00Mj",
"azure_federated_token_file": "L3Zhci9ydW4vc2VjcmV0",
"azure_region": "ZdHVz",
"azure_subscription_id": "NTNiOGY1NTEtZjBmY",
"azure_tenant_id": "NjA0N2M3ZTkMzZjZiZTZhN2Vl"
}
$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o jsonpath='{.data.azure_client_secret}'
c) Verify that the pod identity webhook pods are created and in Running status.
$ oc get po -n openshift-cloud-credential-operator
NAME READY STATUS RESTARTS AGE
cloud-credential-operator-7d5785958f-gbs75 2/2 Running 0 175m
pod-identity-webhook-7c774cb54b-gbq2l 1/1 Running 0 175m
pod-identity-webhook-7c774cb54b-m2x2f 1/1 Running 0 175m
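The three checks above as one script, added here as an example and not taken from the issue or from the cloud-credential-operator project. The helper functions inspect command output text only, so they can be exercised without a cluster; the RUN_LIVE variable and the run_checks wrapper are assumptions of this example, and the oc commands are the ones quoted in the steps.

```shell
#!/bin/sh
# Added example: automates the post-migration checks for Azure AD Workload Identity.
# Helpers take command output as an argument so they work offline; run_checks
# (assumed name) wires them to the oc commands from the verification steps.

# a) The root credential secret must be gone from kube-system.
#    Argument: combined stdout/stderr of `oc get secrets -n kube-system azure-credentials`.
root_secret_absent() {
  case "$1" in
    *'(NotFound)'*) return 0 ;;
    *) return 1 ;;
  esac
}

# b) A component secret must carry azure_federated_token_file and no azure_client_secret.
#    Argument: the `.data` JSON of the secret (only key names matter; values are base64).
secret_uses_workload_identity() {
  case "$1" in *'"azure_client_secret"'*) return 1 ;; esac
  case "$1" in *'"azure_federated_token_file"'*) return 0 ;; esac
  return 1
}

# c) Count pod-identity-webhook pods whose STATUS column is Running.
#    Argument: output of `oc get po -n openshift-cloud-credential-operator`.
running_webhook_pods() {
  printf '%s\n' "$1" | grep -c '^pod-identity-webhook-[^ ]*[[:space:]]*[0-9]*/[0-9]*[[:space:]]*Running'
}

# Live mode: run the checks against the current cluster (needs oc on PATH and a logged-in session).
run_checks() {
  root_secret_absent "$(oc get secrets -n kube-system azure-credentials 2>&1)" \
    || { echo "FAIL: azure-credentials root secret still present in kube-system"; return 1; }
  secret_uses_workload_identity "$(oc get secrets -n openshift-image-registry installer-cloud-credentials -o jsonpath='{.data}')" \
    || { echo "FAIL: installer-cloud-credentials has a client secret or lacks a federated token file"; return 1; }
  n=$(running_webhook_pods "$(oc get po -n openshift-cloud-credential-operator)")
  [ "$n" -ge 1 ] || { echo "FAIL: no pod-identity-webhook pod is Running"; return 1; }
  echo "PASS: cluster is using Azure AD Workload Identity ($n webhook pod(s) Running)"
}

# RUN_LIVE=1 is an assumed switch so that sourcing the file offline only defines the helpers.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_checks
fi
```

Run with RUN_LIVE=1 against a migrated cluster; any FAIL line points at the step whose expected output above was not observed.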
Additional info:
Duplicates: OCPSTRAT-2647 Enhance security posture for infrastructure credentials on OpenShift deployments (New)