
Are there any Azure resources that strictly need text-based secrets for authentication?


I'm considering an initiative to get rid of secrets in all of our Azure resources using MSI, primarily. I'd set up MSI everywhere we're using text credentials and client secrets, and let MSI do the heavy lifting.

Is there a resource for which MSI cannot be used for authentication, and some client secret has to be maintained?

For bonus points: is there some Azure resource that MSI won't work for to get rid of the secret, but there's another approach that will work?

NO MORE SECRETS


Solution

  • As discussed in comments, below are a few MSI limitations:

    For example, Azure DevOps can integrate with AD for user authentication, but service connections to other resources (like GitHub) might still require a PAT.

    In AKS, external integrations like certain Helm repositories may still require text-based secrets.

    Then, let's say you have to connect Azure resources to any third-party service that does not support Azure AD or MSI (for example, legacy systems or an external database); that will require text-based credentials.

    You can find a list of Azure services that can use managed identities to access other services in the "Services supporting managed identities" section of the "Azure services that can use managed identities to access other services" document.
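
A starting point for the initiative described in the question, as an added example that is not part of the original answer: it inventories app registrations that still carry client secrets, reading JSON in the shape that `az ad app list --all` returns. The sample data is constructed and the function names are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az ad app list --all` output (Microsoft Graph
# application objects). Names, IDs and dates are made up.
SAMPLE = json.loads("""[
 {"displayName": "billing-api", "appId": "00000000-0000-0000-0000-000000000001",
  "passwordCredentials": [{"displayName": "ci", "endDateTime": "2023-01-01T00:00:00Z"},
                          {"displayName": "prod", "endDateTime": "2099-01-01T00:00:00Z"}],
  "keyCredentials": []},
 {"displayName": "report-job", "appId": "00000000-0000-0000-0000-000000000002",
  "passwordCredentials": [],
  "keyCredentials": [{"displayName": "cert", "endDateTime": "2099-06-01T00:00:00Z"}]},
 {"displayName": "legacy-db-sync", "appId": "00000000-0000-0000-0000-000000000003",
  "passwordCredentials": [{"displayName": null, "endDateTime": "2099-03-01T12:30:00.1234567Z"}],
  "keyCredentials": []}
]""")

def parse_ts(value):
    # Keep YYYY-MM-DDTHH:MM:SS only; assumes UTC and drops fractional seconds.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def secret_inventory(apps, now=None):
    """One row per client secret: (app name, appId, secret label, status)."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for app in apps:
        for cred in app.get("passwordCredentials") or []:
            end = cred.get("endDateTime")
            status = "unknown" if not end else ("expired" if parse_ts(end) <= now else "active")
            rows.append((app.get("displayName"), app.get("appId"),
                         cred.get("displayName") or "(unnamed)", status))
    return rows

def migration_summary(apps):
    """Group app names by the credential type still attached to the registration."""
    summary = {"has_client_secret": [], "certificate_only": [], "no_credentials": []}
    for app in apps:
        key = ("has_client_secret" if app.get("passwordCredentials")
               else "certificate_only" if app.get("keyCredentials") else "no_credentials")
        summary[key].append(app.get("displayName"))
    return summary

if __name__ == "__main__":
    for row in secret_inventory(SAMPLE):
        print(*row, sep="\t")
    print(migration_summary(SAMPLE))
```

Apps listed under `has_client_secret` are the candidates to review against the limitations above: those that only call Azure services can move to MSI, while those that talk to third-party systems keep a stored credential.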