diff --git a/README.md b/README.md
index ca982c2..ec6a4fa 100644
--- a/README.md
+++ b/README.md
@@ -269,10 +269,10 @@ Once you are finished with the reference architecture, you can remove all provis
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
 | location | Azure region to deploy into | `string` | n/a | yes |
 | subscription\_id | Azure Subscription (ID) to use | `string` | n/a | yes |
 | github\_org\_id | GitHub org id (required for Backstage) | `string` | `null` | no |
-| humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no |
 | vm\_size | The Azure VM instances type to use as "Agents" (aka Kubernetes Nodes) in AKS | `string` | `"Standard_D2_v2"` | no |
 | with\_backstage | Deploy Backstage | `bool` | `false` | no |
 
diff --git a/main.tf b/main.tf
index 8fecc36..3162ca7 100644
--- a/main.tf
+++ b/main.tf
@@ -3,9 +3,10 @@
 module "base" {
   source = "./modules/base"
 
-  subscription_id = var.subscription_id
-  location        = var.location
-  vm_size         = var.vm_size
+  subscription_id  = var.subscription_id
+  location         = var.location
+  vm_size          = var.vm_size
+  humanitec_org_id = var.humanitec_org_id
 }
 
 # User used for scaffolding and deploying apps
diff --git a/modules/base/README.md b/modules/base/README.md
index 8e57735..490efdd 100644
--- a/modules/base/README.md
+++ b/modules/base/README.md
@@ -38,10 +38,10 @@ Module that provides the reference architecture.
 | Name | Type |
 |------|------|
 | [azuread_application.main](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_application_federated_identity_credential.credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
 | [azuread_group.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
 | [azuread_group_member.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource |
 | [azuread_service_principal.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azuread_service_principal_password.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
 | [azurerm_container_registry.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) | resource |
 | [azurerm_public_ip.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
@@ -63,6 +63,7 @@ Module that provides the reference architecture.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
 | location | Azure region to deploy into | `string` | n/a | yes |
 | subscription\_id | Azure Subscription (ID) to use | `string` | n/a | yes |
 | cluster\_name | Name for the AKS cluster | `string` | `"ref-arch"` | no |
diff --git a/modules/base/humanitec.tf b/modules/base/humanitec.tf
index ed4dd66..ed6694b 100644
--- a/modules/base/humanitec.tf
+++ b/modules/base/humanitec.tf
@@ -6,10 +6,8 @@ resource "humanitec_resource_account" "cluster_account" {
   type = "azure"
 
   credentials = jsonencode({
-    "appId" : azuread_service_principal.humanitec.client_id,
-    "displayName" : azuread_application.main.display_name,
-    "password" : azuread_service_principal_password.humanitec.value,
-    "tenant" : azuread_service_principal.humanitec.application_tenant_id
+    "azure_identity_tenant_id" : azuread_service_principal.humanitec.application_tenant_id
+    "azure_identity_client_id" : azuread_service_principal.humanitec.client_id
   })
 }
 
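Review bot: The two added entries in the `credentials` object are separated only by a newline, while the removed entries used trailing commas. HCL accepts both forms, but keeping the comma, as in `"azure_identity_tenant_id" : azuread_service_principal.humanitec.application_tenant_id,`, stays consistent with the previous style and with how JSON-minded readers will parse the block. Since the payload now holds only identifiers, a comment above `credentials` would help, for example `# No secret stored here: access relies on the federated identity credential on the Azure AD application`. The `humanitec_resource_account` block begins outside this hunk.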
diff --git a/modules/base/main.tf b/modules/base/main.tf
index 3105869..f516395 100644
--- a/modules/base/main.tf
+++ b/modules/base/main.tf
@@ -72,8 +72,13 @@ resource "azuread_service_principal" "humanitec" {
   owners    = [data.azuread_client_config.current.object_id]
 }
 
-resource "azuread_service_principal_password" "humanitec" {
-  service_principal_id = azuread_service_principal.humanitec.id
+resource "azuread_application_federated_identity_credential" "credential" {
+  application_id = azuread_application.main.id
+  display_name   = "AccessFromHumanitec"
+  description    = "Access From Humanitec"
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = "https://idtoken.humanitec.io"
+  subject        = "${var.humanitec_org_id}/${humanitec_resource_account.cluster_account.id}"
 }
 
 # Required to fetch AKS credentials
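Review bot: `subject` references `humanitec_resource_account.cluster_account.id`, so Terraform creates the resource account before this federated credential exists, and nothing visible here makes consumers of the account wait for the credential. If any resource uses the account to reach Azure during the same apply (not visible in this hunk), it may run before the trust is in place. Adding `depends_on = [azuread_application_federated_identity_credential.credential]` to those resources would close that window. The resource would also benefit from a comment stating that `issuer` and `subject` together form the trust boundary, for example `# Only tokens from this issuer for <org id>/<resource account id> can be exchanged`.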
diff --git a/modules/base/terraform.tfvars.example b/modules/base/terraform.tfvars.example
index 7618d8f..0eec6d2 100644
--- a/modules/base/terraform.tfvars.example
+++ b/modules/base/terraform.tfvars.example
@@ -8,6 +8,9 @@ container_registry_name_prefix = "humrefarch"
 # Name of the environment to be deployed into
 environment = "development"
 
+# Humanitec Organization ID
+humanitec_org_id = ""
+
 # Number of allowed unavaiable replicas for the ingress-nginx controller
 ingress_nginx_min_unavailable = 1
 
diff --git a/modules/base/variables.tf b/modules/base/variables.tf
index a2e1279..bd4fbd3 100644
--- a/modules/base/variables.tf
+++ b/modules/base/variables.tf
@@ -49,3 +49,8 @@ variable "subscription_id" {
   description = "Azure Subscription (ID) to use"
   type        = string
 }
+
+variable "humanitec_org_id" {
+  description = "Humanitec Organization ID"
+  type        = string
+}
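Review bot: The new `humanitec_org_id` variable accepts an empty string, and both `terraform.tfvars.example` files in this commit ship `humanitec_org_id = ""`. The value becomes the first segment of the federated credential `subject`, so an empty value yields a subject of the form `/<account id>`, which presumably never matches an issued token and only fails at runtime. A `validation` block with `condition = length(var.humanitec_org_id) > 0` and a short `error_message` would reject it at plan time. The same applies to the root `variables.tf` hunk, where dropping `default = null` makes the variable required but still unvalidated.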
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 2ebfdbb..72c35c0 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -2,7 +2,7 @@
 # GitHub org id (required for Backstage)
 github_org_id = ""
 
-# Humanitec Organization ID (required for Backstage)
+# Humanitec Organization ID
 humanitec_org_id = ""
 
 # Azure region to deploy into
diff --git a/variables.tf b/variables.tf
index aba8325..b0d6e4a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,7 +27,6 @@ variable "github_org_id" {
 }
 
 variable "humanitec_org_id" {
-  description = "Humanitec Organization ID (required for Backstage)"
+  description = "Humanitec Organization ID"
   type        = string
-  default     = null
 }