The Azure Identity library provides Azure Active Directory (Azure AD) token authentication support across the Azure SDK. It provides a set of TokenCredential implementations that can be used to construct Azure SDK clients that support Azure AD token authentication.
Source code | API reference documentation | Azure AD documentation
Include the azure-sdk-bom
in your project to take a dependency on the stable version of the library. In the following snippet, replace the {bom_version_to_target}
placeholder with the version number. To learn more about the BOM, see the Azure SDK BOM README.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-sdk-bom</artifactId>
<version>{bom_version_to_target}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Then include the direct dependency in the dependencies
section without the version tag:
<dependencies>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
</dependency>
</dependencies>
To take dependency on a particular version of the library that isn't present in the BOM, add the direct dependency to your project as follows:
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
<version>1.9.2</version>
</dependency>
- A Java Development Kit (JDK), version 8 or later.
- An Azure subscription.
- The Azure CLI can also be useful for authenticating in a development environment, creating accounts, and managing account roles.
When debugging and executing code locally, it's typical for a developer to use their own account for authenticating calls to Azure services. There are several developer tools that can be used to perform this authentication in your development environment:
- Azure Toolkit for IntelliJ
- Visual Studio Code Azure Account Extension
- It's a known issue that
VisualStudioCodeCredential
doesn't work with Azure Account extension versions newer than 0.9.11. A long-term fix to this problem is in progress. In the meantime, consider authenticating via the Azure CLI (below).
- It's a known issue that
- Azure CLI
Select each item above to learn about how to configure them for Azure Identity authentication.
A credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept credentials when they're constructed. The service clients use those credentials to authenticate requests to the service.
The Azure Identity library focuses on OAuth authentication with Azure AD, and it offers various credential classes capable of acquiring an Azure AD token to authenticate service requests. All of the credential classes in this library are implementations of the TokenCredential
abstract class in azure-core, and any of them can be used by to construct service clients capable of authenticating with a TokenCredential
.
See Credential classes for a complete list of available credential classes.
The DefaultAzureCredential
is appropriate for most scenarios where the application is intended to ultimately be run in Azure. This is because the DefaultAzureCredential
combines credentials commonly used to authenticate when deployed, with credentials used to authenticate in a development environment.
Note:
DefaultAzureCredential
is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.
The DefaultAzureCredential
will attempt to authenticate via the following mechanisms in order.
- Environment - The
DefaultAzureCredential
will read account information specified via environment variables and use it to authenticate. - Workload Identity - If the app is deployed on Kubernetes with environment variables set by the workload identity webhook,
DefaultAzureCredential
will authenticate the configured identity. - Managed Identity - If the application is deployed to an Azure host with Managed Identity enabled, the
DefaultAzureCredential
will authenticate with that account. - Azure Developer CLI - If the developer has authenticated an account via the Azure Developer CLI
azd auth login
command, theDefaultAzureCredential
will authenticate with that account. - IntelliJ - If the developer has authenticated via Azure Toolkit for IntelliJ, the
DefaultAzureCredential
will authenticate with that account. - Azure CLI - If the developer has authenticated an account via the Azure CLI
az login
command, theDefaultAzureCredential
will authenticate with that account. - Azure PowerShell - If the developer has authenticated an account via the Azure PowerShell
Connect-AzAccount
command, theDefaultAzureCredential
will authenticate with that account.
Due to a known issue, VisualStudioCodeCredential
has been removed from the DefaultAzureCredential
token chain. When the issue is resolved in a future release, this change will be reverted.
You can find more examples of using various credentials in Azure Identity Examples Wiki page.
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the DefaultAzureCredential
.
/**
* The default credential first checks environment variables for configuration.
* If environment configuration is incomplete, it will try managed identity.
*/
public void createDefaultAzureCredential() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
See more how to configure the DefaultAzureCredential
on your workstation or Azure in Configure DefaultAzureCredential.
To authenticate using user-assigned managed identity, ensure that configuration instructions for your supported Azure resource here have been successfully completed.
The below example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the DefaultAzureCredential
, deployed to an Azure resource with a user-assigned managed identity configured.
See more about how to configure a user-assigned managed identity for an Azure resource in Enable managed identity for Azure resources.
/**
* The default credential will use the user assigned managed identity with the specified client ID.
*/
public void createDefaultAzureCredentialForUserAssignedManagedIdentity() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
In addition to configuring the managedIdentityClientId
via code, it can also be set using the AZURE_CLIENT_ID
environment variable. These two approaches are equivalent when using the DefaultAzureCredential
.
To authenticate using IntelliJ, ensure that configuration instructions here have been successfully completed.
The below example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the DefaultAzureCredential
, on a workstation with IntelliJ IDEA installed, and the user has signed in with an Azure account to the Azure Toolkit for IntelliJ.
See more about how to configure your IntelliJ IDEA in Sign in Azure Toolkit for IntelliJ for IntelliJCredential.
/**
* The default credential will use the KeePass database path to find the user account in IntelliJ on Windows.
*/
public void createDefaultAzureCredentialForIntelliJ() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
// KeePass configuration required only for Windows. No configuration needed for Linux / Mac
.intelliJKeePassDatabasePath("C:\\Users\\user\\AppData\\Roaming\\JetBrains\\IdeaIC2020.1\\c.kdbx")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
The Managed identity authentication is supported via either the DefaultAzureCredential
or the ManagedIdentityCredential
directly for the following Azure Services:
- Azure App Service and Azure Functions
- Azure Arc
- Azure Cloud Shell
- Azure Kubernetes Service
- Azure Service Fabric
- Azure Virtual Machines
- Azure Virtual Machines Scale Sets
Note: Use azure-identity
version 1.7.0
or later to utilize token caching support for managed identity authentication.
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the ManagedIdentityCredential
in a virtual machine, app service, function app, cloud shell, or AKS environment on Azure, with system-assigned or user-assigned managed identity enabled.
See more about how to configure your Azure resource for managed identity in Enable managed identity for Azure resources
/**
* Authenticate with a User Assigned Managed identity.
*/
public void createManagedIdentityCredential() {
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
.clientId("<USER ASSIGNED MANAGED IDENTITY CLIENT ID>") // only required for user assigned
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(managedIdentityCredential)
.buildClient();
}
/**
* Authenticate with a System Assigned Managed identity.
*/
public void createManagedIdentityCredential() {
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(managedIdentityCredential)
.buildClient();
}
While the DefaultAzureCredential
is generally the quickest way to get started developing applications for Azure, more advanced users may want to customize the credentials considered when authenticating. The ChainedTokenCredential
enables users to combine multiple credential instances to define a customized chain of credentials. This example demonstrates creating a ChainedTokenCredential
, which will:
- Attempt to authenticate using managed identity.
- Fall back to authenticating via the Azure CLI if managed identity is unavailable in the current environment.
// Authenticate using managed identity if it is available; otherwise use the Azure CLI to authenticate.
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder().build();
AzureCliCredential cliCredential = new AzureCliCredentialBuilder().build();
ChainedTokenCredential credential = new ChainedTokenCredentialBuilder().addLast(managedIdentityCredential).addLast(cliCredential).build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(credential)
.buildClient();
Credentials default to authenticating to the Azure AD endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the auhtorityHost
argument. AzureAuthorityHosts defines authorities for well-known clouds:
DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()
.authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)
.build();
Not all credentials require this configuration. Credentials that authenticate through a development tool, such as AzureCliCredential
, use that tool's configuration. Similarly, VisualStudioCodeCredential
accepts an authority
argument but defaults to the authority matching VS Code's "Azure: Cloud" setting.
Credential class | Usage | Example |
---|---|---|
DefaultAzureCredential |
provides a simplified authentication experience to quickly start developing applications run in Azure | example |
ChainedTokenCredential |
allows users to define custom authentication flows composing multiple credentials | example |
EnvironmentCredential |
authenticates a service principal or user via credential information specified in environment variables | |
ManagedIdentityCredential |
authenticates the managed identity of an Azure resource | example |
WorkloadIdentityCredential |
supports Azure AD workload identity on Kubernetes | example |
Credential class | Usage | Example | Reference |
---|---|---|---|
ClientAssertionCredential |
authenticates a service principal using a signed client assertion | ||
ClientCertificateCredential |
authenticates a service principal using a certificate | example | Service principal authentication |
ClientSecretCredential |
authenticates a service principal using a secret | example | Service principal authentication |
Credential class | Usage | Example | Reference |
---|---|---|---|
AuthorizationCodeCredential |
authenticate a user with a previously obtained authorization code as part of an Oauth 2 flow | OAuth2 authentication code | |
DeviceCodeCredential |
interactively authenticates a user on devices with limited UI | example | Device code authentication |
InteractiveBrowserCredential |
interactively authenticates a user with the default system browser | example | OAuth2 authentication code |
OnBehalfOfCredential |
propagates the delegated user identity and permissions through the request chain | On-behalf-of authentication | |
UsernamePasswordCredential |
authenticates a user with a username and password without multi-factored auth | example | Username + password authentication |
Credential class | Usage | Example | Reference |
---|---|---|---|
AzureCliCredential |
Authenticate in a development environment with the enabled user or service principal in Azure CLI | example | Azure CLI authentication |
AzureDeveloperCliCredential |
Authenticate in a development environment with the enabled user or service principal in Azure Developer CLI | Azure Developer CLI Reference | |
AzurePowerShellCredential |
Authenticate in a development environment with the enabled user or service principal in Azure PowerShell | example | Azure PowerShell documentation |
IntelliJCredential |
Authenticate in a development environment with the account in Azure Toolkit for IntelliJ | example | IntelliJ authentication |
VisualStudioCodeCredential |
Authenticate in a development environment with the account in Visual Studio Code Azure Account extension. | example | VS Code Azure Account extension |
Note: All credential implementations in the Azure Identity library are threadsafe, and a single credential instance can be used to create multiple service clients.
Credentials can be chained together to be tried in turn until one succeeds using the ChainedTokenCredential
; see chaining credentials for details.
DefaultAzureCredential
and EnvironmentCredential
can be configured with environment variables. Each type of authentication requires values for specific variables:
Variable name | Value |
---|---|
AZURE_CLIENT_ID |
ID of an Azure AD application |
AZURE_TENANT_ID |
ID of the application's Azure AD tenant |
AZURE_CLIENT_SECRET |
one of the application's client secrets |
Variable name | Value |
---|---|
AZURE_CLIENT_ID |
ID of an Azure AD application |
AZURE_TENANT_ID |
ID of the application's Azure AD tenant |
AZURE_CLIENT_CERTIFICATE_PATH |
path to a PFX or PEM-encoded certificate file including private key |
AZURE_CLIENT_CERTIFICATE_PASSWORD |
(optional) password for certificate. The certificate can't be password-protected unless this value is specified. |
Variable name | Value |
---|---|
AZURE_CLIENT_ID |
ID of an Azure AD application |
AZURE_TENANT_ID |
(optional) ID of the application's Azure AD tenant |
AZURE_USERNAME |
a username (usually an email address) |
AZURE_PASSWORD |
that user's password |
Configuration is attempted in the above order. For example, if values for a client secret and certificate are both present, the client secret will be used.
Token caching is a feature provided by the Azure Identity library that allows apps to:
- Cache tokens in memory (default) or on disk (opt-in).
- Improve resilience and performance.
- Reduce the number of requests made to Azure AD to obtain access tokens.
The Azure Identity library offers both in-memory and persistent disk caching. For more details, see the token caching documentation.
Credentials raise exceptions when they fail to authenticate or can't execute authentication. When credentials fail to authenticate, theClientAuthenticationException
is raised. The exception has a message
attribute, which describes why authentication failed. When this exception is raised by ChainedTokenCredential
, the chained execution of underlying list of credentials is stopped.
When credentials can't execute authentication due to one of the underlying resources required by the credential being unavailable on the machine, theCredentialUnavailableException
is raised. The exception has a message
attribute that describes why the credential is unavailable for authentication execution. When this exception is raised by ChainedTokenCredential
, the message collects error messages from each credential in the chain.
See the troubleshooting guide for details on how to diagnose various failure scenarios.
The Java client libraries listed here support authenticating with TokenCredential
and the Azure Identity library. You can learn more about their use, and find additional documentation on use of these client libraries along samples with can be found in the links mentioned here.
The microsoft-graph-sdk also supports authenticating with TokenCredential
and the Azure Identity library.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.