- Fixed `AZURE_REGIONAL_AUTHORITY_NAME` support in `ClientCertificateCredential` #29112
- Fixed regression in `SharedTokenCacheCredential` default behavior #28029
- Fixed legacy PowerShell discovery failures #28030 (A community contribution, courtesy of nerddtvg)
- Documentation improvements to `TokenCacheRefreshArgs` and `EnvironmentCredential` (Community contributions, courtesy of pmaytak and goenning)
Thank you to our developer community members who helped to make Azure Identity better with their contributions to this release:
- Added a new property under the `Diagnostics` options available on `TokenCredentialOptions` and all sub-types. If set to `true`, we try to log the account identifiers by parsing the received access token. The account identifiers we try to log are the:
  - Application or Client Identifier
  - User Principal Name
  - Tenant Identifier
  - Object Identifier of the authenticated user or app
- `ManagedIdentityCredential` now attempts to use the newest "2019-08-01" api version for App Service Managed Identity sources. The newer API version will be used if the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables are set.
- Fixed an issue where the x5c header is not sent for `OnBehalfOfCredential` when the `SendCertificateChain` option is set. #27679
- `EnvironmentCredential` now supports certificate subject name / issuer based authentication with the `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` environment variable (A community contribution, courtesy of trevorlacey-msft).
- `ManagedIdentityCredential` now supports accepting a `ResourceIdentifier` argument to specify a User Assigned Managed Identity by resource Id rather than client Id. `DefaultAzureCredential` also supports this via the `ManagedIdentityResourceId` property of `DefaultAzureCredentialOptions`.
- Added `ClientAssertionCredential` for authenticating service principals with a presigned client assertion.
- Fixed `AuthenticationFailedException` from `AzurePowerShellCredential` when not logged in on non-Windows platforms #23498
- Fixed `ManagedIdentityCredential` response parsing to handle non-JSON responses #24158
- Upgraded MSAL dependency to version 4.39.0
Thank you to our developer community members who helped to make Azure Identity better with their contributions to this release:
- Trevor Lacey (GitHub)
- The `AllowMultiTenantAuthentication` option has been removed and the default behavior is now as if it were true. The multi-tenant discovery feature can be totally disabled by either setting an `AppContext` switch named "Azure.Identity.DisableTenantDiscovery" to `true` or by setting the environment variable "AZURE_IDENTITY_DISABLE_MULTITENANTAUTH" to "true".
- Removed the `IsPIILoggingEnabled` property from `TokenCredentialOptions`; similar functionality is planned to be added to `TokenCredentialOptions.Diagnostics` in a later release.
- Removed `RegionalAuthority` from `ClientCertificateCredentialOptions` and `ClientSecretCredentialOptions`, along with the `RegionalAuthority` type. This feature will stay in preview, and these APIs will be added back in `1.6.0-beta.1`.
- Renamed struct `TokenCacheDetails` to `TokenCacheData`.
- Renamed class `TokenCacheNotificationDetails` to `TokenCacheRefreshArgs`.
- Updated `CacheBytes` property on `TokenCacheData` to be readonly and a required constructor parameter.
- Fixed issue with `AuthorizationCodeCredential` not specifying correct redirectUrl (Issue #24183)
- Updated error messages to include links to the Azure.Identity troubleshooting guide.
- `DefaultAzureCredentialOptions` now has an `InteractiveBrowserClientId` property which allows passing a ClientId value to the `InteractiveBrowserCredential` when constructing a `DefaultAzureCredential`.
- Implemented `OnBehalfOfCredential`, which enables authentication to Azure Active Directory using an On-Behalf-Of flow.
- Added support to `ManagedIdentityCredential` for Azure hosts using federated token exchange for managed identity.
- Refactored IMDS discovery to remove socket probing and caching of failures to improve `ManagedIdentityCredential` resiliency. #23028
- Updated `UsernamePasswordCredential` to use cached tokens when available #23324
- Updated credentials using `MsalConfidentialClient` to include MSAL log output in logs
- Added additional logging to `AzureCliCredential`, `AzurePowerShellCredential`, `VisualStudioCredential`, and `VisualStudioCodeCredential` when `IsPIILoggingEnabled` is set to true.
Thank you to our developer community members who helped to make Azure Identity better with their contributions to this release:
- Tomas Pajurek (tpajurek-dtml)
- A new trace event is now logged when `DefaultAzureCredential` selects a credential during initialization.
- Added `AzureApplicationCredential`
- Added `IsPIILoggingEnabled` property to `TokenCredentialOptions`, which controls whether MSAL PII logging is enabled, and other sensitive credential related logging content.
- Renamed `AZURE_POD_IDENTITY_TOKEN_URL` to `AZURE_POD_IDENTITY_AUTHORITY_HOST`. The value should now be a host, for example "http://169.254.169.254" (the default).
- Stopped loading `$PROFILE` and checking for updates when using `AzurePowerShellCredential`.
- Fixed unrecognized argument issue in `AzureCliCredential` when specifying the `TenantId` option. #23158 (A community contribution, courtesy of tomas-pajurek).
- Handled an additional error scenario for `AzureCliCredential` that prompts developers to run `az login` when needed. #21758
- Fixed an issue in `EnvironmentCredential` where the supplied `options` were not getting properly applied. #22787
- Fixed DateTime parsing to use the current culture in `AzurePowerShellCredential`. #22638
- Fixed issue resulting in duplicate event source names when executing in Azure Functions
- Added regional STS support to client credential types
  - Added `RegionalAuthority` extensible enum
  - Added `RegionalAuthority` property to `ClientSecretCredentialOptions` and `ClientCertificateCredentialOptions`
- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
- TenantId values returned from service challenge responses can now be used to request tokens from the correct tenantId. To support this feature, there is a new `AllowMultiTenantAuthentication` option on `TokenCredentialOptions`.
  - By default, `AllowMultiTenantAuthentication` is false. When this option property is false and the tenant Id configured in the credential options differs from the tenant Id set in the `TokenRequestContext` sent to a credential, an `AuthorizationFailedException` will be thrown. This is a potentially breaking change as it could be a different exception than what was thrown previously. This exception behavior can be overridden by either setting an `AppContext` switch named "Azure.Identity.EnableLegacyTenantSelection" to `true` or by setting the environment variable "AZURE_IDENTITY_ENABLE_LEGACY_TENANT_SELECTION" to "true". Note: AppContext switches can also be configured via configuration like below:

    ```xml
    <ItemGroup>
      <RuntimeHostConfigurationOption Include="Azure.Identity.EnableLegacyTenantSelection" Value="true" />
    </ItemGroup>
    ```
- Added `OnBehalfOfFlowCredential` which enables support for AAD On-Behalf-Of (OBO) flow. See the Azure Active Directory documentation to learn more about OBO flow scenarios.
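The tenant selection rule described above, as an added example (not code from the Azure.Identity changelog or SDK): it assumes Azure.Identity 1.4.0-beta.1 together with an Azure.Core that exposes the `tenantId` parameter on `TokenRequestContext`, uses placeholder tenant and client ids, and assumes the cross-tenant refusal surfaces as `AuthenticationFailedException`.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added example; not code from the Azure.Identity changelog or SDK.
// Tenant and application ids below are constructed placeholders.
public static class TenantSelectionDemo
{
    const string ConfiguredTenant = "11111111-1111-1111-1111-111111111111"; // placeholder
    const string ChallengeTenant  = "22222222-2222-2222-2222-222222222222"; // placeholder

    public static async Task<AccessToken> GetTokenForChallengedTenantAsync(
        bool allowMultiTenant, CancellationToken cancellationToken)
    {
        var options = new ClientSecretCredentialOptions
        {
            // Default is false: a request for a tenant other than ConfiguredTenant
            // fails instead of silently acquiring a token in that other tenant.
            AllowMultiTenantAuthentication = allowMultiTenant,
        };

        var credential = new ClientSecretCredential(
            ConfiguredTenant,
            "<client-id>",      // placeholder
            "<client-secret>",  // placeholder; load from a secret store in real code
            options);

        // A service challenge response reported ChallengeTenant; Azure SDK clients
        // forward that tenant id to the credential on the TokenRequestContext.
        var context = new TokenRequestContext(
            scopes: new[] { "https://management.azure.com/.default" },
            tenantId: ChallengeTenant);

        return await credential.GetTokenAsync(context, cancellationToken);
    }

    public static async Task Main()
    {
        try
        {
            // With the default (false) this throws: the configured and requested
            // tenants differ, so the credential refuses to cross tenants.
            await GetTokenForChallengedTenantAsync(allowMultiTenant: false, CancellationToken.None);
        }
        catch (AuthenticationFailedException ex) // assumed exception type for the refusal
        {
            Console.WriteLine($"Cross-tenant request rejected: {ex.Message}");
        }

        // Opting in per credential is the explicit, auditable way to allow it.
        AccessToken token = await GetTokenForChallengedTenantAsync(allowMultiTenant: true, CancellationToken.None);
        Console.WriteLine($"Token for {ChallengeTenant} expires {token.ExpiresOn:u}");

        // Process-wide opt-out that restores the previous tenant selection; equivalent
        // to the RuntimeHostConfigurationOption above. It must be set before any
        // credential is created and applies to every credential in the process.
        // AppContext.SetSwitch("Azure.Identity.EnableLegacyTenantSelection", true);
    }
}
```

The per-credential opt-in keeps the decision next to the credential that needs it, whereas the AppContext switch and environment variable widen it to the whole process, which is harder to spot in review.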
- Added `LoginHint` property to `InteractiveBrowserCredentialOptions` which allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
- Added `AuthorizationCodeCredentialOptions` which allows for configuration of a ReplyUri.
- By default, the MSAL Public Client Client Capabilities are populated with "CP1" to enable support for Continuous Access Evaluation (CAE). This indicates to AAD that your application is CAE ready and can handle the CAE claim challenge. This capability can be disabled, if necessary, by either setting an `AppContext` switch named "Azure.Identity.DisableCP1" to `true` or by setting the environment variable "AZURE_IDENTITY_DISABLE_CP1" to "true". Note: AppContext switches can also be configured via configuration like below:

  ```xml
  <ItemGroup>
    <RuntimeHostConfigurationOption Include="Azure.Identity.DisableCP1" Value="true" />
  </ItemGroup>
  ```
- The Microsoft Authentication Library (MSAL) dependency versions have been updated to the latest
- Microsoft.Identity.Client version 4.30.1, Microsoft.Identity.Client.Extensions.Msal version 2.18.4.
Thank you to our developer community members who helped to make Azure Identity better with their contributions to this release:
- Marco Mansi (GitHub)
- Added `AzurePowerShellCredential` to `DefaultAzureCredential` (A community contribution, courtesy of olandese)
- When logging is enabled, the log output from Microsoft Authentication Library (MSAL) is also logged.
- Fixed an issue where an account credential fails to load from the cache when EnableGuestTenantAuthentication is true and the account found in the cache has multiple matching tenantIds (#18276).
- Fixed deadlock issue in `InteractiveBrowserCredential` when running in a UI application (#18418).
- The `TokenCache` class is removed from the public API surface and has been replaced by `TokenCachePersistenceOptions` for configuration of disk based persistence of the token cache.
- Added the `[Serializable]` attribute to all custom exception types.
- Updated the default value of `ExcludeSharedTokenCacheCredential` on `DefaultAzureCredentialsOptions` to true, to exclude the `SharedTokenCacheCredential` from the `DefaultAzureCredential` by default. See BREAKING_CHANGES.md
- The `IDisposable` interface has been removed from `TokenCache`.
- All credentials added support to handle the `Claims` property on `TokenRequestContext`
- Fixed issue in `HttpExtensions` causing the omission of content headers on requests (#17448)
- Made `EnvironmentCredential` account for both null and empty string when checking for the presence of the environment variables (#18031)
- Added support for Service Fabric managed identity authentication to `ManagedIdentityCredential`.
- Added support for Azure Arc managed identity authentication to `ManagedIdentityCredential`.
- Fix race condition in `ProcessRunner` causing `VisualStudioCredential` and `AzureCliCredential` to fail intermittently (#16211)
- Fix `VisualStudioCodeCredential` to raise `CredentialUnavailableException` when reading from VS Code's stored secret (#16795)
- Prevent `VisualStudioCodeCredential` using invalid authentication data when no user is signed in to Visual Studio Code (#15870)
- Fix deadlock in `ProcessRunner` causing `AzureCliCredential` and `VisualStudioCredential` to fail due to timeout (#14691, #14207)
- Fix issue with `AzureCliCredential` incorrectly parsing the expires on property returned from `az account get-access-token` (#15801)
- Fix issue causing `DeviceCodeCredential` and `InteractiveBrowserCredential` to improperly authenticate to the home tenant for silent authentication calls after initial authentication (#13801)
- Fix cache loading issue in `SharedTokenCacheCredential` on Linux (#12939)
- Rename property `IncludeX5CClaimHeader` on `ClientCertificateCredentialOptions` to `SendCertificateChain`
- Removing Application Authentication APIs for GA release. These will be reintroduced in 1.4.0-beta.1.
  - Removed class `AuthenticationRecord`
  - Removed class `AuthenticationRequiredException`
  - Removed class `ClientSecretCredentialOptions` and `ClientSecretCredential` constructor overloads accepting this type
  - Removed class `UsernamePasswordCredentialOptions` and `UsernamePasswordCredential` constructor overloads accepting this type
  - Removed properties `EnablePersistentCache` and `AllowUnprotectedCache` from `ClientCertificateCredentialOptions`, `DeviceCodeCredentialOptions` and `InteractiveBrowserCredentialOptions`
  - Removed properties `AuthenticationRecord` and `DisableAutomaticAuthentication` from `DeviceCodeCredentialOptions` and `InteractiveBrowserCredentialOptions`
  - Removed properties `AllowUnencryptedCache` and `AuthenticationRecord` from `SharedTokenCacheCredentialOptions`
  - Removed methods `Authenticate` and `AuthenticateAsync` from `DeviceCodeCredential`, `InteractiveBrowserCredential` and `UsernamePasswordCredential`
- Redesigned Application Authentication APIs
  - Adds `TokenCache` and `TokenCache` classes to give more user control over how the tokens are cached and how the cache is persisted.
  - Adds `TokenCache` property to options for credentials supporting token cache configuration.
- Update `DeviceCodeCredential` to output device code information and authentication instructions in the console, in the case no `deviceCodeCallback` is specified.
  - Added `DeviceCodeCallback` to `DeviceCodeCredentialOptions`
  - Added default constructor to `DeviceCodeCredential`
- Replaced `DeviceCodeCredential` constructor overload taking `deviceCodeCallback` and `DeviceCodeCredentialOptions` with constructor taking only `DeviceCodeCredentialOptions`
- Restoring Application Authentication APIs from 1.2.0-preview.6
- Added support for App Service Managed Identity API version `2019-08-01` (#13687)
- Added `IncludeX5CClaimHeader` to `ClientCertificateCredentialOptions` to enable subject name / issuer authentication with the `ClientCertificateCredential`.
- Added `RedirectUri` to `InteractiveBrowserCredentialOptions` to enable authentication with user specified application with a custom redirect url.
- Added `IdentityModelFactory` to enable constructing models from the Azure.Identity library for mocking.
- Unify exception handling between `DefaultAzureCredential` and `ChainedTokenCredential` (#14408)
- Updated `MsalPublicClient` and `MsalConfidentialClient` to respect `CancellationToken` during initialization (#13201)
- Fixed `VisualStudioCodeCredential` crashes on macOS (Issue #14362)
- Fixed issue with non GUID Client Ids (Issue #14585)
- Update `VisualStudioCredential` and `VisualStudioCodeCredential` to throw `CredentialUnavailableException` for ADFS tenant (Issue #14639)
- Fixed issue with `DefaultAzureCredential` incorrectly catching `AuthenticationFailedException` (Issue #14974)
- Fixed issue with `DefaultAzureCredential` throwing exceptions during concurrent calls (Issue #15013)
- Fixed issue with `InteractiveBrowserCredential` not specifying correct redirectUrl (Issue #13940)
- Bug in `TaskExtensions.EnsureCompleted` method that causes it to unconditionally throw an exception in the environments with synchronization context
- Removing Application Authentication APIs for GA release. These will be reintroduced in 1.3.0-preview.
  - Removed class `AuthenticationRecord`
  - Removed class `AuthenticationRequiredException`
  - Removed class `ClientCertificateCredentialOptions` and `ClientCertificateCredential` constructor overloads accepting this type
  - Removed class `ClientSecretCredentialOptions` and `ClientSecretCredential` constructor overloads accepting this type
  - Removed class `DeviceCodeCredentialOptions` and `DeviceCodeCredential` constructor overloads accepting this type
  - Removed class `InteractiveBrowserCredentialOptions` and `InteractiveBrowserCredential` constructor overloads accepting this type
  - Removed class `UsernamePasswordCredentialOptions` and `UsernamePasswordCredential` constructor overloads accepting this type
  - Removed methods `Authenticate` and `AuthenticateAsync` from `DeviceCodeCredential`
  - Removed methods `Authenticate` and `AuthenticateAsync` from `InteractiveBrowserCredential`
  - Removed methods `Authenticate` and `AuthenticateAsync` from `UsernamePasswordCredential`
  - Removed properties `AllowUnencryptedCache` and `AuthenticationRecord` from `SharedTokenCacheCredentialOptions`
- Fixed excess errors in `DefaultAzureCredential` tracing (Issue #10659)
- Fixed concurrency issue in `DefaultAzureCredential` (Issue #13044)
- Added the read only property `ClientId` to `AuthenticationRecord`.
- Added the property `AllowUnencryptedCache` to the option classes `ClientCertificateCredentialOptions`, `ClientSecretCredentialOptions`, `DeviceCodeCredentialOptions`, `InteractiveBrowserCredentialOptions` and `SharedTokenCacheCredentialOptions` which, when set to true, allows the credential to fall back to storing tokens in an unencrypted file if no OS level user encryption is available when `EnablePersistentCache` is set to true.
- Added the property `AuthenticationRecord` to the option class `SharedTokenCacheCredentialOptions` to support silent authentication for accounts previously authenticated with an interactive credential.
- Added option class `UsernamePasswordCredentialOptions` which supports the options `EnablePersistentCache` and `AllowUnencryptedCache`.
- Rename type `KnownAuthorityHosts` to `AzureAuthorityHosts`
  - Rename property `AzureChinaCloud` to `AzureChina`
  - Rename property `AzureGermanCloud` to `AzureGermany`
  - Rename property `AzureUSGovernment` to `AzureGovernment`
  - Rename property `AzureCloud` to `AzurePublicCloud`
- Added options classes `ClientCertificateCredentialOptions` and `ClientSecretCredentialOptions` which support the following new option
  - `EnablePersistentCache` configures these credentials to use a persistent cache shared between credentials which set this option. By default the cache is per credential and in memory only.
- Makes `AzureCliCredential`, `VisualStudioCredential` and `VisualStudioCodeCredential` public to allow direct usage.
- Added `Authenticate` methods to `UsernamePasswordCredential`
- Fix `SharedTokenCacheCredential` account filter to be case-insensitive (Issue #10816)
- Update `VisualStudioCodeCredential` to properly throw `CredentialUnavailableException` when re-authentication is needed. (Issue #11595)
- First preview of new API for authenticating users with `DeviceCodeCredential` and `InteractiveBrowserCredential`
  - Added method `Authenticate` which pro-actively interacts with the user to authenticate if necessary and returns a serializable `AuthenticationRecord`
  - Added Options classes `DeviceCodeCredentialOptions` and `InteractiveBrowserCredentialOptions` which support the following new options
    - `AuthenticationRecord` enables initializing a credential with an `AuthenticationRecord` returned from a prior call to `Authenticate`
    - `DisableAutomaticAuthentication` disables automatic user interaction causing the credential to throw an `AuthenticationRequiredException` when interactive authentication is necessary.
    - `EnablePersistentCache` configures these credentials to use a persistent cache shared between credentials which set this option. By default the cache is per credential and in memory only.
- Updates `DefaultAzureCredential` to enable authenticating through Visual Studio
- Updates `DefaultAzureCredential` to enable authentication through Visual Studio Code
- Updating `DefaultAzureCredential` to enable authenticating through the Azure CLI
- `ClientCertificateCredential` now supports being constructed with a path to an unencrypted certificate (in either PFX or PEM format)
- `EnvironmentCredential` now supports reading a certificate path from `AZURE_CLIENT_CERTIFICATE_PATH`
- Fix an issue where `EnvironmentCredential` did not behave correctly when `AZURE_USERNAME` and `AZURE_PASSWORD` were set
- Added `KnownAuthorityHosts` class to aid in sovereign cloud configuration.
- Fixed `UsernamePasswordCredential` constructor parameter mishandling
- Updated `ManagedIdentityCredential` endpoint discovery to avoid throwing
- Fixed `ManagedIdentityCredential` to raise `CredentialUnavailableException` on 400 return from the service where no identity has been assigned
- Updated error messaging from `DefaultAzureCredential` to more easily root cause failures
- Update `SharedTokenCacheCredential` to filter accounts by tenant id
  - Added `SharedTokenCacheCredentialOptions` class with properties `TenantId` and `Username`
  - Added constructor overload to `SharedTokenCacheCredential` which accepts `SharedTokenCacheCredentialOptions`
  - Added property `SharedTokenCacheTenantId` to `DefaultAzureCredentialOptions`
- Support for personal account authentication in `DefaultAzureCredential`, `InteractiveBrowserCredential`, and `SharedTokenCacheCredential`
- Added `InteractiveBrowserTenantId` to `DefaultAzureCredentialOptions`
- Fixed issue with `ManagedIdentityCredential` authentication with user assigned identities
- First stable release of Azure.Identity package.
- Rename `AzureCredentialOptions` -> `TokenCredentialOptions`
  - Renamed property `VerificationUrl` -> `VerificationUri` and changed type from `string` to `Uri`
- Updated `ClientSecretCredential` class
  - Removed property `ClientId`
  - Removed property `ClientSecret`
  - Removed property `TenantId`
- Updated `ClientCertificateCredential` class
  - Removed property `ClientId`
  - Removed property `ClientCertificate`
  - Removed property `TenantId`
- Updated `DefaultAzureCredential` class to derive directly from `TokenCredential` rather than `ChainedTokenCredential`
- Updated `DefaultAzureCredentialOptions` class
  - Renamed property `PreferredAccountUsername` -> `SharedTokenCacheUsername`
  - Renamed property `IncludeEnvironmentCredential` -> `ExcludeEnvironmentCredential`
  - Renamed property `IncludeManagedIdentityCredential` -> `ExcludeManagedIdentityCredential`
  - Renamed property `IncludeSharedTokenCacheCredential` -> `ExcludeSharedTokenCacheCredential`
  - Renamed property `IncludeInteractiveBrowserCredential` -> `ExcludeInteractiveBrowserCredential`
- Updated `DeviceCodeInfo` class
  - Removed property `Interval`
  - Renamed property `VerificationUrl` -> `VerificationUri` and changed type from `string` to `Uri`
- Updated `InteractiveBrowserCredential` class
  - Reordered constructor parameters `tenantId` and `clientId` to be consistent with other credential types
- Updated `SharedTokenCacheCredential` class
  - Updated constructor to take `TokenCredentialOptions`
  - Removed `clientId` constructor parameter
- Removed class `SharedTokenCacheCredentialOptions`
- Updated exception model across the Azure.Identity library.
  - `TokenCredential` implementations in the Azure.Identity library now throw exceptions rather than returning `default(AccessToken)` when no token is obtained
  - Added the `CredentialUnavailableException` exception type to distinguish cases when failure to obtain an `AccessToken` was expected
- Adopted Azure.Core 1.0.0
- Update `ManagedIdentityCredential` IMDS availability check to handle immediate network failures
- Added a `DefaultAzureCredential` constructor overload to enable interactive credential types by default
- Adopted Azure.Core 1.0.0-preview.9
- Added `DefaultAzureCredentialOptions` for configuring the `DefaultAzureCredential` authentication flow
- Added `InteractiveBrowserCredential` to the `DefaultAzureCredential` authentication flow, but excluded by default
- Updated `InteractiveBrowserCredential` and `DeviceCodeCredential` to optionally accept a tenantId to support non-multitenant applications
- Modified GetToken abstraction to accept `TokenRequest` structure rather than `string[]` for forwards compatibility
- Adopted Azure.Core 1.0.0-preview.8
- Added `SharedTokenCacheCredential` to support Single Sign On with developer tooling
- Updated `DefaultAzureCredential` authentication flow to include the `SharedTokenCacheCredential`
- Adopted Azure.Core 1.0.0-preview.7
- Adopted Microsoft.Identity.Client 4.1.0
- User Principal Authentication
  - Added `DeviceCodeCredential` class
  - Added `InteractiveBrowserCredential` class
  - Added `UsernamePasswordCredential` class
- Support for Azure SDK ASP .NET Core integration
- Added identity client distributed tracing support
- Fix to `ManagedIdentityCredential` to properly parse `expires_on` from response
Version 1.0.0-preview.1 is the first preview of our efforts to create a user-friendly authentication API for Azure SDK client libraries. For more information about preview releases of other Azure SDK libraries, please visit https://aka.ms/azure-sdk-preview1-net.
- Azure Service Authentication
  - Added `DefaultAzureCredential` class
  - Added `ChainedTokenCredential` class
- Service Principal Authentication
  - Added `ClientSecretCredential` class
  - Added `ClientCertificateCredential` class
- Managed Identity Authentication
  - Added `ManagedIdentityCredential` class
See the documentation for more details. User authentication will be added in an upcoming preview release.