diff --git a/docs/azure/sdk/authentication/system-assigned-managed-identity.md b/docs/azure/sdk/authentication/system-assigned-managed-identity.md index 6aade0f41920a..6cdf2404004b8 100644 --- a/docs/azure/sdk/authentication/system-assigned-managed-identity.md +++ b/docs/azure/sdk/authentication/system-assigned-managed-identity.md @@ -3,7 +3,7 @@ title: Authenticate Azure-hosted .NET apps to Azure resources using a system-ass description: Learn how to authenticate Azure-hosted .NET apps to other Azure services using a system-assigned managed identity. ms.topic: how-to ms.custom: devx-track-dotnet, engagement-fy23, devx-track-azurecli -ms.date: 02/06/2025 +ms.date: 11/10/2025 --- # Authenticate Azure-hosted .NET apps to Azure resources using a system-assigned managed identity diff --git a/docs/azure/sdk/includes/implement-system-assigned-identity.md b/docs/azure/sdk/includes/implement-system-assigned-identity.md index adcb6341d5ee1..725eb2634295f 100644 --- a/docs/azure/sdk/includes/implement-system-assigned-identity.md +++ b/docs/azure/sdk/includes/implement-system-assigned-identity.md @@ -1,6 +1,6 @@ --- ms.topic: include -ms.date: 02/12/2025 +ms.date: 11/10/2025 --- [!INCLUDE [implement-managed-identity-concepts](implement-managed-identity-concepts.md)] 
@@ -30,19 +30,10 @@ Azure services are accessed using specialized client classes from the various Az 1. Include the `Azure.Identity` and `Microsoft.Extensions.Azure` namespaces via `using` directives. 1. Register the Azure service client using the corresponding `Add`-prefixed extension method. -1. Pass an appropriate `TokenCredential` instance to the `UseCredential` method: - - Use `DefaultAzureCredential` when your app is running locally. - - Use `ManagedIdentityCredential` when your app is running in Azure. +1. Use an appropriate `TokenCredential` instance for the environment in which your app is running. When your app is running: + - In Azure, pass an instance of `ManagedIdentityCredential` to the `UseCredential` method. `ManagedIdentityCredential` discovers your managed identity configurations to authenticate to other services automatically. + - On your local development machine, an instance of `DefaultAzureCredential` is created on your behalf. Call `UseCredential` only if you want to [customize `DefaultAzureCredential`](../authentication/credential-chains.md#how-to-customize-defaultazurecredential) or use a different credential. `DefaultAzureCredential` looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. 
:::code language="csharp" source="../snippets/authentication/system-assigned-managed-identity/Program.cs" id="snippet_MIC_UseCredential"::: -An alternative to the `UseCredential` method is to provide the credential to the service client directly: - -:::code language="csharp" source="../snippets/authentication/system-assigned-managed-identity/Program.cs" id="snippet_MIC"::: - --- - -The preceding code behaves differently depending on the environment where it's running: - -- On your local development workstation, `DefaultAzureCredential` looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. -- When deployed to Azure, `ManagedIdentityCredential` discovers your managed identity configurations to authenticate to other services automatically. diff --git a/docs/azure/sdk/includes/implement-user-assigned-identity.md b/docs/azure/sdk/includes/implement-user-assigned-identity.md index b7567a661ad4f..639409a1500b5 100644 --- a/docs/azure/sdk/includes/implement-user-assigned-identity.md +++ b/docs/azure/sdk/includes/implement-user-assigned-identity.md @@ -1,6 +1,6 @@ --- ms.topic: include -ms.date: 02/12/2025 +ms.date: 11/10/2025 --- [!INCLUDE [implement-managed-identity-concepts](implement-managed-identity-concepts.md)] 
@@ -30,9 +30,9 @@ Azure services are accessed using specialized client classes from the various Az 1. Include the `Azure.Identity` and `Microsoft.Extensions.Azure` namespaces via `using` directives. 1. Register the Azure service client using the corresponding `Add`-prefixed extension method. -1. Pass an appropriate `TokenCredential` instance to the `UseCredential` method: - - Use `DefaultAzureCredential` when your app is running locally - - Use `ManagedIdentityCredential` when your app is running in Azure and configure either the client ID, resource ID, or object ID. +1. Use an appropriate `TokenCredential` instance for the environment in which your app is running. When your app is running: + - In Azure, pass an instance of `ManagedIdentityCredential` to the `UseCredential` method and configure either the client ID, resource ID, or object ID. `ManagedIdentityCredential` discovers your managed identity configurations to authenticate to other services automatically. + - On your local development machine, an instance of `DefaultAzureCredential` is created on your behalf. Call `UseCredential` only if you want to [customize `DefaultAzureCredential`](../authentication/credential-chains.md#how-to-customize-defaultazurecredential) or use a different credential. `DefaultAzureCredential` looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. ## [Client ID](#tab/client-id) 
@@ -51,10 +51,6 @@ The client ID is used to identify a managed identity when configuring applicatio :::code language="csharp" source="../snippets/authentication/user-assigned-managed-identity/Program.cs" id="snippet_MIC_ClientId_UseCredential"::: - An alternative to the `UseCredential` method is to provide the credential to the service client directly: - - :::code language="csharp" source="../snippets/authentication/user-assigned-managed-identity/Program.cs" id="snippet_MIC_ClientId"::: - ## [Resource ID](#tab/resource-id) The resource ID uniquely identifies the managed identity resource within your Azure subscription using the following structure: @@ -76,10 +72,6 @@ Resource IDs can be built by convention, which makes them more convenient when w :::code language="csharp" source="../snippets/authentication/user-assigned-managed-identity/Program.cs" id="snippet_MIC_ResourceId_UseCredential"::: - An alternative to the `UseCredential` method is to provide the credential to the service client directly: - - :::code language="csharp" source="../snippets/authentication/user-assigned-managed-identity/Program.cs" id="snippet_MIC_ResourceId"::: - ## [Object ID](#tab/object-id) A principal ID is another name for an object ID. 
@@ -97,13 +89,4 @@ A principal ID is another name for an object ID. :::code language="csharp" source="../snippets/authentication/user-assigned-managed-identity/Program.cs" id="snippet_MIC_ObjectId_UseCredential"::: - An alternative to the `UseCredential` method is to provide the credential to the service client directly: - - :::code language="csharp" source="../snippets/authentication/user-assigned-managed-identity/Program.cs" id="snippet_MIC_ObjectId"::: - --- - -The preceding code behaves differently depending on the environment where it's running: - -- On your local development workstation, `DefaultAzureCredential` looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. -- When deployed to Azure, `ManagedIdentityCredential` discovers your managed identity configurations to authenticate to other services automatically. diff --git a/docs/azure/sdk/snippets/authentication/system-assigned-managed-identity/Program.cs b/docs/azure/sdk/snippets/authentication/system-assigned-managed-identity/Program.cs index 7ee24b5450ab2..f6757d8a5c01b 100644 --- a/docs/azure/sdk/snippets/authentication/system-assigned-managed-identity/Program.cs +++ b/docs/azure/sdk/snippets/authentication/system-assigned-managed-identity/Program.cs @@ -1,7 +1,5 @@ using Azure.Identity; using Microsoft.Extensions.Azure; -using Azure.Storage.Blobs; -using Azure.Core; var builder = WebApplication.CreateBuilder(args); 
@@ -11,42 +9,15 @@ clientBuilder.AddBlobServiceClient( new Uri("https://.blob.core.windows.net")); - TokenCredential credential = null; - - if (builder.Environment.IsProduction()) + if (builder.Environment.IsProduction() || builder.Environment.IsStaging()) { // Managed identity token credential discovered when running in Azure environments - credential = new ManagedIdentityCredential(); - } - else - { - // Running locally on dev machine - DO NOT use in production or outside of local dev - credential = new DefaultAzureCredential(); + ManagedIdentityCredential credential = new(ManagedIdentityId.SystemAssigned); + clientBuilder.UseCredential(credential); } - - clientBuilder.UseCredential(credential); }); #endregion snippet_MIC_UseCredential -#region snippet_MIC -TokenCredential credential = null; - -if (builder.Environment.IsProduction() || builder.Environment.IsStaging()) -{ - // Managed identity token credential discovered when running in Azure environments - credential = new ManagedIdentityCredential(); -} -else -{ - // Running locally on dev machine - DO NOT use in production or outside of local dev - credential = new DefaultAzureCredential(); -} - -builder.Services.AddSingleton(_ => - new BlobServiceClient( - new Uri("https://.blob.core.windows.net"), credential)); -#endregion snippet_MIC - var app = builder.Build(); if (app.Environment.IsDevelopment()) @@ -82,4 +53,4 @@ internal record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary) { public int TemperatureF => 32 + (int)(TemperatureC / 0.5556); -} \ No newline at end of file +} diff --git a/docs/azure/sdk/snippets/authentication/user-assigned-managed-identity/Program.cs b/docs/azure/sdk/snippets/authentication/user-assigned-managed-identity/Program.cs index 3a2211ece4eda..db10a2a61e26b 100644 --- a/docs/azure/sdk/snippets/authentication/user-assigned-managed-identity/Program.cs +++ b/docs/azure/sdk/snippets/authentication/user-assigned-managed-identity/Program.cs 
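Review bot: In system-assigned-managed-identity/Program.cs the guard `if (builder.Environment.IsProduction() || builder.Environment.IsStaging())` fails open: under any other environment name (a custom "QA" or "UAT" host, say) `UseCredential` is never called and the client is built with the implicit `DefaultAzureCredential`, which the removed comment said not to use outside local development. Consider `if (!builder.Environment.IsDevelopment())` so that every non-development host pins `ManagedIdentityCredential`, and add a comment such as `// Development only: UseCredential is not called, so the default DefaultAzureCredential applies`. The same guard appears in registerUsingClientId, registerUsingObjectId and registerUsingResourceId in the user-assigned Program.cs, where the fallback would presumably also not use the identity ID configured in code. The enclosing registration lambda starts outside the hunk.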
@@ -1,6 +1,5 @@ using Azure.Identity; using Microsoft.Extensions.Azure; -using Azure.Storage.Blobs; using Azure.Core; var builder = WebApplication.CreateBuilder(args); @@ -50,43 +49,15 @@ void registerUsingClientId(WebApplicationBuilder builder) clientBuilder.AddBlobServiceClient( new Uri("https://.blob.core.windows.net")); - TokenCredential credential = null; - if (builder.Environment.IsProduction() || builder.Environment.IsStaging()) { // Managed identity token credential discovered when running in Azure environments - credential = new ManagedIdentityCredential( + ManagedIdentityCredential credential = new( ManagedIdentityId.FromUserAssignedClientId("")); + clientBuilder.UseCredential(credential); } - else - { - // Running locally on dev machine - DO NOT use in production or outside of local dev - credential = new DefaultAzureCredential(); - } - - clientBuilder.UseCredential(credential); }); #endregion snippet_MIC_ClientId_UseCredential - - #region snippet_MIC_ClientId - TokenCredential credential = null; - - if (builder.Environment.IsProduction() || builder.Environment.IsStaging()) - { - // Managed identity token credential discovered when running in Azure environments - credential = new ManagedIdentityCredential( - ManagedIdentityId.FromUserAssignedClientId("")); - } - else - { - // Running locally on dev machine - DO NOT use in production or outside of local dev - credential = new DefaultAzureCredential(); - } - - builder.Services.AddSingleton(_ => - new BlobServiceClient( - new Uri("https://.blob.core.windows.net"), credential)); - #endregion snippet_MIC_ClientId } void registerUsingObjectId(WebApplicationBuilder builder) 
@@ -97,43 +68,15 @@ void registerUsingObjectId(WebApplicationBuilder builder) clientBuilder.AddBlobServiceClient( new Uri("https://.blob.core.windows.net")); - TokenCredential credential = null; - if (builder.Environment.IsProduction() || builder.Environment.IsStaging()) { // Managed identity token credential discovered when running in Azure environments - credential = new ManagedIdentityCredential( + ManagedIdentityCredential credential = new( ManagedIdentityId.FromUserAssignedObjectId("")); + clientBuilder.UseCredential(credential); } - else - { - // Running locally on dev machine - DO NOT use in production or outside of local dev - credential = new DefaultAzureCredential(); - } - - clientBuilder.UseCredential(credential); }); #endregion snippet_MIC_ObjectId_UseCredential - - #region snippet_MIC_ObjectId - TokenCredential credential = null; - - if (builder.Environment.IsProduction() || builder.Environment.IsStaging()) - { - // Managed identity token credential discovered when running in Azure environments - credential = new ManagedIdentityCredential( - ManagedIdentityId.FromUserAssignedObjectId("")); - } - else - { - // Running locally on dev machine - DO NOT use in production or outside of local dev - credential = new DefaultAzureCredential(); - } - - builder.Services.AddSingleton(_ => - new BlobServiceClient( - new Uri("https://.blob.core.windows.net"), credential)); - #endregion snippet_MIC_ObjectId } 
@@ -145,46 +88,18 @@ void registerUsingResourceId(WebApplicationBuilder builder) clientBuilder.AddBlobServiceClient( new Uri("https://.blob.core.windows.net")); - TokenCredential credential = null; - if (builder.Environment.IsProduction() || builder.Environment.IsStaging()) { // Managed identity token credential discovered when running in Azure environments - credential = new ManagedIdentityCredential( + ManagedIdentityCredential credential = new( ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(""))); + clientBuilder.UseCredential(credential); } - else - { - // Running locally on dev machine - DO NOT use in production or outside of local dev - credential = new DefaultAzureCredential(); - } - - clientBuilder.UseCredential(credential); }); #endregion snippet_MIC_ResourceId_UseCredential - - #region snippet_MIC_ResourceId - TokenCredential credential = null; - - if (builder.Environment.IsProduction() || builder.Environment.IsStaging()) - { - // Managed identity token credential discovered when running in Azure environments - credential = new ManagedIdentityCredential( - ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(""))); - } - else - { - // Running locally on dev machine - DO NOT use in production or outside of local dev - credential = new DefaultAzureCredential(); - } - - builder.Services.AddSingleton(_ => - new BlobServiceClient( - new Uri("https://.blob.core.windows.net"), credential)); - #endregion snippet_MIC_ResourceId } internal record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary) { public int TemperatureF => 32 + (int)(TemperatureC / 0.5556); -} \ No newline at end of file +}