Credentials for Azure SDK clients.
Interactive authentication is required to acquire a token.
This error is raised only by interactive user credentials configured not to automatically prompt for user interaction as needed. Its properties provide additional information that may be required to authenticate. The control_interactive_prompts sample demonstrates handling this error by calling a credential's "authenticate" method.
Exception.add_note(note) – add a note to the exception
Raise the exception with the existing traceback.
Deprecated since version 1.22.0: This method is deprecated as we don't support Python 2 anymore. Use raise/from instead.
Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.
Additional claims required in the next authentication.
Additional claims required in the next authentication, or None if no additional claims are required.
str or None
The credential did not attempt to authenticate because required data or state is unavailable.
Exception.add_note(note) – add a note to the exception
Raise the exception with the existing traceback.
Deprecated since version 1.22.0: This method is deprecated as we don't support Python 2 anymore. Use raise/from instead.
Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.
Non-secret account information for an authenticated user
This class enables DeviceCodeCredential and InteractiveBrowserCredential to access previously cached authentication data. Applications shouldn't construct instances of this class. They should instead acquire one from a credential's authenticate method, such as InteractiveBrowserCredential.authenticate(). See the user_authentication sample for more details.
tenant_id (str) – The tenant the account should authenticate in.
client_id (str) – The client ID of the application which performed the original authentication.
authority (str) – The authority host used to authenticate the account.
home_account_id (str) – A unique identifier of the account.
username (str) – The user principal or service principal name of the account.
Deserialize a record.
data (str) – A serialized record.
The deserialized record.
Serialize the record.
The serialized record.
The authority host used to authenticate the account.
The client ID of the application which performed the original authentication.
A unique identifier of the account.
The tenant the account should authenticate in.
The user principal or service principal name of the account.
Authenticates by redeeming an authorization code previously obtained from Microsoft Entra ID.
See Microsoft Entra ID documentation for more information about the authentication flow.
tenant_id (str) – ID of the application's Microsoft Entra tenant. Also called its "directory" ID.
client_id (str) – The application's client ID
authorization_code (str) – The authorization code from the user's log-in
redirect_uri (str) – The application's redirect URI. Must match the URI used to request the authorization code.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
client_secret (str) – One of the application's client secrets. Required only for web apps and web APIs.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
Example:
Create an AuthorizationCodeCredential.

```python
from azure.identity import AuthorizationCodeCredential

credential = AuthorizationCodeCredential(
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    authorization_code="<auth_code>",
    redirect_uri="<redirect_uri>",
)
```

Close the credential's transport session.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
An access token with the desired scopes.
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason. Any error response from Microsoft Entra ID is available as the error's response attribute.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason. Any error response from Microsoft Entra ID is available as the error's response attribute.
Constants for Microsoft Entra ID authority hosts. These are used to construct authority URLs for various Azure environments.
Authenticates by requesting a token from the Azure CLI.
This requires previously logging in to Azure via "az login", and will use the CLI's currently logged in identity.
tenant_id (str) – Optional tenant to include in the token request.
subscription (str) – The name or ID of a subscription. Set this to acquire tokens for an account other than the Azure CLI's current account.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
process_timeout (int) – Seconds to wait for the Azure CLI process to respond. Defaults to 10 seconds.
Example:
Create an AzureCliCredential.

```python
from azure.identity import AzureCliCredential

credential = AzureCliCredential()
```
Calling this method is unnecessary.
Request an access token for scopes.
This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn't cache the tokens it acquires.
scopes (str) – desired scope for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
An access token with the desired scopes.
CredentialUnavailableError – the credential was unable to invoke the Azure CLI.
ClientAuthenticationError – the credential invoked the Azure CLI but didn't receive an access token.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn't cache the tokens it acquires.
scopes (str) – desired scopes for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential was unable to invoke the Azure CLI.
ClientAuthenticationError – the credential invoked the Azure CLI but didn't receive an access token.
Authenticates by requesting a token from the Azure Developer CLI.
Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific to Azure developers. It allows users to authenticate as a user and/or a service principal against Microsoft Entra ID. The AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of the logged-in user or service principal in Azure Developer CLI. It acts as the Azure Developer CLI logged-in user or service principal and executes an Azure CLI command underneath to authenticate the application against Microsoft Entra ID.
To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the commands below:
Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.
Run "azd auth login --client-id 'client_id' --client-secret 'client_secret' --tenant-id 'tenant_id'" to authenticate as a service principal.
You may need to repeat this process after a certain time period, depending on the refresh token validity in your organization. Generally, the refresh token validity period is a few weeks to a few months. AzureDeveloperCliCredential will prompt you to sign in again.
tenant_id (str) – Optional tenant to include in the token request.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
process_timeout (int) – Seconds to wait for the Azure Developer CLI process to respond. Defaults to 10 seconds.
Example:
Create an AzureDeveloperCliCredential.

```python
from azure.identity import AzureDeveloperCliCredential

credential = AzureDeveloperCliCredential()
```
Calling this method is unnecessary.
Request an access token for scopes.
This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn't cache the tokens it acquires.
scopes (str) – desired scope for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
An access token with the desired scopes.
CredentialUnavailableError – the credential was unable to invoke the Azure Developer CLI.
ClientAuthenticationError – the credential invoked the Azure Developer CLI but didn't receive an access token.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn't cache the tokens it acquires.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential was unable to invoke the Azure Developer CLI.
ClientAuthenticationError – the credential invoked the Azure Developer CLI but didn't receive an access token.
Authenticates using Microsoft Entra Workload ID in Azure Pipelines.
This credential enables authentication in Azure Pipelines using workload identity federation for Azure service connections.
tenant_id (str) – The tenant ID for the service connection. Required.
client_id (str) – The client ID for the service connection. Required.
service_connection_id (str) – The service connection ID for the service connection associated with the pipeline. From the service connection's configuration page URL in the Azure DevOps web portal, the ID is the value of the "resourceId" query parameter. Required.
system_access_token (str) – The pipeline's System.AccessToken value. It is recommended to assign the value of System.AccessToken to a secure variable in the Azure Pipelines environment. See https://learn.microsoft.com/azure/devops/pipelines/build/variables#systemaccesstoken for more info. Required.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
Example:
Create an AzurePipelinesCredential.

```python
import os

from azure.identity import AzurePipelinesCredential

credential = AzurePipelinesCredential(
    system_access_token=os.environ["SYSTEM_ACCESSTOKEN"],
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    service_connection_id="<service_connection_id>",
)
```

Close the credential's transport session.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scope for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Authenticates by requesting a token from Azure PowerShell.
This requires previously logging in to Azure via "Connect-AzAccount", and will use the currently logged in identity.
tenant_id (str) – Optional tenant to include in the token request.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
process_timeout (int) – Seconds to wait for the Azure PowerShell process to respond. Defaults to 10 seconds.
Example:
Create an AzurePowerShellCredential.

```python
from azure.identity import AzurePowerShellCredential

credential = AzurePowerShellCredential()
```
Calling this method is unnecessary.
Request an access token for scopes.
This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn't cache the tokens it acquires.
scopes (str) – desired scope for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
An access token with the desired scopes.
CredentialUnavailableError – the credential was unable to invoke Azure PowerShell, or no account is authenticated
ClientAuthenticationError – the credential invoked Azure PowerShell but didn't receive an access token
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn't cache the tokens it acquires.
scopes (str) – desired scopes for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential was unable to invoke Azure PowerShell, or no account is authenticated
ClientAuthenticationError – the credential invoked Azure PowerShell but didn't receive an access token
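AzureCliCredential, AzureDeveloperCliCredential and AzurePowerShellCredential all leave token caching to applications that call get_token directly. The following is an added example, not code from azure-identity: a wrapper that keeps tokens in memory and reuses one until shortly before its expires_on time. CachingCredential, StubCliCredential, the local AccessToken tuple, the 300-second refresh margin and the sample scopes are assumptions made for the illustration; the stub stands in for a real CLI credential so the block runs offline.

```python
import threading
import time
from collections import namedtuple

# Local stand-in with the same two fields as azure.core's AccessToken:
# the token string and its expiry as Unix seconds.
AccessToken = namedtuple("AccessToken", ["token", "expires_on"])


class CachingCredential:
    """Wrap a non-caching credential and reuse tokens until shortly before expiry."""

    def __init__(self, inner, refresh_margin=300, clock=time.time):
        self._inner = inner            # any object exposing get_token() and close()
        self._margin = refresh_margin  # seconds of remaining lifetime that trigger a refresh
        self._clock = clock            # injectable so expiry can be tested without sleeping
        self._lock = threading.Lock()
        self._cache = {}               # in memory only; nothing is written to disk

    def get_token(self, *scopes, **kwargs):
        # The CLI-backed credentials allow only one scope per request.
        if len(scopes) != 1:
            raise ValueError("exactly one scope is required")
        # Key on the scope and every option so tokens requested with
        # different options are never handed out for each other.
        key = (scopes[0], tuple(sorted((k, repr(v)) for k, v in kwargs.items())))
        with self._lock:
            cached = self._cache.get(key)
            if cached is not None and cached.expires_on - self._clock() > self._margin:
                return cached
            token = self._inner.get_token(*scopes, **kwargs)
            self._cache[key] = token
            return token

    def close(self):
        # Drop cached tokens before releasing the wrapped credential.
        with self._lock:
            self._cache.clear()
        self._inner.close()


class StubCliCredential:
    """Constructed stand-in for a CLI credential: counts calls, issues numbered tokens."""

    def __init__(self, clock, lifetime=3600):
        self.calls = 0
        self._clock = clock
        self._lifetime = lifetime

    def get_token(self, *scopes, **kwargs):
        self.calls += 1
        return AccessToken("token-%d" % self.calls, int(self._clock()) + self._lifetime)

    def close(self):
        pass


def demo():
    """Run the wrapper against the stub with a controllable clock."""
    now = [1_700_000_000.0]
    clock = lambda: now[0]
    inner = StubCliCredential(clock)
    cred = CachingCredential(inner, refresh_margin=300, clock=clock)
    scope = "https://management.azure.com/.default"  # sample scope
    first = cred.get_token(scope)
    second = cred.get_token(scope)   # served from the cache
    now[0] += 3400                   # 200 s of lifetime left, inside the margin
    third = cred.get_token(scope)    # refreshed from the wrapped credential
    other = cred.get_token("https://vault.azure.net/.default")  # separate cache entry
    return first.token, second.token, third.token, other.token, inner.calls


if __name__ == "__main__":
    print(demo())
```

To use it with a real credential, pass an AzureCliCredential (or one of the other two) as `inner` in place of the stub.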
Authenticates as a service principal using a certificate.
The certificate must have an RSA private key, because this credential signs assertions using RS256. See Microsoft Entra ID documentation for more information on configuring certificate authentication.
tenant_id (str) – ID of the service principal's tenant. Also called its "directory" ID.
client_id (str) – The service principal's client ID
certificate_path (str) – Optional path to a certificate file in PEM or PKCS12 format, including the private key. If not provided, certificate_data is required.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
certificate_data (bytes) – The bytes of a certificate in PEM or PKCS12 format, including the private key
password (str or bytes) – The certificate's password. If a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.
send_certificate_chain (bool) – If True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False.
cache_persistence_options (TokenCachePersistenceOptions) – Configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
disable_instance_discovery (bool) – Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
Example:
Create a CertificateCredential.

```python
from azure.identity import CertificateCredential

credential = CertificateCredential(
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    certificate_path="<path to PEM/PKCS12 certificate>",
    password="<certificate password if necessary>",
)

# Certificate/private key byte data can also be passed directly
credential = CertificateCredential(
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    certificate_data=b"<cert data>",
)
```

Close the credential's underlying HTTP client and release resources.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
A sequence of credentials that is itself a credential.
Its get_token() method calls get_token on each credential in the sequence, in order, returning the first valid token received. For more information, see ChainedTokenCredential overview.
credentials (TokenCredential) – credential instances to form the chain
Example:
Create a ChainedTokenCredential.

```python
from azure.identity import ChainedTokenCredential, EnvironmentCredential, AzureCliCredential

credential_chain = (
    # Try EnvironmentCredential first
    EnvironmentCredential(),
    # Fallback to Azure CLI if EnvironmentCredential fails
    AzureCliCredential(),
)
credential = ChainedTokenCredential(*credential_chain)
```
Close the transport session of each credential in the chain.
Request a token from each chained credential, in order, returning the first token received.
If no credential provides a token, raises azure.core.exceptions.ClientAuthenticationError with an error message from each credential.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
ClientAuthenticationError – no credential in the chain provided a token
Request a token from each chained credential, in order, returning the first token received.
If no credential provides a token, raises azure.core.exceptions.ClientAuthenticationError with an error message from each credential.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
ClientAuthenticationError – no credential in the chain provided a token.
Authenticates a service principal with a JWT assertion.
This credential is for advanced scenarios. CertificateCredential has a more convenient API for the most common assertion scenario, authenticating a service principal with a certificate.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
cache_persistence_options (TokenCachePersistenceOptions) – configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
Example:
Create a ClientAssertionCredential.

```python
from azure.identity import ClientAssertionCredential


def get_assertion():
    return "<client-assertion>"


credential = ClientAssertionCredential(
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    func=get_assertion,
)
```

Close the credential's underlying HTTP client and release resources.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Authenticates as a service principal using a client secret.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
cache_persistence_options (TokenCachePersistenceOptions) – Configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
disable_instance_discovery (bool) – Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
Example:
Create a ClientSecretCredential.

```python
from azure.identity import ClientSecretCredential

credential = ClientSecretCredential(
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    client_secret="<client_secret>",
)
```

Close the credential's underlying HTTP client and release resources.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
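The additionally_allowed_tenants wildcard and disable_instance_discovery both widen what a credential will trust, so they are worth finding in code review. The following added example (not part of azure-identity) walks Python source with the standard ast module and reports credential constructor calls that use either setting. audit_source, the finding labels, the trusted-authority allowlist and the sample source are assumptions made for the illustration.

```python
import ast
from urllib.parse import urlparse

# Credential classes documented on this page that take the keywords checked below.
CREDENTIAL_CLASSES = {
    "AuthorizationCodeCredential", "AzureCliCredential",
    "AzureDeveloperCliCredential", "AzurePipelinesCredential",
    "AzurePowerShellCredential", "CertificateCredential",
    "ClientAssertionCredential", "ClientSecretCredential",
}
DEFAULT_AUTHORITY = "login.microsoftonline.com"  # documented default (Azure Public Cloud)
TRUSTED_AUTHORITIES = {DEFAULT_AUTHORITY}        # assumption: reviewer-maintained allowlist
_UNKNOWN = object()                              # marks values not known statically


def _call_name(call):
    """Return the class name for Foo(...) or module.Foo(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _literal(node):
    """Evaluate a literal argument; variables and calls yield _UNKNOWN."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError, SyntaxError):
        return _UNKNOWN


def _host(authority):
    """Normalise 'https://host/' or 'host' to a bare lower-case host name."""
    parsed = urlparse(authority if "//" in authority else "//" + authority)
    return (parsed.hostname or "").lower()


def audit_source(source, trusted=frozenset(TRUSTED_AUTHORITIES)):
    """Return sorted (line, class, finding) tuples for settings that need review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in CREDENTIAL_CLASSES:
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}

        # "*" lets the credential acquire tokens for any tenant the app can access.
        if "additionally_allowed_tenants" in kwargs:
            tenants = _literal(kwargs["additionally_allowed_tenants"])
            if tenants is _UNKNOWN:
                findings.append((node.lineno, name, "tenants-not-literal"))
            elif isinstance(tenants, (list, tuple, set)) and "*" in tenants:
                findings.append((node.lineno, name, "tenants-wildcard"))

        # With instance discovery off the authority is not validated, so the
        # configured host has to be one the reviewer already trusts.
        if "disable_instance_discovery" in kwargs:
            if _literal(kwargs["disable_instance_discovery"]) is not False:
                authority = DEFAULT_AUTHORITY
                if "authority" in kwargs:
                    authority = _literal(kwargs["authority"])
                if isinstance(authority, str) and _host(authority) in trusted:
                    findings.append((node.lineno, name, "validation-off-trusted-authority"))
                else:
                    findings.append((node.lineno, name, "validation-off-unreviewed-authority"))
    return sorted(findings)


# Constructed sample input; it is only parsed, never executed.
SAMPLE = '''
from azure.identity import CertificateCredential, ClientSecretCredential

ok = ClientSecretCredential(tenant_id=T, client_id=C, client_secret=S)

wide = ClientSecretCredential(
    tenant_id=T, client_id=C, client_secret=S,
    additionally_allowed_tenants=["*"],
)

stack = CertificateCredential(
    tenant_id=T, client_id=C, certificate_path=P,
    authority="https://login.stack.example/",
    disable_instance_discovery=True,
)
'''

if __name__ == "__main__":
    for finding in audit_source(SAMPLE):
        print(finding)
```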
A credential capable of handling most Azure SDK authentication scenarios. For more information, see Usage guidance for DefaultAzureCredential.
The identity it uses depends on the environment. When an access token is needed, it requests one using these identities in turn, stopping when one provides a token:
A service principal configured by environment variables. See EnvironmentCredential for more details.
WorkloadIdentityCredential if environment variable configuration is set by the Azure workload identity webhook.
An Azure managed identity. See ManagedIdentityCredential for more details.
On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variable AZURE_USERNAME is used to select which identity to use. See SharedTokenCacheCredential for more details.
The identity currently logged in to the Azure CLI.
The identity currently logged in to Azure PowerShell.
The identity currently logged in to the Azure Developer CLI.
Brokered authentication. On Windows and WSL only, this uses the default account logged in via Web Account Manager (WAM) if the azure-identity-broker package is installed.
This default behavior is configurable with keyword arguments.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. Managed identities ignore this because they reside in a single cloud.
exclude_workload_identity_credential (bool) – Whether to exclude the workload identity from the credential. Defaults to False.
exclude_developer_cli_credential (bool) – Whether to exclude the Azure Developer CLI from the credential. Defaults to False.
exclude_cli_credential (bool) – Whether to exclude the Azure CLI from the credential. Defaults to False.
exclude_environment_credential (bool) – Whether to exclude a service principal configured by environment variables from the credential. Defaults to False.
exclude_managed_identity_credential (bool) – Whether to exclude managed identity from the credential. Defaults to False.
exclude_powershell_credential (bool) – Whether to exclude Azure PowerShell. Defaults to False.
exclude_visual_studio_code_credential (bool) – Whether to exclude stored credential from VS Code. Defaults to True.
exclude_shared_token_cache_credential (bool) – Whether to exclude the shared token cache. Defaults to False.
exclude_interactive_browser_credential (bool) – Whether to exclude interactive browser authentication (see InteractiveBrowserCredential). Defaults to True.
exclude_broker_credential (bool) – Whether to exclude the broker credential from the credential chain. Defaults to False.
interactive_browser_tenant_id (str) – Tenant ID to use when authenticating a user through InteractiveBrowserCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any. If unspecified, users will authenticate in their home tenants.
broker_tenant_id (str) – The tenant ID to use when using brokered authentication. Defaults to the value of environment variable AZURE_TENANT_ID, if any. If unspecified, users will authenticate in their home tenants.
managed_identity_client_id (str) – The client ID of a user-assigned managed identity. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used.
workload_identity_client_id (str) – The client ID of an identity assigned to the pod. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, the pod's default identity will be used.
workload_identity_tenant_id (str) – Preferred tenant for WorkloadIdentityCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any.
interactive_browser_client_id (str) – The client ID to be used in interactive browser credential. If not specified, users will authenticate to an Azure development application.
broker_client_id (str) – The client ID to be used in brokered authentication. If not specified, users will authenticate to an Azure development application.
shared_cache_username (str) – Preferred username for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_USERNAME, if any.
shared_cache_tenant_id (str) – Preferred tenant for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any.
visual_studio_code_tenant_id (str) – Tenant ID to use when authenticating with VisualStudioCodeCredential. Defaults to the tenant specified in the authentication record file used by the Azure Resources extension.
process_timeout (int) – The timeout in seconds to use for developer credentials that run subprocesses (e.g. AzureCliCredential, AzurePowerShellCredential). Defaults to 10 seconds.
Example:
Create a DefaultAzureCredential.

    from azure.identity import DefaultAzureCredential

    credential = DefaultAzureCredential()

Close the transport session of each credential in the chain.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
An access token with the desired scopes.
ClientAuthenticationError – authentication failed. The exception has a message attribute listing each authentication attempt and its error message.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
ClientAuthenticationError – authentication failed. The exception has a message attribute listing each authentication attempt and its error message.
Authenticates users through the device code flow.
When get_token() is called, this credential acquires a verification URL and code from Microsoft Entra ID. A user must browse to the URL, enter the code, and authenticate with Microsoft Entra ID. If the user authenticates successfully, the credential receives an access token.
This credential is primarily useful for authenticating a user in an environment without a web browser, such as an SSH session. If a web browser is available, InteractiveBrowserCredential is more convenient because it automatically opens a browser to the login page.
client_id (str) – Client ID of the Microsoft Entra application that users will sign into. It is recommended that developers register their applications and assign appropriate roles. For more information, visit https://aka.ms/azsdk/identity/AppRegistrationAndRoleAssignment. If not specified, users will authenticate to an Azure development application, which is not recommended for production scenarios.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
tenant_id (str) – a Microsoft Entra tenant ID. Defaults to the "organizations" tenant, which can authenticate work or school accounts. Required for single-tenant applications.
timeout (int) – seconds to wait for the user to authenticate. Defaults to the validity period of the device code as set by Microsoft Entra ID, which also prevails when timeout is longer.
prompt_callback (Callable[str, str, datetime]) – A callback enabling control of how authentication instructions are presented. Must accept arguments (verification_uri, user_code, expires_on):
verification_uri (str) the URL the user must visit
user_code (str) the code the user must enter there
expires_on (datetime.datetime) the UTC time at which the code will expire
If this argument isn't provided, the credential will print instructions to stdout.
authentication_record (AuthenticationRecord) – AuthenticationRecord returned by authenticate()
disable_automatic_authentication (bool) – if True, get_token() will raise AuthenticationRequiredError when user interaction is required to acquire a token. Defaults to False.
cache_persistence_options (TokenCachePersistenceOptions) – configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
disable_instance_discovery (bool) – Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.
enable_support_logging (bool) – Enables additional support logging in the underlying MSAL library. This logging potentially contains personally identifiable information and is intended to be used only for troubleshooting purposes.
Example:
Create a DeviceCodeCredential.

    from azure.identity import DeviceCodeCredential

    credential = DeviceCodeCredential()

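A prompt_callback with the (verification_uri, user_code, expires_on) signature described above, as an added example rather than code from the Azure SDK. It writes the instructions to stderr instead of stdout, shows how long the code stays valid, and treats a naive expires_on as UTC; make_prompt_callback and its stream and clock parameters are names chosen for this example.

```python
import sys
from datetime import datetime, timezone
from urllib.parse import urlsplit


def make_prompt_callback(stream=None, clock=None):
    """Build a callable suitable for DeviceCodeCredential(prompt_callback=...).

    stream: where the instructions go (default: sys.stderr, so the user code
            does not end up in captured stdout or a pipeline).
    clock:  callable returning the current aware UTC time (injectable for tests).
    """
    clock = clock or (lambda: datetime.now(timezone.utc))

    def prompt(verification_uri, user_code, expires_on):
        parts = urlsplit(verification_uri)
        # Only ever show the user an HTTPS sign-in address.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"unexpected verification URI: {verification_uri!r}")

        # The documentation describes expires_on as a UTC time; if it arrives
        # without tzinfo, interpret it as UTC rather than local time.
        if expires_on.tzinfo is None:
            expires_on = expires_on.replace(tzinfo=timezone.utc)

        remaining = (expires_on - clock()).total_seconds()
        if remaining <= 0:
            raise ValueError("device code has already expired")

        minutes, seconds = divmod(int(remaining), 60)
        out = stream if stream is not None else sys.stderr
        out.write(
            f"Sign in at {verification_uri} (host: {parts.hostname})\n"
            f"Enter code: {user_code}\n"
            f"Code expires in {minutes} min {seconds:02d} s "
            f"({expires_on:%Y-%m-%d %H:%M:%S} UTC)\n"
        )
        out.flush()

    return prompt


# Usage with the credential documented above (requires azure-identity):
#   from azure.identity import DeviceCodeCredential
#   credential = DeviceCodeCredential(prompt_callback=make_prompt_callback())

if __name__ == "__main__":
    # Constructed values, only to show the output format.
    from datetime import timedelta
    demo = make_prompt_callback()
    demo("https://microsoft.com/devicelogin", "EXAMPLE12",
         datetime.now(timezone.utc) + timedelta(minutes=15))
```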
Interactively authenticate a user. This method will always generate a challenge to the user.
scopes (Iterable[str]) – scopes to request during authentication, such as those provided by AuthenticationRequiredError.scopes(). If provided, successful authentication will cache an access token for these scopes.
claims (str) – additional claims required in the token, such as those provided by AuthenticationRequiredError.claims()
An AuthenticationRecord containing the authenticated user's information.
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Close the credential's underlying HTTP client and release resources.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
AuthenticationRequiredError – user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call authenticate() to begin interactive authentication.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
AccessTokenInfo
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
AuthenticationRequiredError – user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call authenticate() to begin interactive authentication.
A credential configured by environment variables.
This credential is capable of authenticating as a service principal using a client secret or a certificate. Configuration is attempted in this order, using these environment variables:
Service principal with secret:
AZURE_TENANT_ID: ID of the service principal's tenant. Also called its "directory" ID.
AZURE_CLIENT_ID: the service principal's client ID
AZURE_CLIENT_SECRET: one of the service principal's client secrets
AZURE_AUTHORITY_HOST: authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud, which is the default when no value is given.
Service principal with certificate:
AZURE_TENANT_ID: ID of the service principal's tenant. Also called its "directory" ID.
AZURE_CLIENT_ID: the service principal's client ID
AZURE_CLIENT_CERTIFICATE_PATH: path to a PEM or PKCS12 certificate file including the private key.
AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) password of the certificate file, if any.
AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: (optional) If True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False.
AZURE_AUTHORITY_HOST: authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud, which is the default when no value is given.
Example:
Create an EnvironmentCredential.

    from azure.identity import EnvironmentCredential

    credential = EnvironmentCredential()

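A preflight check for the variables listed above, written for this page and not part of azure-identity: it reports which of the two configurations is complete, in the documented order, and masks secret values in its summary. The function names are this example's own, treating an empty value as unset is its assumption, and all sample values are constructed.

```python
from typing import Dict, Mapping, NamedTuple, Optional, Tuple

# Required variables per method, in the order the documentation says they are tried.
METHODS: Tuple[Tuple[str, Tuple[str, ...]], ...] = (
    ("client_secret",
     ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")),
    ("client_certificate",
     ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH")),
)
OPTIONAL = (
    "AZURE_CLIENT_CERTIFICATE_PASSWORD",
    "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN",
    "AZURE_AUTHORITY_HOST",
)
# Values that must never be echoed into logs or CI output.
SENSITIVE = frozenset({"AZURE_CLIENT_SECRET", "AZURE_CLIENT_CERTIFICATE_PASSWORD"})
# Every variable the credential reads, de-duplicated, in a stable order.
RELEVANT = tuple(dict.fromkeys(
    [name for _, required in METHODS for name in required] + list(OPTIONAL)
))


class Preflight(NamedTuple):
    method: Optional[str]                # configuration that would be used, or None
    missing: Dict[str, Tuple[str, ...]]  # per method: required variables that are unset
    warnings: Tuple[str, ...]


def _is_set(environ: Mapping[str, str], name: str) -> bool:
    # Choice made by this example: empty or whitespace-only values count as unset.
    return bool(environ.get(name, "").strip())


def preflight(environ: Mapping[str, str]) -> Preflight:
    """Report which documented configuration is complete, without printing secrets."""
    missing = {
        method: tuple(n for n in required if not _is_set(environ, n))
        for method, required in METHODS
    }
    # The first complete set wins, mirroring the documented order.
    selected = next((m for m, _ in METHODS if not missing[m]), None)

    warnings = []
    if (_is_set(environ, "AZURE_CLIENT_SECRET")
            and _is_set(environ, "AZURE_CLIENT_CERTIFICATE_PATH")):
        warnings.append("secret and certificate are both set; the client secret is tried first")
    if (_is_set(environ, "AZURE_CLIENT_CERTIFICATE_PASSWORD")
            and selected != "client_certificate"):
        warnings.append("AZURE_CLIENT_CERTIFICATE_PASSWORD is set but no certificate is in use")
    for name in RELEVANT:
        if name in environ and not _is_set(environ, name):
            warnings.append(f"{name} is present but empty")
    return Preflight(selected, missing, tuple(warnings))


def redacted_view(environ: Mapping[str, str]) -> Dict[str, str]:
    """Relevant variables for a log line or CI summary, with secret values masked."""
    return {
        name: "<redacted>" if name in SENSITIVE else environ[name]
        for name in RELEVANT if name in environ
    }


# Constructed sample environment (not real identifiers or secrets).
SAMPLE_ENV = {
    "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
    "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
    "AZURE_CLIENT_SECRET": "constructed-secret-value",
    "AZURE_CLIENT_CERTIFICATE_PATH": "/etc/app/sp.pem",
}

if __name__ == "__main__":
    result = preflight(SAMPLE_ENV)  # pass os.environ to check a real process
    print("selected method:", result.method)
    print("visible config: ", redacted_view(SAMPLE_ENV))
    for warning in result.warnings:
        print("warning:", warning)
```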
Close the credential's transport session.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
An access token with the desired scopes.
CredentialUnavailableError – environment variable configuration is incomplete
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scope for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – environment variable configuration is incomplete.
Opens a browser to interactively authenticate a user.
get_token() opens a browser to a login URL provided by Microsoft Entra ID and authenticates a user there with the authorization code flow, using PKCE (Proof Key for Code Exchange) internally to protect the code.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
tenant_id (str) – a Microsoft Entra tenant ID. Defaults to the "organizations" tenant, which can authenticate work or school accounts.
client_id (str) – Client ID of the Microsoft Entra application that users will sign into. It is recommended that developers register their applications and assign appropriate roles. For more information, visit https://aka.ms/azsdk/identity/AppRegistrationAndRoleAssignment. If not specified, users will authenticate to an Azure development application, which is not recommended for production scenarios.
login_hint (str) – a username suggestion to pre-fill the login page's username/email address field. A user may still log in with a different username.
redirect_uri (str) – a redirect URI for the application identified by client_id as configured in Azure Active Directory, for example "http://localhost:8400". This is only required when passing a value for client_id, and must match a redirect URI in the application's registration. The credential must be able to bind a socket to this URI.
authentication_record (AuthenticationRecord) – AuthenticationRecord returned by authenticate()
disable_automatic_authentication (bool) – if True, get_token() will raise AuthenticationRequiredError when user interaction is required to acquire a token. Defaults to False.
cache_persistence_options (TokenCachePersistenceOptions) – configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
timeout (int) – seconds to wait for the user to complete authentication. Defaults to 300 (5 minutes).
disable_instance_discovery (bool) – Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.
enable_support_logging (bool) – Enables additional support logging in the underlying MSAL library. This logging potentially contains personally identifiable information and is intended to be used only for troubleshooting purposes.
ValueError – invalid redirect_uri
Example:
Create an InteractiveBrowserCredential.

    from azure.identity import InteractiveBrowserCredential

    credential = InteractiveBrowserCredential(
        client_id="<client_id>",
    )

Interactively authenticate a user. This method will always generate a challenge to the user.
scopes (Iterable[str]) – scopes to request during authentication, such as those provided by AuthenticationRequiredError.scopes(). If provided, successful authentication will cache an access token for these scopes.
claims (str) – additional claims required in the token, such as those provided by AuthenticationRequiredError.claims()
An AuthenticationRecord containing the authenticated user's information.
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Close the credential's underlying HTTP client and release resources.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
AuthenticationRequiredError – user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call authenticate() to begin interactive authentication.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
AccessTokenInfo
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
AuthenticationRequiredError – user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call authenticate() to begin interactive authentication.
Alias of AzureAuthorityHosts
Authenticates with an Azure managed identity in any hosting environment which supports managed identities.
This credential defaults to using a system-assigned identity. To configure a user-assigned identity, use one of the keyword arguments. See Microsoft Entra ID documentation for more information about configuring managed identity for applications.
client_id (str) – a user-assigned identity's client ID or, when using Pod Identity, the client ID of a Microsoft Entra app registration. This argument is supported in all hosting environments.
identity_config (Mapping[str, str]) – a mapping {parameter_name: value} specifying a user-assigned identity by its object or resource ID, for example {"object_id": "..."}. Check the documentation for your hosting environment to learn what values it expects.
Example:
Create a ManagedIdentityCredential.

    from azure.identity import ManagedIdentityCredential

    credential = ManagedIdentityCredential()

    # Can also specify a client ID of a user-assigned managed identity
    credential = ManagedIdentityCredential(
        client_id="<client_id>",
    )

Close the credential's transport session.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scope for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
An access token with the desired scopes.
CredentialUnavailableError – managed identity isn't available in the hosting environment
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scope for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – managed identity isn't available in the hosting environment.
Authenticates a service principal via the on-behalf-of flow.
This flow is typically used by middle-tier services that authorize requests to other services with a delegated user identity. Because this is not an interactive authentication flow, an application using it must have admin consent for any delegated permissions before requesting tokens for them. See Microsoft Entra ID documentation for a more detailed description of the on-behalf-of flow.
client_secret (str) – Optional. A client secret to authenticate the service principal. One of client_secret, client_certificate, or client_assertion_func must be provided.
client_certificate (bytes) – Optional. The bytes of a certificate in PEM or PKCS12 format including the private key to authenticate the service principal. One of client_secret, client_certificate, or client_assertion_func must be provided.
client_assertion_func (Callable[[], str]) – Optional. Function that returns client assertions that authenticate the application to Microsoft Entra ID. This function is called each time the credential requests a token. It must return a valid assertion for the target resource.
user_assertion (str) – Required. The access token the credential will use as the user assertion when requesting on-behalf-of tokens.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
password (str or bytes) – A certificate password. Used only when client_certificate is provided. If this value is a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.
send_certificate_chain (bool) – If True when client_certificate is provided, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False.
disable_instance_discovery (bool) – Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
Example:
Create an OnBehalfOfCredential.

    from azure.identity import OnBehalfOfCredential

    credential = OnBehalfOfCredential(
        tenant_id="<tenant_id>",
        client_id="<client_id>",
        client_secret="<client_secret>",
        user_assertion="<access_token>",
    )

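Because disable_instance_discovery=True turns off authority validation (here and on the other credentials that accept the keyword), the application has to check the authority itself. The following added example, not taken from the Azure SDK, pins the authority to an allowlist the deployment supplies before building the keyword arguments; checked_authority, offline_authority_kwargs and the host login.stack.example are hypothetical names.

```python
from typing import Dict, Iterable
from urllib.parse import urlsplit


class UntrustedAuthority(ValueError):
    """The configured authority is not one this deployment has pinned."""


def checked_authority(authority: str, allowed_hosts: Iterable[str]) -> str:
    """Return the bare, lower-cased authority host, or raise UntrustedAuthority.

    Accepts either a bare host or an https:// URL, since configuration values
    arrive in both forms.
    """
    allowed = {h.strip().rstrip(".").lower() for h in allowed_hosts}
    value = authority.strip()
    if "://" not in value:
        value = "https://" + value
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise UntrustedAuthority(f"unparseable authority {authority!r}") from exc

    if parts.scheme != "https":
        raise UntrustedAuthority(f"authority must use https: {authority!r}")
    # 'trusted.host@other.host' parses with other.host as the real host.
    if parts.username is not None or parts.password is not None:
        raise UntrustedAuthority(f"userinfo not allowed in authority: {authority!r}")
    if port not in (None, 443):
        raise UntrustedAuthority(f"unexpected port in authority: {authority!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise UntrustedAuthority(f"authority must be a host only: {authority!r}")

    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if host not in allowed:
        raise UntrustedAuthority(f"authority host {host!r} is not on the allowlist")
    return host


def offline_authority_kwargs(authority: str, allowed_hosts: Iterable[str]) -> Dict[str, object]:
    """Keyword arguments for a credential used where the metadata endpoint is unreachable."""
    return {
        "authority": checked_authority(authority, allowed_hosts),
        "disable_instance_discovery": True,
    }


# Constructed allowlist for a private-cloud deployment (hypothetical host name).
PINNED_HOSTS = frozenset({"login.stack.example"})

if __name__ == "__main__":
    print(offline_authority_kwargs("https://login.stack.example/", PINNED_HOSTS))
    # With azure-identity installed, the result can be passed on, for example:
    #   OnBehalfOfCredential(tenant_id=..., client_id=..., client_secret=...,
    #                        user_assertion=..., **kwargs)
```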
Close the credential's underlying HTTP client and release resources.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Authenticates using tokens in the local cache shared between Microsoft applications.
username (str) – Username (typically an email address) of the user to authenticate as. This is used when the local cache contains tokens for multiple identities.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
tenant_id (str) – a Microsoft Entra tenant ID. Used to select an account when the cache contains tokens for multiple identities.
authentication_record (AuthenticationRecord) – an authentication record returned by a user credential such as DeviceCodeCredential or InteractiveBrowserCredential
cache_persistence_options (TokenCachePersistenceOptions) – configuration for persistent token caching. If not provided, the credential will use the persistent cache shared by Microsoft development applications
Whether the shared token cache is supported on the current platform.
True if the shared token cache is supported on the current platform, otherwise False.
Close the credential's transport session.
Get an access token for scopes from the shared cache.
If no access token is cached, attempt to acquire one using a cached refresh token.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure
tenant_id (str) – not used by this credential; any value provided will be ignored.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the cache is unavailable or contains insufficient user information
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Request an access token for scopes.
If no access token is cached, attempt to acquire one using a cached refresh token.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scope for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the cache is unavailable or contains insufficient user information.
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Options for persistent token caching.
Most credentials accept an instance of this class to configure persistent token caching. The default values configure a credential to use a cache shared with Microsoft developer tools and SharedTokenCacheCredential. To isolate a credential's data from other applications, specify a name for the cache.
By default, the cache is encrypted with the current platform's user data protection API, and will raise an error when this is not available. To configure the cache to fall back to an unencrypted file instead of raising an error, specify allow_unencrypted_storage=True.
Warning
The cache contains authentication secrets. If the cache is not encrypted, protecting it is the application's responsibility. A breach of its contents will fully compromise accounts.
Example:
Configuring a credential for persistent caching

    from azure.identity import InteractiveBrowserCredential, TokenCachePersistenceOptions

    cache_options = TokenCachePersistenceOptions()
    credential = InteractiveBrowserCredential(cache_persistence_options=cache_options)

    # specify a cache name to isolate the cache from other applications
    TokenCachePersistenceOptions(name="my_application")

    # configure the cache to fall back to unencrypted storage when encryption isn't available
    TokenCachePersistenceOptions(allow_unencrypted_storage=True)

name (str) – prefix name of the cache, used to isolate its data from other applications. Defaults to the name of the cache shared by Microsoft dev tools and SharedTokenCacheCredential. Additional strings may be appended to the name for further isolation.
allow_unencrypted_storage (bool) – whether the cache should fall back to storing its data in plain text when encryption isn't possible. False by default. Setting this to True does not disable encryption. The cache will always try to encrypt its data.
Authenticates a user with a username and password.
Deprecated: This credential doesn't support multifactor authentication (MFA). For more details on Microsoft Entra MFA enforcement, see https://aka.ms/azsdk/identity/mfa.
In general, Microsoft doesn't recommend this kind of authentication, because it's less secure than other authentication flows.
Authentication with this credential is not interactive, so it is not compatible with any form of multi-factor authentication or consent prompting. The application must already have consent from the user or a directory admin.
This credential can only authenticate work and school accounts; Microsoft accounts are not supported. See Microsoft Entra ID documentation for more information about account types.
authority (str) – Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
tenant_id (str) – Tenant ID or a domain associated with a tenant. If not provided, defaults to the "organizations" tenant, which supports only Microsoft Entra work or school accounts.
cache_persistence_options (TokenCachePersistenceOptions) – Configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
disable_instance_discovery (bool) – Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
enable_support_logging (bool) – Enables additional support logging in the underlying MSAL library. This logging potentially contains personally identifiable information and is intended to be used only for troubleshooting purposes.
Example:
Create a UsernamePasswordCredential.

    from azure.identity import UsernamePasswordCredential

    credential = UsernamePasswordCredential(
        client_id="<client_id>",
        username="<username>",
        password="<password>",
    )

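An added example, not part of the azure-identity documentation or SDK: one way to pin the authority host before passing disable_instance_discovery=True, since the SDK then no longer validates the authority. The allowlist value and the names pinned_authority and credential_kwargs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the authority hosts this deployment trusts. Constructed placeholder value.
PINNED_AUTHORITIES = frozenset({"login.stack.contoso.example"})


def pinned_authority(authority, allowed=PINNED_AUTHORITIES):
    """Return the normalized authority host, or raise ValueError if it is not pinned."""
    raw = authority.strip()
    # The page's example is a bare host; an https URL is accepted here as well.
    parts = urlsplit(raw if "://" in raw else "https://" + raw)
    if parts.scheme != "https":
        raise ValueError("authority must use https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("authority must not contain userinfo")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("authority must be a host, not a full URL")
    if parts.port not in (None, 443):  # .port itself raises ValueError on junk
        raise ValueError("unexpected port in authority")
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: suffix or substring matching would accept look-alike hosts.
    if host not in allowed:
        raise ValueError(f"authority host {host!r} is not pinned")
    return host


def credential_kwargs(authority):
    """Keyword arguments for a credential constructor that skips instance discovery."""
    return {"authority": pinned_authority(authority), "disable_instance_discovery": True}


if __name__ == "__main__":
    print(credential_kwargs("https://login.stack.contoso.example/"))
```

The returned dictionary can be unpacked into any credential constructor on this page that accepts authority and disable_instance_discovery.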
Interactively authenticate a user. This method will always generate a challenge to the user.
scopes (Iterable[str]) – scopes to request during authentication, such as those provided by AuthenticationRequiredError.scopes(). If provided, successful authentication will cache an access token for these scopes.
claims (str) – additional claims required in the token, such as those provided by AuthenticationRequiredError.claims()
An AuthenticationRecord containing the authenticated user's information.
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Close the credential's underlying HTTP client and release resources.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
AuthenticationRequiredError – user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call authenticate() to begin interactive authentication.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
AccessTokenInfo
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
AuthenticationRequiredError – user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call authenticate() to begin interactive authentication.
Authenticates as the Azure user signed in to Visual Studio Code via the "Azure Resources" extension.
This currently only works in Windows/WSL environments and requires the "azure-identity-broker" package to be installed.
tenant_id (str) – A Microsoft Entra tenant ID. Defaults to the tenant specified in the authentication record file used by the Azure Resources extension.
additionally_allowed_tenants (List[str]) – Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
Close the credential's transport session.
Request an access token for scopes as the user currently signed in to Visual Studio Code.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
An access token with the desired scopes.
CredentialUnavailableError – the credential cannot retrieve user details from Visual Studio Code
Request an access token for scopes as the user currently signed in to Visual Studio Code.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential cannot retrieve user details from Visual Studio Code.
Authenticates using Microsoft Entra Workload ID.
Workload identity authentication is a feature in Azure that allows applications running on virtual machines (VMs) to access other Azure resources without the need for a service principal or managed identity. With workload identity authentication, applications authenticate themselves using their own identity, rather than using a shared service principal or managed identity. Under the hood, workload identity authentication uses the concept of Service Account Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using workload identity authentication, you can avoid the need to manage and rotate service principals or managed identities for each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't need to worry about storing and securing sensitive credentials themselves.
The WorkloadIdentityCredential supports Azure workload identity authentication on Azure Kubernetes and acquires a token using the service account credentials available in the Azure Kubernetes environment. Refer to this workload identity overview for more information.
tenant_id (str) – ID of the application's Microsoft Entra tenant. Also called its "directory" ID.
client_id (str) – The client ID of a Microsoft Entra app registration.
token_file_path (str) – The path to a file containing a Kubernetes service account token that authenticates the identity.
Example:
Create a WorkloadIdentityCredential.

    from azure.identity import WorkloadIdentityCredential

    credential = WorkloadIdentityCredential(
        tenant_id="<tenant_id>",
        client_id="<client_id>",
        token_file_path="<token_file_path>",
    )

    # Parameters can be omitted if the following environment variables are set:
    #   - AZURE_TENANT_ID
    #   - AZURE_CLIENT_ID
    #   - AZURE_FEDERATED_TOKEN_FILE
    credential = WorkloadIdentityCredential()

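An added example, not from the azure-identity project: a preflight check for the three environment variables named above that also decodes the service account token's claims, without verifying the signature and without ever printing the token. The expected audience api://AzureADTokenExchange and the names decode_claims and preflight are assumptions not stated on this page.

```python
import base64
import json
import os
import time

# Assumption (not stated on this page): audience expected on the projected token.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"
REQUIRED_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE")


def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying its signature (diagnostics only)."""
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def preflight(env=os.environ, now=None):
    """Return a list of problems; empty means the settings look usable.

    Messages never include the token, so the result is safe to log.
    """
    problems = [f"{var} is not set" for var in REQUIRED_VARS if not env.get(var)]
    path = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if not path:
        return problems
    try:
        with open(path, encoding="ascii") as handle:
            claims = decode_claims(handle.read())
    except (OSError, ValueError) as exc:
        return problems + [f"token file unusable: {type(exc).__name__}"]
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("service account token is expired or has no exp claim")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"token audience does not include {EXPECTED_AUDIENCE}")
    return problems
```

Calling preflight() with no arguments checks the current process environment; an empty list means the variables are set and the token file parses, is unexpired and carries the expected audience.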
Close the credential's underlying HTTP client and release resources.
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
claims (str) – additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id (str) – optional tenant to include in the token request.
enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.
An access token with the desired scopes.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.
An AccessTokenInfo instance containing information about the token.
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error's message attribute gives a reason.
Returns a callable that provides a bearer token.
It can be used for instance to write code like:

    from azure.identity import DefaultAzureCredential, get_bearer_token_provider

    credential = DefaultAzureCredential()
    bearer_token_provider = get_bearer_token_provider(credential, "https://cognitiveservices.azure.com/.default")

    # Usage: "request" stands for the application's own outgoing HTTP request object
    request.headers["Authorization"] = "Bearer " + bearer_token_provider()

credential (TokenCredential) – The credential used to authenticate the request.
scopes (str) – The scopes required for the bearer token.
callable
A callable that returns a bearer token.