The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It provides a set of TokenCredential implementations that can be used to construct Azure SDK clients that support Microsoft Entra token authentication.
Source code | API reference documentation | Microsoft Entra ID documentation
Getting started Include the package Include the BOM fileInclude the azure-sdk-bom in your project to take a dependency on the stable version of the library. In the following snippet, replace the {bom_version_to_target} placeholder with the version number. To learn more about the BOM, see the Azure SDK BOM README.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-sdk-bom</artifactId>
<version>{bom_version_to_target}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Then include the direct dependency in the dependencies section without the version tag:
<dependencies>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
</dependency>
</dependencies>
To take dependency on a particular version of the library that isn't present in the BOM, add the direct dependency to your project as follows:
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
<version>1.16.3</version>
</dependency>
When debugging and executing code locally, it's typical for a developer to use their own account for authenticating calls to Azure services. There are several developer tools that can be used to perform this authentication in your development environment:
Select each item above to learn about how to configure them for Azure Identity authentication.
Key concepts CredentialsA credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept credentials when they're constructed. The service clients use those credentials to authenticate requests to the service.
The Azure Identity library focuses on OAuth authentication with Microsoft Entra ID, and it offers various credential classes capable of acquiring a Microsoft Entra token to authenticate service requests. All of the credential classes in this library are implementations of the TokenCredential abstract class in azure-core, and any of them can be used by to construct service clients capable of authenticating with a TokenCredential.
See Credential classes for a complete list of available credential classes.
DefaultAzureCredentialDefaultAzureCredential simplifies authentication while developing apps that deploy to Azure by combining credentials used in Azure hosting environments with credentials used in local development. For more information, see DefaultAzureCredential overview.
As of v1.10.0, DefaultAzureCredential attempts to authenticate with all developer credentials until one succeeds, regardless of any errors previous developer credentials experienced. For example, a developer credential may attempt to get a token and fail, so DefaultAzureCredential continues to the next credential in the flow. Deployed service credentials stop the flow with a thrown exception if they're able to attempt token retrieval, but don't receive one.
This allows for trying all of the developer credentials on your machine while having predictable deployed behavior.
ExamplesYou can find more examples of using various credentials in Azure Identity Examples Wiki page.
Authenticate withDefaultAzureCredential
This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using DefaultAzureCredential:
/**
* DefaultAzureCredential first checks environment variables for configuration.
* If environment configuration is incomplete, it tries managed identity.
*/
public void createDefaultAzureCredential() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
DefaultAzureCredential
To authenticate using user-assigned managed identity, ensure that configuration instructions for your supported Azure resource here have been successfully completed.
The below example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using DefaultAzureCredential, deployed to an Azure resource with a user-assigned managed identity configured.
See more about how to configure a user-assigned managed identity for an Azure resource in Enable managed identity for Azure resources.
/**
* DefaultAzureCredential uses the user-assigned managed identity with the specified client ID.
*/
public void createDefaultAzureCredentialForUserAssignedManagedIdentity() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
In addition to configuring the managedIdentityClientId via code, it can also be set using the AZURE_CLIENT_ID environment variable. These two approaches are equivalent when using DefaultAzureCredential.
DefaultAzureCredential
To authenticate using IntelliJ, ensure that configuration instructions here have been successfully completed.
The below example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using DefaultAzureCredential, on a workstation with IntelliJ IDEA installed, and the user has signed in with an Azure account to the Azure Toolkit for IntelliJ.
See more about how to configure your IntelliJ IDEA in Sign in Azure Toolkit for IntelliJ for IntelliJCredential.
/**
* DefaultAzureCredential uses the signed-in user from Azure Toolkit for Java.
*/
public void createDefaultAzureCredentialForIntelliJ() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
DefaultAzureCredential
To authenticate using Visual Studio Code, ensure you have signed in through the Azure Resources extension. The signed-in user is then picked up automatically by DefaultAzureCredential in the Azure SDK for Java.
Azure: Sign In command in VS Code.azure-identity-borker package.DefaultAzureCredential with Key Vault
The following example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using DefaultAzureCredential:
/**
* DefaultAzureCredential uses the signed-in user from Visual Studio Code
* via the Azure Resources extension.
*/
public void createDefaultAzureCredentialForVSCode() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
The Managed identity authentication is supported indirectly via DefaultAzureCredential or directly via ManagedIdentityCredential for the following Azure Services:
Note: Use azure-identity version 1.7.0 or later to utilize token caching support for managed identity authentication.
This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ManagedIdentityCredential in a Virtual Machine, App Service, Functions app, Cloud Shell, or AKS environment on Azure, with system-assigned or user-assigned managed identity enabled.
See more about how to configure your Azure resource for managed identity in Enable managed identity for Azure resources
/**
* Authenticate with a user-assigned managed identity.
*/
public void createManagedIdentityCredential() {
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
.clientId("<USER-ASSIGNED MANAGED IDENTITY CLIENT ID>") // only required for user-assigned
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(managedIdentityCredential)
.buildClient();
}
public void createManagedIdentityCredentialWithResourceId() {
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
.resourceId("/subscriptions/<subscriptionID>/resourcegroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MI name>") // only required for user-assigned
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(managedIdentityCredential)
.buildClient();
}
public void createManagedIdentityCredentialWithObjectId() {
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
.objectId("<USER-ASSIGNED MANAGED IDENTITY OBJECT ID>") // only required for user-assigned
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(managedIdentityCredential)
.buildClient();
}
/**
* Authenticate with a system-assigned managed identity.
*/
public void createManagedIdentityCredential() {
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(managedIdentityCredential)
.buildClient();
}
ChainedTokenCredential
While DefaultAzureCredential is generally the quickest way to authenticate apps for Azure, you can create a customized chain of credentials to be considered. ChainedTokenCredential enables users to combine multiple credential instances to define a customized chain of credentials. For more information, see ChainedTokenCredential overview.
By default, credentials authenticate to the Microsoft Entra endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure US Government or a private cloud, use one of the following solutions:
authorityHost method. For example:DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()
.authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)
.build();
AzureAuthorityHosts defines authorities for well-known clouds.
AZURE_AUTHORITY_HOST environment variable to the appropriate authority host URL. For example, https://login.microsoftonline.us/. Note that this setting affects all credentials in the environment. Use the previous solution to set the authority host on a specific credential.Not all credentials honor this configuration. Credentials that authenticate through a development tool, such as AzureCliCredential, use that tool's configuration.
Note: All credential implementations in the Azure Identity library are threadsafe, and a single credential instance can be used to create multiple service clients.
Credentials can be chained together to be tried in turn until one succeeds using ChainedTokenCredential. For more information, see chaining credentials.
DefaultAzureCredential and EnvironmentCredential can be configured with environment variables. Each type of authentication requires values for specific variables.
AZURE_CLIENT_ID ID of a Microsoft Entra application AZURE_TENANT_ID ID of the application's Microsoft Entra tenant AZURE_CLIENT_SECRET one of the application's client secrets Service principal with certificate Variable name Value AZURE_CLIENT_ID ID of a Microsoft Entra application AZURE_TENANT_ID ID of the application's Microsoft Entra tenant AZURE_CLIENT_CERTIFICATE_PATH path to a PFX or PEM-encoded certificate file including private key AZURE_CLIENT_CERTIFICATE_PASSWORD (optional) password for certificate. The certificate can't be password-protected unless this value is specified. Managed identity (DefaultAzureCredential) Variable name Value AZURE_CLIENT_ID The client ID for the user-assigned managed identity.
Configuration is attempted in the preceding order. For example, if values for a client secret and certificate are both present, the client secret is used.
Continuous Access EvaluationAs of v1.10.0, accessing resources protected by Continuous Access Evaluation (CAE) is possible on a per-request basis. This can be enabled using the TokenRequestContext.setCaeEnabled(boolean) API. CAE isn't supported for developer credentials.
Token caching is a feature provided by the Azure Identity library that allows apps to:
The Azure Identity library offers both in-memory and persistent disk caching. For more information, see the token caching documentation.
Brokered authenticationAn authentication broker is an application that runs on a userâs machine and manages the authentication handshakes and token maintenance for connected accounts. Currently, only the Windows Web Account Manager (WAM) is supported. To enable support, use the azure-identity-broker package. For details on authenticating using WAM, see the broker plugin documentation.
Credentials raise exceptions when they fail to authenticate or can't execute authentication. When credentials fail to authenticate, theClientAuthenticationException is raised. The exception has a message attribute, which describes why authentication failed. When ChainedTokenCredential raises this exception, the chained execution of underlying list of credentials is stopped.
When credentials can't execute authentication due to one of the underlying resources required by the credential being unavailable on the machine, the CredentialUnavailableException is raised. The exception has a message attribute that describes why the credential is unavailable for authentication execution. When ChainedTokenCredential raises this exception, the message collects error messages from each credential in the chain.
See the troubleshooting guide for details on how to diagnose various failure scenarios.
Next stepsThe Java client libraries listed here support authenticating with TokenCredential and the Azure Identity library. You can learn more about their use, and find additional documentation on use of these client libraries along samples with can be found in the links mentioned here.
The microsoft-graph-sdk also supports authenticating with TokenCredential and the Azure Identity library.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4