The Azure Identity library provides Microsoft Entra ID token authentication support across the Azure SDK with a comprehensive set of TokenCredential implementations.
npx @tessl/cli install tessl/maven-com-azure--azure-identity@1.16.0
The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It offers a comprehensive set of TokenCredential implementations that can authenticate with Azure services using various authentication flows, including managed identity, service principals, developer tools, and interactive authentication methods.
com.azure and artifact azure-identity
import com.azure.identity.*;
import com.azure.core.credential.TokenCredential;
For specific credential types:
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
// Create default credential chain for most common scenarios.
// NOTE(review): DefaultAzureCredential presumably tries several sources in turn
// (managed/workload identity, developer-tool logins; see its builder options).
// Which member actually authenticated is not visible to the caller, so pin a
// specific credential type in production code to rule out unintended fallbacks.
TokenCredential credential = new DefaultAzureCredentialBuilder().build();
// Use with any Azure SDK client; the client obtains its bearer tokens through
// the credential, so the credential's lifetime should match the client's.
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://myvault.vault.azure.net/")
.credential(credential)
.buildClient();
The Azure Identity library is built around several key concepts:
The recommended approach for most applications: it tries multiple authentication methods in sequence.
// Chain credential that tries multiple authentication methods in sequence and
// returns the first token obtained (see ChainedTokenCredential). The set of
// members that participate presumably depends on the process environment and
// host (managed identity, developer tools) — so the same code can authenticate
// as different principals in different environments. Prefer a specific
// credential type where the authentication method must be fixed.
class DefaultAzureCredential extends ChainedTokenCredential implements TokenCredential {
// Built using DefaultAzureCredentialBuilder; no public constructor is listed.
}
// Builder for DefaultAzureCredential. Options here tune the chain; they do not
// carry secrets themselves.
class DefaultAzureCredentialBuilder extends CredentialBuilderBase<DefaultAzureCredentialBuilder> {
// Tenant used by the chain members that accept one.
DefaultAzureCredentialBuilder tenantId(String tenantId);
// Authority (login) endpoint. Use an AzureAuthorityHosts constant rather than a
// hand-typed URL: a wrong or attacker-influenced host would receive the
// credential material used to obtain tokens.
DefaultAzureCredentialBuilder authorityHost(String authorityHost);
// Select a user-assigned managed identity by client id.
DefaultAzureCredentialBuilder managedIdentityClientId(String clientId);
// Client id for the workload identity member of the chain.
DefaultAzureCredentialBuilder workloadIdentityClientId(String clientId);
// Select a user-assigned managed identity by ARM resource id.
DefaultAzureCredentialBuilder managedIdentityResourceId(String resourceId);
DefaultAzureCredentialBuilder executorService(ExecutorService executorService);
// Extra tenants the chain may acquire tokens for; keep this to the tenants
// actually required (least privilege across tenants).
DefaultAzureCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
DefaultAzureCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);
// NOTE(review): presumably bounds the external processes spawned by the
// developer-tool members (CLI, PowerShell) — confirm against the library docs.
DefaultAzureCredentialBuilder credentialProcessTimeout(Duration credentialProcessTimeout);
// NOTE(review): presumably skips validation of the authority against instance
// metadata. Only appropriate for private or disconnected clouds; with a public
// authority it removes a check that the login endpoint is a known one.
DefaultAzureCredentialBuilder disableInstanceDiscovery();
DefaultAzureCredential build();
}
Authenticate using Azure Managed Identity for Azure-hosted applications.
// Credential backed by the host's managed identity; no secret is held by the
// application, so nothing to rotate or leak from configuration. Only
// available on Azure-hosted compute (see prose above).
class ManagedIdentityCredential implements TokenCredential {
// Client id of the identity in use (user-assigned when one was selected).
String getClientId();
// Asynchronous token acquisition for the requested scopes.
Mono<AccessToken> getToken(TokenRequestContext request);
}
// Builder for ManagedIdentityCredential. clientId / resourceId / objectId each
// select a user-assigned identity; NOTE(review): presumably mutually exclusive
// and omitting all of them uses the system-assigned identity — confirm.
class ManagedIdentityCredentialBuilder extends CredentialBuilderBase<ManagedIdentityCredentialBuilder> {
ManagedIdentityCredentialBuilder clientId(String clientId);
ManagedIdentityCredentialBuilder resourceId(String resourceId);
ManagedIdentityCredentialBuilder objectId(String objectId);
ManagedIdentityCredentialBuilder executorService(ExecutorService executorService);
ManagedIdentityCredential build();
}
// Service-principal credential that proves identity with a client secret.
// Secrets are a shared static credential: prefer certificate, workload or
// managed identity where available, and rotate the secret on a schedule.
class ClientSecretCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for ClientSecretCredential (tenantId/clientId/authorityHost come from
// AadCredentialBuilderBase).
class ClientSecretCredentialBuilder extends AadCredentialBuilderBase<ClientSecretCredentialBuilder> {
// The client secret. Load it from a secret store or injected configuration at
// runtime; never embed it in source or log the builder's inputs. As a String
// it stays in the heap until collected, which is a known limitation of the API.
ClientSecretCredentialBuilder clientSecret(String clientSecret);
// Enables a persistent token cache on disk; see TokenCachePersistenceOptions
// for the unencrypted-storage caveat.
ClientSecretCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
ClientSecretCredential build();
}
// Service-principal credential that proves identity with a certificate
// (private key signs the client assertion). Preferred over a client secret.
class ClientCertificateCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for ClientCertificateCredential. The certificate input includes the
// private key, so the file (or stream source) must be protected like a secret.
class ClientCertificateCredentialBuilder extends AadCredentialBuilderBase<ClientCertificateCredentialBuilder> {
// PEM certificate + private key, read from a path.
ClientCertificateCredentialBuilder pemCertificate(String certificatePath);
// PEM certificate + private key, read from a stream (avoids leaving key
// material in a file path that other processes can read).
ClientCertificateCredentialBuilder pemCertificate(InputStream certificate);
// PFX/PKCS#12 bundle, read from a path.
ClientCertificateCredentialBuilder pfxCertificate(String certificatePath);
// PFX/PKCS#12 bundle, read from a stream.
ClientCertificateCredentialBuilder pfxCertificate(InputStream certificate);
// Password protecting the PFX; same handling rules as a client secret.
ClientCertificateCredentialBuilder clientCertificatePassword(String clientCertificatePassword);
ClientCertificateCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
// NOTE(review): presumably includes the certificate chain in the assertion so
// the service can validate by subject name / issuer — confirm before relying
// on it, since it changes which certificates the app registration accepts.
ClientCertificateCredentialBuilder sendCertificateChain(boolean sendCertificateChain);
ClientCertificateCredential build();
}
Service Principal Authentication
Authenticate users through interactive flows including browser-based and device code authentication.
// User credential that signs in through the system browser. Intended for
// desktop/developer use; it requires a user to be present.
class InteractiveBrowserCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
// Explicitly run the interactive login for the given scopes and return the
// resulting AuthenticationRecord (identifiers only — see that class).
Mono<AuthenticationRecord> authenticate(TokenRequestContext request);
// Explicitly run the interactive login with default scopes.
Mono<AuthenticationRecord> authenticate();
}
// Builder for InteractiveBrowserCredential.
class InteractiveBrowserCredentialBuilder extends AadCredentialBuilderBase<InteractiveBrowserCredentialBuilder> {
// Resume a previously authenticated account (pairs with a persisted cache)
// instead of prompting.
InteractiveBrowserCredentialBuilder authenticationRecord(AuthenticationRecord authenticationRecord);
InteractiveBrowserCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
// Redirect URL the browser returns the authorization response to. It must
// match the app registration exactly; a mismatch is rejected by the service.
InteractiveBrowserCredentialBuilder redirectUrl(String redirectUrl);
// With this set, getToken() no longer opens a browser on its own;
// NOTE(review): presumably it then fails with AuthenticationRequiredException
// so the application can decide when to call authenticate() — confirm.
InteractiveBrowserCredentialBuilder disableAutomaticAuthentication();
// Pre-fills the username in the login page; a hint only, not an identity claim.
InteractiveBrowserCredentialBuilder loginHint(String loginHint);
InteractiveBrowserCredentialBuilder browserCustomizationOptions(BrowserCustomizationOptions browserCustomizationOptions);
InteractiveBrowserCredential build();
}
// User credential for devices without a browser: the user completes login on
// another device using a code shown by this application (OAuth 2.0 device
// authorization flow).
class DeviceCodeCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
// Explicitly run the device-code login for the given scopes.
Mono<AuthenticationRecord> authenticate(TokenRequestContext request);
// Explicitly run the device-code login with default scopes.
Mono<AuthenticationRecord> authenticate();
}
// Builder for DeviceCodeCredential.
class DeviceCodeCredentialBuilder extends AadCredentialBuilderBase<DeviceCodeCredentialBuilder> {
// Callback that receives the challenge to present to the user. Show the user
// code / verification URL / message from DeviceCodeInfo; do not surface or log
// the device code, which is the client's half of the flow.
DeviceCodeCredentialBuilder challengeConsumer(Consumer<DeviceCodeInfo> challengeConsumer);
DeviceCodeCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
// Resume a previously authenticated account instead of prompting.
DeviceCodeCredentialBuilder authenticationRecord(AuthenticationRecord authenticationRecord);
// getToken() will not start a device-code prompt on its own; the application
// calls authenticate() explicitly.
DeviceCodeCredentialBuilder disableAutomaticAuthentication();
DeviceCodeCredential build();
}
Interactive User Authentication
Authenticate using cached credentials from Azure development tools.
// Developer credential that reuses the Azure CLI's logged-in session. Meant for
// local development; it authenticates as whoever ran `az login` on the host,
// so it should not be the credential a production service ends up using.
class AzureCliCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for AzureCliCredential.
class AzureCliCredentialBuilder extends CredentialBuilderBase<AzureCliCredentialBuilder> {
AzureCliCredentialBuilder tenantId(String tenantId);
// NOTE(review): the name implies the CLI is invoked as a child process and this
// bounds how long that invocation may run — confirm; a missing bound lets a hung
// CLI stall the caller.
AzureCliCredentialBuilder processTimeout(Duration processTimeout);
// Subscription passed to the CLI when requesting the token.
AzureCliCredentialBuilder subscription(String subscription);
// Extra tenants tokens may be requested for; keep to those actually needed.
AzureCliCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
AzureCliCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);
AzureCliCredential build();
}
// Developer credential that reuses the Azure PowerShell session on the host.
// Note that, unlike most credentials on this page, only the reactive getToken
// is listed; the blocking getTokenSync would be the TokenCredential default.
class AzurePowerShellCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
}
// Builder for AzurePowerShellCredential. No process timeout is listed here,
// unlike the CLI builders.
class AzurePowerShellCredentialBuilder extends CredentialBuilderBase<AzurePowerShellCredentialBuilder> {
AzurePowerShellCredentialBuilder tenantId(String tenantId);
// Extra tenants tokens may be requested for; keep to those actually needed.
AzurePowerShellCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
AzurePowerShellCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);
AzurePowerShellCredential build();
}
Support for specialized authentication scenarios including on-behalf-of flow and workload identity.
// Middle-tier credential: exchanges an incoming user token for a token to a
// downstream API, authenticating the service itself with a secret, certificate
// or assertion. The resulting token carries the user's identity, so scope it
// to exactly the downstream API needed.
class OnBehalfOfCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for OnBehalfOfCredential. Exactly one of the service's own proofs
// (clientSecret, pem/pfx certificate, clientAssertion) is expected together
// with the userAssertion — NOTE(review): confirm which combinations build().
class OnBehalfOfCredentialBuilder extends AadCredentialBuilderBase<OnBehalfOfCredentialBuilder> {
// Service-principal secret; same handling rules as ClientSecretCredentialBuilder.
OnBehalfOfCredentialBuilder clientSecret(String clientSecret);
OnBehalfOfCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
// Certificate + private key from a PEM file path (stream overloads are not
// listed for this builder).
OnBehalfOfCredentialBuilder pemCertificate(String pemCertificatePath);
// PFX/PKCS#12 bundle from a file path.
OnBehalfOfCredentialBuilder pfxCertificate(String pfxCertificatePath);
OnBehalfOfCredentialBuilder clientCertificatePassword(String clientCertificatePassword);
// See ClientCertificateCredentialBuilder.sendCertificateChain.
OnBehalfOfCredentialBuilder sendCertificateChain(boolean sendCertificateChain);
// The caller's incoming access token. It is a bearer credential: validate it
// before use, keep it out of logs, and do not persist it beyond the request.
OnBehalfOfCredentialBuilder userAssertion(String userAssertion);
// Supplier of a signed client assertion (JWT) proving the service's identity;
// it is invoked by the library, so it should mint short-lived assertions.
OnBehalfOfCredentialBuilder clientAssertion(Supplier<String> clientAssertionSupplier);
OnBehalfOfCredential build();
}
// Credential for workloads (e.g. Kubernetes pods) that receive a federated
// identity token file from the platform and exchange it for an Entra token.
// No long-lived secret is stored by the application.
class WorkloadIdentityCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for WorkloadIdentityCredential.
class WorkloadIdentityCredentialBuilder extends AadCredentialBuilderBase<WorkloadIdentityCredentialBuilder> {
// Path of the platform-provided token file. The file content is a credential;
// the path should be the platform mount, not a user-writable location.
WorkloadIdentityCredentialBuilder tokenFilePath(String tokenFilePath);
WorkloadIdentityCredential build();
}
Chain multiple credentials together and customize authentication behavior.
// Composite credential that tries its members in order and returns the first
// token obtained; DefaultAzureCredential extends it. Because any member may
// succeed, a chain should only contain credentials the deployment is meant to
// run as.
class ChainedTokenCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for ChainedTokenCredential. Note it does not extend
// CredentialBuilderBase, so pipeline/retry options are set on the members.
class ChainedTokenCredentialBuilder {
// Appends a credential; members are presumably tried in the order added, so
// put the intended production credential first.
ChainedTokenCredentialBuilder addLast(TokenCredential credential);
ChainedTokenCredential build();
}
Authenticate using environment variables for service principal credentials. Supports both client secret and client certificate authentication.
// Service-principal credential whose secret or certificate is read from the
// process environment (see prose above). Environment variables are inherited
// by child processes and show up in process listings/diagnostics, so prefer
// managed or workload identity where the platform offers one.
class EnvironmentCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for EnvironmentCredential; the identity inputs themselves come from
// the environment, not from builder calls.
class EnvironmentCredentialBuilder extends CredentialBuilderBase<EnvironmentCredentialBuilder> {
// Authority endpoint override; prefer an AzureAuthorityHosts constant.
EnvironmentCredentialBuilder authorityHost(String authorityHost);
EnvironmentCredentialBuilder executorService(ExecutorService executorService);
EnvironmentCredential build();
}
Authenticate using username and password credentials. Deprecated due to lack of multifactor authentication support.
// Deprecated: resource-owner password flow. The application handles the user's
// password directly and MFA cannot be satisfied; migrate to an interactive
// (browser / device code) or service credential.
@Deprecated
class UsernamePasswordCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
Mono<AuthenticationRecord> authenticate(TokenRequestContext request);
Mono<AuthenticationRecord> authenticate();
}
// Deprecated builder for UsernamePasswordCredential (see the class note).
@Deprecated
class UsernamePasswordCredentialBuilder extends AadCredentialBuilderBase<UsernamePasswordCredentialBuilder> {
UsernamePasswordCredentialBuilder username(String username);
// The user's password as a String; it cannot be zeroed after use and must be
// kept out of configuration files and logs.
UsernamePasswordCredentialBuilder password(String password);
UsernamePasswordCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
UsernamePasswordCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
UsernamePasswordCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);
UsernamePasswordCredential build();
}
Username Password Authentication
Authenticate using client assertions (JWT bearer tokens) for service principal authentication.
// Service-principal credential that authenticates with a caller-supplied signed
// JWT (client assertion), e.g. from a federated identity provider. The signing
// key never has to be present in this process.
class ClientAssertionCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for ClientAssertionCredential.
class ClientAssertionCredentialBuilder extends AadCredentialBuilderBase<ClientAssertionCredentialBuilder> {
// Supplier invoked by the library whenever an assertion is needed; it should
// return a fresh, short-lived JWT rather than a cached long-lived one, and
// should not block indefinitely.
ClientAssertionCredentialBuilder clientAssertion(Supplier<String> clientAssertionSupplier);
ClientAssertionCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
ClientAssertionCredential build();
}
Client Assertion Authentication
Authenticate using OAuth 2.0 authorization code flow for web applications.
// Web-application credential that redeems an OAuth 2.0 authorization code
// obtained from the browser redirect. Only the reactive getToken is listed.
class AuthorizationCodeCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
}
// Builder for AuthorizationCodeCredential.
class AuthorizationCodeCredentialBuilder extends AadCredentialBuilderBase<AuthorizationCodeCredentialBuilder> {
// The code from the redirect. It is single-use and short-lived; the web app
// should also have validated the accompanying state parameter before
// handing the code here.
AuthorizationCodeCredentialBuilder authorizationCode(String authCode);
// Must be the same redirect URL the code was issued for.
AuthorizationCodeCredentialBuilder redirectUrl(String redirectUrl);
// Confidential-client secret; same handling rules as ClientSecretCredentialBuilder.
AuthorizationCodeCredentialBuilder clientSecret(String clientSecret);
AuthorizationCodeCredential build();
}
Authorization Code Authentication
Authenticate using Azure Developer CLI (azd) cached credentials from development environments.
// Developer credential that reuses the Azure Developer CLI (azd) login on the
// host; for local development, not for deployed services.
class AzureDeveloperCliCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for AzureDeveloperCliCredential.
class AzureDeveloperCliCredentialBuilder extends CredentialBuilderBase<AzureDeveloperCliCredentialBuilder> {
AzureDeveloperCliCredentialBuilder tenantId(String tenantId);
// Bound on the azd invocation (see AzureCliCredentialBuilder.processTimeout).
AzureDeveloperCliCredentialBuilder processTimeout(Duration processTimeout);
// Extra tenants tokens may be requested for; keep to those actually needed.
AzureDeveloperCliCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
AzureDeveloperCliCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);
AzureDeveloperCliCredential build();
}
Azure Developer CLI Authentication
Authenticate using Azure Pipelines service connections for CI/CD scenarios.
// CI/CD credential that authenticates through an Azure Pipelines service
// connection using the pipeline's own access token, avoiding a stored
// service-principal secret in the pipeline.
class AzurePipelinesCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant of getToken.
AccessToken getTokenSync(TokenRequestContext request);
}
// Builder for AzurePipelinesCredential.
class AzurePipelinesCredentialBuilder extends AadCredentialBuilderBase<AzurePipelinesCredentialBuilder> {
// Identifier of the service connection to authenticate as.
AzurePipelinesCredentialBuilder serviceConnectionId(String serviceConnectionId);
// The pipeline job's access token. It is a bearer credential for the pipeline:
// pass it from the job's secret variable and keep it out of step output/logs.
AzurePipelinesCredentialBuilder systemAccessToken(String systemAccessToken);
AzurePipelinesCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
AzurePipelinesCredential build();
}
Azure Pipelines Authentication
Legacy mechanism for authenticating using MSAL shared token cache (formerly Visual Studio integration).
// Legacy credential that reads an account already present in the MSAL shared
// token cache on the machine (see prose above). Only the reactive getToken is
// listed.
class SharedTokenCacheCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
}
// Builder for SharedTokenCacheCredential.
class SharedTokenCacheCredentialBuilder extends AadCredentialBuilderBase<SharedTokenCacheCredentialBuilder> {
// Selects which cached account to use when several are present.
SharedTokenCacheCredentialBuilder username(String username);
SharedTokenCacheCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
// Selects the account by a previously saved AuthenticationRecord.
SharedTokenCacheCredentialBuilder authenticationRecord(AuthenticationRecord authenticationRecord);
SharedTokenCacheCredential build();
}
Shared Token Cache Authentication
Deprecated authentication using Visual Studio Code Azure Account extension credentials.
// Deprecated developer credential based on the VS Code Azure Account extension
// (see prose above). Only the reactive getToken is listed.
@Deprecated
class VisualStudioCodeCredential implements TokenCredential {
Mono<AccessToken> getToken(TokenRequestContext request);
}
// Deprecated builder for VisualStudioCodeCredential.
@Deprecated
class VisualStudioCodeCredentialBuilder extends CredentialBuilderBase<VisualStudioCodeCredentialBuilder> {
VisualStudioCodeCredentialBuilder tenantId(String tenantId);
// Extra tenants tokens may be requested for; keep to those actually needed.
VisualStudioCodeCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
VisualStudioCodeCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);
VisualStudioCodeCredential build();
}
Visual Studio Code Authentication
Configuration classes and utility functions for customizing authentication behavior.
// Well-known login endpoints for the public and sovereign clouds. Pass these
// constants to authorityHost(...) instead of hand-typed URLs: the authority is
// where credential material is sent, and a typo or a value taken from untrusted
// configuration would redirect that exchange. Note the trailing slash is part
// of each value.
class AzureAuthorityHosts {
static final String AZURE_PUBLIC_CLOUD = "https://login.microsoftonline.com/";
static final String AZURE_CHINA = "https://login.chinacloudapi.cn/";
static final String AZURE_GOVERNMENT = "https://login.microsoftonline.us/";
}
// Identifies an authenticated account so a later process can resume it from a
// persisted token cache without prompting. The getters listed here expose
// identifiers only (authority, account, tenant, client, username) — no token
// material — but a serialized record still reveals which account/tenant an
// installation uses and pairs with the cache, so store it with the same access
// controls as the cache.
class AuthenticationRecord {
String getAuthority();
String getHomeAccountId();
String getTenantId();
String getClientId();
String getUsername();
// Writes the record to the stream (format not specified on this page).
void serialize(OutputStream outputStream);
// Reads a record previously written by serialize(). NOTE(review): treat the
// input as untrusted configuration — a tampered record could point the
// credential at a different authority; confirm what validation the library does.
static AuthenticationRecord deserialize(InputStream inputStream);
}
// Challenge data handed to DeviceCodeCredentialBuilder.challengeConsumer. In
// the device authorization flow the user code, verification URL and message
// are meant to be displayed; the device code is the client's polling secret
// and should be neither displayed nor logged.
class DeviceCodeInfo {
DeviceCodeInfo(String userCode, String deviceCode, String verificationUrl, OffsetDateTime expiresOn, String message);
// Short code the user types at the verification URL.
String getUserCode();
// Client-side secret for the flow; keep it out of UI and logs.
String getDeviceCode();
// URL the user visits on another device.
String getVerificationUrl();
// When the challenge stops being valid; the consumer should expect the flow
// to fail after this point.
OffsetDateTime getExpiresOn();
// Ready-to-display instruction text combining code and URL.
String getMessage();
}
// Text shown in the browser after an InteractiveBrowserCredential login
// completes or fails. NOTE(review): the page does not say whether the messages
// are rendered as HTML; keep them static strings rather than interpolating
// runtime or user-influenced data.
class BrowserCustomizationOptions {
BrowserCustomizationOptions();
BrowserCustomizationOptions setSuccessMessage(String successMessage);
BrowserCustomizationOptions setErrorMessage(String errorMessage);
String getSuccessMessage();
String getErrorMessage();
}
// Options for the on-disk token cache offered by the tokenCachePersistenceOptions
// builder methods. A persistent cache holds tokens that grant access as the
// cached principal, so it is only as safe as the storage protecting it.
class TokenCachePersistenceOptions {
TokenCachePersistenceOptions();
// Permits the cache to be written without OS-level encryption.
// NOTE(review): presumably a fallback used when platform-protected storage is
// unavailable (headless Linux, for example) — confirm. Leave it false unless
// the host's filesystem permissions alone are an acceptable control; with it
// true, tokens may sit on disk in plaintext.
TokenCachePersistenceOptions setUnencryptedStorageAllowed(boolean unencryptedStorageAllowed);
boolean isUnencryptedStorageAllowed();
// Cache name; separate names keep unrelated applications from sharing tokens.
TokenCachePersistenceOptions setName(String name);
String getName();
}
// Helpers for integrating credentials with non-SDK clients.
class AuthenticationUtil {
// Wraps a credential as a supplier of raw bearer-token strings for the given
// scopes. Each value returned is a live access token: send it only to the
// intended resource, never log it, and do not cache it past its expiry
// (the supplier presumably handles renewal — confirm).
static Supplier<String> getBearerTokenSupplier(TokenCredential credential, String... scopes);
}
// Options shared by every credential builder: HTTP pipeline, retries, logging.
// Anything plugged in here (policies, pipeline, HttpClient) sits on the path
// that carries secrets and tokens to the authority, so it must be trusted code.
abstract class CredentialBuilderBase<T extends CredentialBuilderBase<T>> {
T maxRetry(int maxRetry);
T retryTimeout(Function<Duration, Duration> retryTimeout);
// Custom HTTP client; it must still validate TLS for the authority host.
T httpClient(HttpClient client);
T configuration(Configuration configuration);
T clientOptions(ClientOptions clientOptions);
// HTTP logging for the token requests. Bodies and Authorization headers of
// these requests contain credential material; keep header/body logging
// at the redacted defaults.
T httpLogOptions(HttpLogOptions logOptions);
T retryPolicy(RetryPolicy retryPolicy);
T retryOptions(RetryOptions retryOptions);
// Adds a policy that sees every token request and response.
T addPolicy(HttpPipelinePolicy policy);
// Replaces the whole pipeline used to talk to the authority.
T pipeline(HttpPipeline pipeline);
// Logs account identifiers (tenant/client/object ids, per the name) for
// troubleshooting. Identifiers are not secrets but do enrich logs with
// which principal is in use; enable deliberately.
T enableAccountIdentifierLogging();
}
// Options shared by builders that talk to Entra ID directly (tenant, client,
// authority). Multi-tenant settings widen where tokens may be issued for.
abstract class AadCredentialBuilderBase<T extends AadCredentialBuilderBase<T>> extends CredentialBuilderBase<T> {
// Authority endpoint; prefer an AzureAuthorityHosts constant.
T authorityHost(String authorityHost);
T clientId(String clientId);
T tenantId(String tenantId);
T executorService(ExecutorService executorService);
// Extra tenants tokens may be requested for; keep to those actually needed.
T additionallyAllowedTenants(String... additionallyAllowedTenants);
T additionallyAllowedTenants(List<String> additionallyAllowedTenants);
// NOTE(review): presumably skips authority validation against instance
// metadata; only for private/disconnected clouds — confirm.
T disableInstanceDiscovery();
// Named "unsafe" by the library: NOTE(review): presumably emits diagnostics
// that may include personal data or token details for support cases.
// Keep it off outside a short, supervised troubleshooting session.
T enableUnsafeSupportLogging();
}
// Thrown when a credential cannot attempt authentication in the current
// environment (missing configuration, tool not installed). NOTE(review):
// presumably this is the signal ChainedTokenCredential uses to move to the
// next member, whereas other failures stop the chain — confirm.
class CredentialUnavailableException extends ClientAuthenticationException {
CredentialUnavailableException(String message);
// Keep the cause attached; it is what makes the failure diagnosable.
CredentialUnavailableException(String message, Throwable cause);
}
// Raised by the interactive credentials when a user interaction is needed but
// automatic authentication has been disabled (see
// disableAutomaticAuthentication); the application then calls authenticate().
class AuthenticationRequiredException extends CredentialUnavailableException {
AuthenticationRequiredException(String message, TokenRequestContext request);
AuthenticationRequiredException(String message, TokenRequestContext request, Throwable cause);
// The request (scopes/tenant/claims) that could not be satisfied silently.
TokenRequestContext getTokenRequestContext();
}
// From azure-core - key interface implemented by all credentials
// Contract every credential on this page implements: turn a request for scopes
// into an access token. Implementations are the only component that should
// hold the underlying secret; callers see tokens, not secrets.
interface TokenCredential {
// Reactive token acquisition.
Mono<AccessToken> getToken(TokenRequestContext request);
// Blocking variant; provided as a default, so credentials that list only
// getToken still expose it.
default AccessToken getTokenSync(TokenRequestContext request);
}
// Token request context specifying the scopes and tenant
// What a caller asks a credential for.
class TokenRequestContext {
// Requested scopes; request the narrowest set the call needs.
List<String> getScopes();
// Tenant override for multi-tenant credentials (see additionallyAllowedTenants).
String getTenantId();
// NOTE(review): presumably a claims challenge returned by a resource (e.g.
// for continuous access evaluation) to be replayed to the authority — confirm.
String getClaims();
}
// Access token with expiration information
// A bearer token plus its expiry. Anyone holding the token string can act with
// it until it expires, so it must not be logged or persisted by application code.
class AccessToken {
// The raw bearer token.
String getToken();
OffsetDateTime getExpiresAt();
// Convenience check against getExpiresAt(); callers should refresh via the
// credential rather than keep using an expired token.
boolean isExpired();
}