# Default Azure Credential


The DefaultAzureCredential is the recommended credential type for most applications. It combines multiple credential types in a chain, attempting each in sequence until one successfully authenticates. This approach simplifies authentication code while supporting both development and production environments.


## Credential Chain Order


DefaultAzureCredential tries the following credentials in order:

1. **EnvironmentCredential** - Environment variables (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, etc.)
2. **WorkloadIdentityCredential** - Azure Kubernetes Service workload identity
3. **ManagedIdentityCredential** - Azure managed identity (system or user-assigned)
4. **SharedTokenCacheCredential** - Shared token cache from Azure CLI or Visual Studio
5. **IntelliJCredential** - Azure Toolkit for IntelliJ
6. **AzureCliCredential** - Azure CLI authentication
7. **AzurePowerShellCredential** - Azure PowerShell authentication
8. **AzureDeveloperCliCredential** - Azure Developer CLI authentication

## Basic Usage

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;

// Simple usage - use defaults
TokenCredential credential = new DefaultAzureCredentialBuilder().build();

// Use with Azure SDK client
BlobServiceClient client = new BlobServiceClientBuilder()
    .endpoint("https://mystorageaccount.blob.core.windows.net/")
    .credential(credential)
    .buildClient();
```

## Configuration

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Configure specific options
TokenCredential credential = new DefaultAzureCredentialBuilder()
    .authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)    // Use government cloud
    .managedIdentityClientId("user-assigned-mi-client-id")  // Specify user-assigned MI
    .tenantId("tenant-id")                                  // Specify tenant
    .additionallyAllowedTenants("*")                        // Allow any tenant (wildcard); list tenant IDs to restrict
    .build();
```

## Environment Variables

DefaultAzureCredential recognizes these environment variables:

- **AZURE_CLIENT_ID** - Client ID for service principal authentication
- **AZURE_CLIENT_SECRET** - Client secret for service principal authentication
- **AZURE_CLIENT_CERTIFICATE_PATH** - Path to client certificate
- **AZURE_CLIENT_CERTIFICATE_PASSWORD** - Certificate password
- **AZURE_TENANT_ID** - Azure tenant ID
- **AZURE_AUTHORITY_HOST** - Microsoft Entra ID authority host
- **AZURE_USERNAME** - Username for username/password authentication
- **AZURE_PASSWORD** - Password for username/password authentication

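Because EnvironmentCredential sits first in the chain, a leftover service principal secret in the environment is tried before managed identity. The following startup audit is an added example, not part of the original documentation or the Azure SDK; the class name is hypothetical, and the variable groupings are the ones Azure Identity documents for EnvironmentCredential rather than something stated on this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example, not Azure SDK code. Reports which variable sets are complete
// enough for EnvironmentCredential, without ever printing a secret value.
public class EnvCredentialAudit {

    private static boolean has(Map<String, String> env, String... names) {
        for (String n : names) {
            String v = env.get(n);
            if (v == null || v.isBlank()) return false;
        }
        return true;
    }

    /** Pass System.getenv() in real use; a plain map keeps this checkable offline. */
    public static List<String> audit(Map<String, String> env) {
        List<String> out = new ArrayList<>();
        if (has(env, "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"))
            out.add("ACTIVE service principal (client secret)");
        if (has(env, "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"))
            out.add("ACTIVE service principal (certificate)");
        if (has(env, "AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD"))
            out.add("ACTIVE username/password");
        boolean active = !out.isEmpty();
        // Secrets left in the environment are flagged even when their set is incomplete
        for (String s : List.of("AZURE_CLIENT_SECRET", "AZURE_PASSWORD", "AZURE_CLIENT_CERTIFICATE_PASSWORD"))
            if (has(env, s)) out.add("SECRET " + s + " is set (value withheld)");
        if (has(env, "AZURE_AUTHORITY_HOST"))
            out.add("AUTHORITY " + env.get("AZURE_AUTHORITY_HOST"));
        out.add(active
            ? "RESULT EnvironmentCredential is first in the chain and is tried before managed identity"
            : "RESULT EnvironmentCredential is unavailable; the chain moves on");
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a deployment that kept a service principal secret from an older setup
        Map<String, String> sample = Map.of(
            "AZURE_TENANT_ID", "00000000-0000-0000-0000-000000000000",
            "AZURE_CLIENT_ID", "11111111-1111-1111-1111-111111111111",
            "AZURE_CLIENT_SECRET", "constructed-placeholder");
        audit(sample).forEach(System.out::println);
        System.out.println("--- current process ---");
        audit(System.getenv()).forEach(System.out::println);
    }
}
```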

## Excluding Credentials

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Exclude specific credential types from the chain
TokenCredential credential = new DefaultAzureCredentialBuilder()
    .excludeEnvironmentCredential()        // Skip environment variables
    .excludeManagedIdentityCredential()    // Skip managed identity
    .excludeSharedTokenCacheCredential()   // Skip shared token cache
    .excludeAzureCliCredential()           // Skip Azure CLI
    .excludeAzurePowerShellCredential()    // Skip Azure PowerShell
    .excludeAzureDeveloperCliCredential()  // Skip Azure Developer CLI
    .excludeIntelliJCredential()           // Skip IntelliJ
    .excludeVisualStudioCodeCredential()   // Skip VS Code
    .build();
```

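Another way to narrow what can authenticate is to build the chain explicitly per environment, so production accepts managed identity only and an unknown environment fails closed. This is an added example, not code from the original documentation or the Azure SDK; the class name and the `APP_ENV` and `MI_CLIENT_ID` variable names are assumptions.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.AzureDeveloperCliCredentialBuilder;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;

// Added example: an explicit, environment-specific credential selection.
public final class CredentialFactory {

    private CredentialFactory() { }

    /**
     * appEnv and miClientId come from hypothetical APP_ENV / MI_CLIENT_ID variables.
     * Production never consults environment secrets or developer tool logins.
     */
    public static TokenCredential forEnvironment(String appEnv, String miClientId) {
        if ("production".equals(appEnv)) {
            ManagedIdentityCredentialBuilder mi = new ManagedIdentityCredentialBuilder();
            if (miClientId != null && !miClientId.isBlank()) {
                mi.clientId(miClientId); // user-assigned identity; omit for system-assigned
            }
            return mi.build();
        }
        if ("development".equals(appEnv)) {
            // Developer tool logins only, tried in this order
            return new ChainedTokenCredentialBuilder()
                .addLast(new AzureCliCredentialBuilder().build())
                .addLast(new AzureDeveloperCliCredentialBuilder().build())
                .build();
        }
        // Fail closed: an unset or misspelled value must not fall back to a wider chain
        throw new IllegalStateException(
            "APP_ENV must be 'production' or 'development', got: " + appEnv);
    }

    public static void main(String[] args) {
        TokenCredential credential =
            forEnvironment(System.getenv("APP_ENV"), System.getenv("MI_CLIENT_ID"));
        System.out.println("Using " + credential.getClass().getSimpleName());
    }
}
```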

## Error Handling

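```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.DefaultAzureCredentialBuilder;

try {
    TokenCredential credential = new DefaultAzureCredentialBuilder().build();
    AccessToken token = credential.getTokenSync(
        new TokenRequestContext().addScopes("https://management.azure.com/.default")
    );
    System.out.println("Authentication successful");
} catch (CredentialUnavailableException e) {
    // No credential in the chain could be used in this environment
    System.err.println("No credential available: " + e.getMessage());
} catch (ClientAuthenticationException e) {
    // A credential was available but the authentication attempt was rejected
    System.err.println("Authentication failed: " + e.getMessage());
}
```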

## API Reference

```java { .api }
class DefaultAzureCredential extends ChainedTokenCredential implements TokenCredential {
    // Inherits getToken methods from ChainedTokenCredential
}

class DefaultAzureCredentialBuilder extends CredentialBuilderBase<DefaultAzureCredentialBuilder> {
    // Authority and tenant configuration
    DefaultAzureCredentialBuilder authorityHost(String authorityHost);
    DefaultAzureCredentialBuilder tenantId(String tenantId);
    DefaultAzureCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
    DefaultAzureCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);

    // Managed identity configuration
    DefaultAzureCredentialBuilder managedIdentityClientId(String clientId);
    DefaultAzureCredentialBuilder managedIdentityResourceId(String resourceId);

    // Credential exclusions
    DefaultAzureCredentialBuilder excludeEnvironmentCredential();
    DefaultAzureCredentialBuilder excludeWorkloadIdentityCredential();
    DefaultAzureCredentialBuilder excludeManagedIdentityCredential();
    DefaultAzureCredentialBuilder excludeSharedTokenCacheCredential();
    DefaultAzureCredentialBuilder excludeAzureCliCredential();
    DefaultAzureCredentialBuilder excludeAzurePowerShellCredential();
    DefaultAzureCredentialBuilder excludeAzureDeveloperCliCredential();
    DefaultAzureCredentialBuilder excludeIntelliJCredential();
    DefaultAzureCredentialBuilder excludeVisualStudioCodeCredential();

    // Build method
    DefaultAzureCredential build();
}
```

## Best Practices

1. **Use in Production**: DefaultAzureCredential is designed for production use and handles multiple authentication scenarios
2. **Environment-Specific Configuration**: Configure appropriate exclusions for your deployment environment
3. **Managed Identity First**: In Azure environments, ensure managed identity is properly configured as it's more secure than secrets
4. **Development vs Production**: Use developer credentials locally, managed identity or service principals in production
5. **Error Handling**: Always wrap authentication calls in try-catch blocks to handle credential unavailability
6. **Token Caching**: DefaultAzureCredential automatically handles token caching and refresh