# Default Azure Credential

The DefaultAzureCredential is the recommended credential type for most applications. It combines multiple credential types in a chain, attempting each in sequence until one successfully authenticates. This approach simplifies authentication code while supporting both development and production environments.

## Credential Chain Order

DefaultAzureCredential tries the following credentials in order:

1. **EnvironmentCredential** - Environment variables (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, etc.)
2. **WorkloadIdentityCredential** - Azure Kubernetes Service workload identity
3. **ManagedIdentityCredential** - Azure managed identity (system or user-assigned)
4. **SharedTokenCacheCredential** - Shared token cache from Azure CLI or Visual Studio
5. **IntelliJCredential** - Azure Toolkit for IntelliJ
6. **AzureCliCredential** - Azure CLI authentication
7. **AzurePowerShellCredential** - Azure PowerShell authentication
8. **AzureDeveloperCliCredential** - Azure Developer CLI authentication

## Basic Usage

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;

// Simple usage - use defaults
TokenCredential credential = new DefaultAzureCredentialBuilder().build();

// Use with Azure SDK client
BlobServiceClient client = new BlobServiceClientBuilder()
    .endpoint("https://mystorageaccount.blob.core.windows.net/")
    .credential(credential)
    .buildClient();
```

## Configuration

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Configure specific options
TokenCredential credential = new DefaultAzureCredentialBuilder()
    .authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT) // Use government cloud
    .managedIdentityClientId("user-assigned-mi-client-id") // Specify user-assigned MI
    .tenantId("tenant-id") // Specify tenant
    .additionallyAllowedTenants("*") // Allow any tenant; pass explicit tenant IDs instead when the set is known
    .build();
```

## Environment Variables

DefaultAzureCredential recognizes these environment variables:

- **AZURE_CLIENT_ID** - Client ID for service principal authentication
- **AZURE_CLIENT_SECRET** - Client secret for service principal authentication
- **AZURE_CLIENT_CERTIFICATE_PATH** - Path to client certificate
- **AZURE_CLIENT_CERTIFICATE_PASSWORD** - Certificate password
- **AZURE_TENANT_ID** - Azure tenant ID
- **AZURE_AUTHORITY_HOST** - Microsoft Entra ID authority host
- **AZURE_USERNAME** - Username for username/password authentication
- **AZURE_PASSWORD** - Password for username/password authentication

## Excluding Credentials

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Exclude specific credential types from the chain
TokenCredential credential = new DefaultAzureCredentialBuilder()
    .excludeEnvironmentCredential() // Skip environment variables
    .excludeManagedIdentityCredential() // Skip managed identity
    .excludeSharedTokenCacheCredential() // Skip shared token cache
    .excludeAzureCliCredential() // Skip Azure CLI
    .excludeAzurePowerShellCredential() // Skip Azure PowerShell
    .excludeAzureDeveloperCliCredential() // Skip Azure Developer CLI
    .excludeIntelliJCredential() // Skip IntelliJ
    .excludeVisualStudioCodeCredential() // Skip VS Code
    .build();
```

## Error Handling

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.DefaultAzureCredentialBuilder;

try {
    TokenCredential credential = new DefaultAzureCredentialBuilder().build();
    AccessToken token = credential.getTokenSync(
        new TokenRequestContext().addScopes("https://management.azure.com/.default")
    );
    System.out.println("Authentication successful");
} catch (CredentialUnavailableException e) {
    // Every credential in the chain reported that it could not run; this is a subclass
    // of ClientAuthenticationException, so it must be caught first
    System.err.println("No credential available: " + e.getMessage());
} catch (ClientAuthenticationException e) {
    // A credential did run, but the token request was rejected
    System.err.println("Authentication failed: " + e.getMessage());
}
```

## API Reference

```java { .api }
class DefaultAzureCredential extends ChainedTokenCredential implements TokenCredential {
    // Inherits getToken methods from ChainedTokenCredential
}

class DefaultAzureCredentialBuilder extends CredentialBuilderBase<DefaultAzureCredentialBuilder> {
    // Authority and tenant configuration
    DefaultAzureCredentialBuilder authorityHost(String authorityHost);
    DefaultAzureCredentialBuilder tenantId(String tenantId);
    DefaultAzureCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
    DefaultAzureCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);

    // Managed identity configuration
    DefaultAzureCredentialBuilder managedIdentityClientId(String clientId);
    DefaultAzureCredentialBuilder managedIdentityResourceId(String resourceId);

    // Credential exclusions
    DefaultAzureCredentialBuilder excludeEnvironmentCredential();
    DefaultAzureCredentialBuilder excludeWorkloadIdentityCredential();
    DefaultAzureCredentialBuilder excludeManagedIdentityCredential();
    DefaultAzureCredentialBuilder excludeSharedTokenCacheCredential();
    DefaultAzureCredentialBuilder excludeAzureCliCredential();
    DefaultAzureCredentialBuilder excludeAzurePowerShellCredential();
    DefaultAzureCredentialBuilder excludeAzureDeveloperCliCredential();
    DefaultAzureCredentialBuilder excludeIntelliJCredential();
    DefaultAzureCredentialBuilder excludeVisualStudioCodeCredential();

    // Build method
    DefaultAzureCredential build();
}
```

## Best Practices

1. **Use in Production**: DefaultAzureCredential is designed for production use and covers multiple authentication scenarios.
2. **Environment-Specific Configuration**: Configure the exclusions appropriate to each deployment environment.
3. **Managed Identity First**: In Azure environments, make sure managed identity is configured; it avoids storing secrets and is therefore more secure than client secrets.
4. **Development vs Production**: Use developer credentials locally and managed identity or service principals in production.
5. **Error Handling**: Always wrap authentication calls in try-catch blocks so that credential unavailability is handled.
6. **Token Caching**: DefaultAzureCredential handles token caching and refresh automatically.
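
An added example (not code from this page or from the Azure SDK) showing how to narrow the chain per environment, as best practices 2 to 4 above recommend: production keeps only the identity-backed credentials and pins the tenant, while local development drops the managed identity probe and environment-variable credential. `CredentialFactory`, `APP_ENV` and `MANAGED_IDENTITY_CLIENT_ID` are names assumed for this example.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

/** Builds a DefaultAzureCredential whose chain is narrowed to what the deployment environment should use. */
public final class CredentialFactory {
    private CredentialFactory() {}

    /**
     * @param production               true when the process runs on Azure compute (AKS, App Service, VM, Functions)
     * @param managedIdentityClientId  client ID of a user-assigned managed identity, or null for the system-assigned one
     * @param tenantId                 the single tenant this workload is expected to authenticate against
     */
    public static TokenCredential build(boolean production, String managedIdentityClientId, String tenantId) {
        // Pin the tenant and deliberately do not call additionallyAllowedTenants("*"):
        // a token for an unexpected tenant is a misconfiguration, not a success.
        DefaultAzureCredentialBuilder builder = new DefaultAzureCredentialBuilder().tenantId(tenantId);

        if (production) {
            // Leave only the identity-backed credentials (environment variables and
            // workload/managed identity). Developer-tool credentials should never be
            // reachable from a production process, so remove them from the chain.
            builder.excludeSharedTokenCacheCredential()
                   .excludeIntelliJCredential()
                   .excludeVisualStudioCodeCredential()
                   .excludeAzureCliCredential()
                   .excludeAzurePowerShellCredential()
                   .excludeAzureDeveloperCliCredential();
            if (managedIdentityClientId != null) {
                builder.managedIdentityClientId(managedIdentityClientId);
            }
        } else {
            // Local development: skip the managed identity probe (there is no IMDS endpoint
            // off Azure, so it only adds timeout latency) and skip environment variables so a
            // stray AZURE_CLIENT_SECRET in a shell profile cannot silently outrank the
            // developer's own signed-in identity.
            builder.excludeManagedIdentityCredential()
                   .excludeWorkloadIdentityCredential()
                   .excludeEnvironmentCredential();
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // APP_ENV and MANAGED_IDENTITY_CLIENT_ID are variable names assumed for this example.
        boolean production = "production".equals(System.getenv("APP_ENV"));
        TokenCredential credential = build(production,
                System.getenv("MANAGED_IDENTITY_CLIENT_ID"), System.getenv("AZURE_TENANT_ID"));
        System.out.println("Credential chain built for " + (production ? "production" : "development"));
    }
}
```

The returned credential is used exactly like the one in Basic Usage above; the narrowing only changes which chain members are ever consulted.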