tessl/maven-com-azure--azure-identity

The Azure Identity library provides Microsoft Entra ID token authentication support across the Azure SDK with a comprehensive set of TokenCredential implementations.

docs/default-azure-credential.md

Default Azure Credential

The DefaultAzureCredential is the recommended credential type for most applications. It combines multiple credential types in a chain, attempting each in sequence until one successfully authenticates. This approach simplifies authentication code while supporting both development and production environments.

Credential Chain Order

DefaultAzureCredential tries the following credentials in order:

  1. EnvironmentCredential - Environment variables (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, etc.)
  2. WorkloadIdentityCredential - Azure Kubernetes Service workload identity
  3. ManagedIdentityCredential - Azure managed identity (system or user-assigned)
  4. SharedTokenCacheCredential - Shared token cache from Azure CLI or Visual Studio
  5. IntelliJCredential - Azure Toolkit for IntelliJ
  6. AzureCliCredential - Azure CLI authentication
  7. AzurePowerShellCredential - Azure PowerShell authentication
  8. AzureDeveloperCliCredential - Azure Developer CLI authentication

Basic Usage

import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;

// Simple usage - use defaults
TokenCredential credential = new DefaultAzureCredentialBuilder().build();

// Use with an Azure SDK client (here azure-storage-blob)
BlobServiceClient client = new BlobServiceClientBuilder()
    .endpoint("https://mystorageaccount.blob.core.windows.net/")
    .credential(credential)
    .buildClient();

Configuration

import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Configure specific options
TokenCredential credential = new DefaultAzureCredentialBuilder()
    .authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)  // Use government cloud
    .managedIdentityClientId("user-assigned-mi-client-id")  // Specify user-assigned MI
    .tenantId("tenant-id")  // Specify tenant
    .additionallyAllowedTenants("*")  // Allow token requests for any tenant (wildcard); pass explicit tenant IDs instead to restrict
    .build();

Environment Variables

DefaultAzureCredential recognizes these environment variables:

  • AZURE_CLIENT_ID - Client ID for service principal authentication
  • AZURE_CLIENT_SECRET - Client secret for service principal authentication
  • AZURE_CLIENT_CERTIFICATE_PATH - Path to client certificate
  • AZURE_CLIENT_CERTIFICATE_PASSWORD - Certificate password
  • AZURE_TENANT_ID - Azure tenant ID
  • AZURE_AUTHORITY_HOST - Microsoft Entra ID authority host
  • AZURE_USERNAME - Username for username/password authentication
  • AZURE_PASSWORD - Password for username/password authentication

Excluding Credentials

import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Exclude specific credential types from the chain
TokenCredential credential = new DefaultAzureCredentialBuilder()
    .excludeEnvironmentCredential()  // Skip environment variables
    .excludeManagedIdentityCredential()  // Skip managed identity
    .excludeSharedTokenCacheCredential()  // Skip shared token cache
    .excludeAzureCliCredential()  // Skip Azure CLI
    .excludeAzurePowerShellCredential()  // Skip Azure PowerShell
    .excludeAzureDeveloperCliCredential()  // Skip Azure Developer CLI
    .excludeIntelliJCredential()  // Skip IntelliJ
    .excludeVisualStudioCodeCredential()  // Skip VS Code
    .build();

Error Handling

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.DefaultAzureCredentialBuilder;

try {
    TokenCredential credential = new DefaultAzureCredentialBuilder().build();
    AccessToken token = credential.getTokenSync(
        new TokenRequestContext().addScopes("https://management.azure.com/.default")
    );
    System.out.println("Authentication successful");
} catch (CredentialUnavailableException e) {
    // Thrown when every credential in the chain was unable to authenticate;
    // it is a subclass of ClientAuthenticationException, so it must be caught first
    System.err.println("No credential available: " + e.getMessage());
} catch (ClientAuthenticationException e) {
    // A credential was selected but the token request was rejected
    System.err.println("Authentication failed: " + e.getMessage());
}

API Reference

class DefaultAzureCredential extends ChainedTokenCredential implements TokenCredential {
    // Inherits getToken methods from ChainedTokenCredential
}

class DefaultAzureCredentialBuilder extends CredentialBuilderBase<DefaultAzureCredentialBuilder> {
    // Authority and tenant configuration
    DefaultAzureCredentialBuilder authorityHost(String authorityHost);
    DefaultAzureCredentialBuilder tenantId(String tenantId);
    DefaultAzureCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants);
    DefaultAzureCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants);
    
    // Managed identity configuration
    DefaultAzureCredentialBuilder managedIdentityClientId(String clientId);
    DefaultAzureCredentialBuilder managedIdentityResourceId(String resourceId);
    
    // Credential exclusions
    DefaultAzureCredentialBuilder excludeEnvironmentCredential();
    DefaultAzureCredentialBuilder excludeWorkloadIdentityCredential();
    DefaultAzureCredentialBuilder excludeManagedIdentityCredential();
    DefaultAzureCredentialBuilder excludeSharedTokenCacheCredential();
    DefaultAzureCredentialBuilder excludeAzureCliCredential();
    DefaultAzureCredentialBuilder excludeAzurePowerShellCredential();
    DefaultAzureCredentialBuilder excludeAzureDeveloperCliCredential();
    DefaultAzureCredentialBuilder excludeIntelliJCredential();
    DefaultAzureCredentialBuilder excludeVisualStudioCodeCredential();
    
    // Build method
    DefaultAzureCredential build();
}

Best Practices

  1. Use in Production: DefaultAzureCredential is designed for production use and handles multiple authentication scenarios
  2. Environment-Specific Configuration: Configure appropriate exclusions for your deployment environment
  3. Managed Identity First: In Azure environments, ensure managed identity is properly configured; it is more secure than secrets because the application never stores or rotates a credential itself
  4. Development vs Production: Use developer credentials locally, managed identity or service principals in production
  5. Error Handling: Always wrap authentication calls in try-catch blocks to handle credential unavailability
  6. Token Caching: DefaultAzureCredential automatically handles token caching and refresh
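The following is an added example, not code from the azure-identity project or its documentation, that applies best practices 2 to 6 together: it shapes the chain by deployment environment (excluding the developer-tool credentials in production so only EnvironmentCredential, WorkloadIdentityCredential and ManagedIdentityCredential remain), restricts tenants to an explicit list rather than "*", builds the credential once so the library's token cache is shared by every client, and probes it at startup with the exception handling shown above. The class names CredentialFactory and ProbeResult, the APP_ENV variable and the tenant ID are assumptions for this example.

```java
import java.util.Arrays;
import java.util.List;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.DefaultAzureCredentialBuilder;

/**
 * Added example: builds one DefaultAzureCredential per process, shaped by the deployment
 * environment, and probes it once at startup so a misconfiguration fails fast instead of
 * surfacing on the first SDK client call. CredentialFactory, ProbeResult, APP_ENV and the
 * tenant ID below are names and placeholder values assumed for this example.
 */
public final class CredentialFactory {

    // Assumed: the deployment stage is exposed through APP_ENV ("production" or anything else).
    private static final String ENV_VAR = "APP_ENV";

    // Assumed placeholder: the tenant(s) this service may request tokens for.
    private static final List<String> ALLOWED_TENANTS =
            Arrays.asList("00000000-0000-0000-0000-000000000000");

    /** Outcome of the startup probe; separates "no credential" from "credential rejected". */
    public static final class ProbeResult {
        public enum Status { OK, UNAVAILABLE, REJECTED }
        public final Status status;
        public final String detail;
        ProbeResult(Status status, String detail) { this.status = status; this.detail = detail; }
    }

    private CredentialFactory() {}

    /** Builds the chain; in production every developer-tool credential is excluded. */
    public static TokenCredential build(String appEnv) {
        DefaultAzureCredentialBuilder builder = new DefaultAzureCredentialBuilder()
                // An explicit tenant list instead of "*": a token request against an unexpected
                // tenant then fails visibly rather than being honoured.
                .additionallyAllowedTenants(ALLOWED_TENANTS);

        if ("production".equalsIgnoreCase(appEnv)) {
            // Leaves EnvironmentCredential, WorkloadIdentityCredential and
            // ManagedIdentityCredential in the chain, so a developer login that happens to be
            // present on the host is never picked up by the service.
            builder.excludeSharedTokenCacheCredential()
                   .excludeIntelliJCredential()
                   .excludeAzureCliCredential()
                   .excludeAzurePowerShellCredential()
                   .excludeAzureDeveloperCliCredential()
                   .excludeVisualStudioCodeCredential();
        }
        return builder.build();
    }

    /**
     * Requests a single token for the scope and classifies the outcome. The credential returned
     * by build() should be shared by all SDK clients: tokens are cached and refreshed inside that
     * one instance, so building a credential per client defeats the cache.
     */
    public static ProbeResult probe(TokenCredential credential, String scope) {
        try {
            AccessToken token = credential.getTokenSync(new TokenRequestContext().addScopes(scope));
            return new ProbeResult(ProbeResult.Status.OK, "token acquired, expires " + token.getExpiresAt());
        } catch (CredentialUnavailableException e) {
            // Every credential in the chain declined; the message lists each one's reason.
            return new ProbeResult(ProbeResult.Status.UNAVAILABLE, e.getMessage());
        } catch (ClientAuthenticationException e) {
            // A credential was selected but Entra ID rejected it (bad secret, wrong tenant, ...).
            return new ProbeResult(ProbeResult.Status.REJECTED, e.getMessage());
        }
    }

    public static void main(String[] args) {
        String appEnv = System.getenv(ENV_VAR) == null ? "development" : System.getenv(ENV_VAR);
        TokenCredential credential = build(appEnv);
        ProbeResult result = probe(credential, "https://management.azure.com/.default");
        System.out.println(appEnv + ": " + result.status + " - " + result.detail);
        if (result.status != ProbeResult.Status.OK) {
            System.exit(1);  // refuse to start without a working identity
        }
    }
}
```

Run with `APP_ENV=production` on an Azure host and the probe reports UNAVAILABLE if neither environment variables, workload identity nor managed identity are configured; locally, without APP_ENV, the developer credentials stay in the chain and the same code picks up an Azure CLI login. The probe result comes back as a value rather than a log line so a health check or startup hook can act on it.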

Install with Tessl CLI

npx tessl i tessl/maven-com-azure--azure-identity
