Default Authentication

DefaultAzureCredential provides simplified authentication that automatically tries multiple credential types in a predefined sequence. It's designed to work seamlessly across development and production environments without code changes.

Capabilities

DefaultAzureCredential

The primary credential for most Azure authentication scenarios. It attempts credentials in this order: EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential, and BrokerCredential.

/**
 * Provides a default ChainedTokenCredential configuration for most applications
 * Tries multiple credential types in sequence until one succeeds
 */
class DefaultAzureCredential extends ChainedTokenCredential {
  constructor(options?: DefaultAzureCredentialOptions);
  constructor(options?: DefaultAzureCredentialClientIdOptions);
  constructor(options?: DefaultAzureCredentialResourceIdOptions);
  getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
}

interface DefaultAzureCredentialOptions extends TokenCredentialOptions {
  /**
   * Credentials to exclude from the default credential chain
   */
  excludedCredentials?: ("EnvironmentCredential" | "ManagedIdentityCredential" | "AzureCliCredential" | "AzurePowerShellCredential" | "AzureDeveloperCliCredential" | "VisualStudioCodeCredential" | "WorkloadIdentityCredential" | "BrokerCredential")[];

  /**
   * Managed identity client ID to use when authenticating
   */
  managedIdentityClientId?: string;

  /**
   * Workload identity client ID
   */
  workloadIdentityClientId?: string;

  /**
   * Tenant ID for multi-tenant authentication
   */
  tenantId?: string;

  /**
   * Process timeout for developer credential tools
   */
  processTimeoutInMs?: number;

  /**
   * Interactive browser credential options when credential fails
   */
  interactiveBrowserCredentialOptions?: InteractiveBrowserCredentialNodeOptions;
}

interface DefaultAzureCredentialClientIdOptions extends DefaultAzureCredentialOptions {
  /**
   * Client ID for user-assigned managed identity authentication
   */
  managedIdentityClientId: string;
}

interface DefaultAzureCredentialResourceIdOptions extends DefaultAzureCredentialOptions {
  /**
   * Resource ID for user-assigned managed identity authentication
   */
  managedIdentityResourceId: string;
}

Usage Examples:

import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient } from "@azure/keyvault-keys";

// Basic usage - tries all credential types
const credential = new DefaultAzureCredential();
const client = new KeyClient("https://vault.vault.azure.net", credential);

// With client ID for user-assigned managed identity
const credentialWithClientId = new DefaultAzureCredential({
  managedIdentityClientId: "12345678-1234-1234-1234-123456789012"
});

// Exclude specific credential types
const credentialExcluding = new DefaultAzureCredential({
  excludedCredentials: ["AzureCliCredential", "AzurePowerShellCredential"]
});

// With custom tenant ID
const credentialWithTenant = new DefaultAzureCredential({
  tenantId: "12345678-1234-1234-1234-123456789012"
});

Factory Function

Convenience function that returns a new DefaultAzureCredential instance.

/**
 * Returns a new instance of DefaultAzureCredential
 * @returns New DefaultAzureCredential instance with default configuration
 */
function getDefaultAzureCredential(): TokenCredential;

Usage Example:

import { getDefaultAzureCredential } from "@azure/identity";

// Equivalent to new DefaultAzureCredential()
const credential = getDefaultAzureCredential();

Credential Chain Sequence

DefaultAzureCredential attempts authentication in this specific order:

  1. EnvironmentCredential - Reads authentication details from environment variables
  2. WorkloadIdentityCredential - Uses workload identity in Kubernetes environments
  3. ManagedIdentityCredential - Uses managed identity in Azure hosting environments
  4. VisualStudioCodeCredential - Uses VS Code Azure extension authentication
  5. AzureCliCredential - Uses Azure CLI logged-in user
  6. AzurePowerShellCredential - Uses Azure PowerShell logged-in user
  7. AzureDeveloperCliCredential - Uses Azure Developer CLI logged-in user
  8. BrokerCredential - Uses native OS broker (requires plugin)

The credential chain stops at the first successful authentication. If all credentials fail, an AggregateAuthenticationError is thrown containing details of all failures.

Environment Variables

DefaultAzureCredential recognizes these environment variables when using EnvironmentCredential:

interface DefaultAzureCredentialEnvVars {
  readonly AZURE_CLIENT_ID: "AZURE_CLIENT_ID";
  readonly AZURE_CLIENT_SECRET: "AZURE_CLIENT_SECRET";
  readonly AZURE_CLIENT_CERTIFICATE_PATH: "AZURE_CLIENT_CERTIFICATE_PATH";
  readonly AZURE_CLIENT_CERTIFICATE_PASSWORD: "AZURE_CLIENT_CERTIFICATE_PASSWORD";
  readonly AZURE_TENANT_ID: "AZURE_TENANT_ID";
  readonly AZURE_USERNAME: "AZURE_USERNAME";
  readonly AZURE_PASSWORD: "AZURE_PASSWORD";
  readonly AZURE_ADDITIONALLY_ALLOWED_TENANTS: "AZURE_ADDITIONALLY_ALLOWED_TENANTS";
  readonly AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN";
  readonly AZURE_FEDERATED_TOKEN_FILE: "AZURE_FEDERATED_TOKEN_FILE";
  readonly AZURE_AUTHORITY_HOST: "AZURE_AUTHORITY_HOST";
  readonly AZURE_DISABLE_INSTANCE_DISCOVERY: "AZURE_DISABLE_INSTANCE_DISCOVERY";
}
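The chain sequence and the environment-variable list above describe behaviour rather than show it, so here is an added, self-contained model of that behaviour. It is not code from @azure/identity: the EnvironmentCredential stand-in only checks that the page's variables form a complete set (tenant, client ID, and a secret or certificate path), every other link in the chain is a stub whose `available` flag is a constructed stand-in for "this host has IMDS / an az login / a broker", and the token strings are constructed so the test can see which link answered. The chain itself does what the page states: documented order, first success wins, `excludedCredentials` removes links, and one AggregateAuthenticationError carries all failures when nothing succeeds.

```javascript
// Added example (not @azure/identity code): a minimal chained credential that
// behaves the way this page describes DefaultAzureCredential. Names, flags and
// token strings below are constructed for illustration.

const DEFAULT_CHAIN_ORDER = [
  "EnvironmentCredential",
  "WorkloadIdentityCredential",
  "ManagedIdentityCredential",
  "VisualStudioCodeCredential",
  "AzureCliCredential",
  "AzurePowerShellCredential",
  "AzureDeveloperCliCredential",
  "BrokerCredential",
];

// Raised by a credential that is not configured/available on this host.
class CredentialUnavailableError extends Error {
  constructor(message) {
    super(message);
    this.name = "CredentialUnavailableError";
  }
}

// Raised by the chain when every link failed; keeps each failure for diagnostics.
class AggregateAuthenticationError extends Error {
  constructor(errors) {
    super(`All credentials failed: ${errors.map((e) => e.message).join("; ")}`);
    this.name = "AggregateAuthenticationError";
    this.errors = errors;
  }
}

// Constructed token: the source name is embedded so callers can see which link
// of the chain answered. A real AccessToken carries an opaque JWT instead.
function issueToken(source, scopes) {
  const scopeList = Array.isArray(scopes) ? scopes : [scopes];
  return { token: `${source}|${scopeList.join(" ")}`, expiresOnTimestamp: Date.now() + 3600 * 1000 };
}

// Stand-in for EnvironmentCredential: "configured" only when the variables form
// a complete set (tenant + client ID + secret or certificate path). Anything
// less is reported as unavailable so the chain moves on instead of failing hard.
class EnvironmentCredential {
  constructor(env) {
    this.name = "EnvironmentCredential";
    this.env = env;
  }
  async getToken(scopes) {
    const { AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_CLIENT_CERTIFICATE_PATH } = this.env;
    if (!AZURE_TENANT_ID || !AZURE_CLIENT_ID) {
      throw new CredentialUnavailableError(`${this.name}: AZURE_TENANT_ID and AZURE_CLIENT_ID are not both set`);
    }
    if (AZURE_CLIENT_SECRET) return issueToken(`${this.name}/clientSecret`, scopes);
    if (AZURE_CLIENT_CERTIFICATE_PATH) return issueToken(`${this.name}/certificate`, scopes);
    throw new CredentialUnavailableError(`${this.name}: neither AZURE_CLIENT_SECRET nor AZURE_CLIENT_CERTIFICATE_PATH is set`);
  }
}

// Stand-in for every other credential in the chain. `available` is a constructed
// flag standing for "does this host actually have IMDS / an az login / a broker".
class StubCredential {
  constructor(name, available) {
    this.name = name;
    this.available = available;
  }
  async getToken(scopes) {
    if (!this.available) throw new CredentialUnavailableError(`${this.name}: not available on this host`);
    return issueToken(this.name, scopes);
  }
}

// The chain: try links in order, return the first token, collect every failure.
class ChainedTokenCredential {
  constructor(sources) {
    this.sources = sources;
    this.attempted = []; // names tried on the last getToken call, for diagnostics
  }
  async getToken(scopes) {
    const errors = [];
    this.attempted = [];
    for (const credential of this.sources) {
      this.attempted.push(credential.name);
      try {
        return await credential.getToken(scopes); // first success wins
      } catch (err) {
        errors.push(err); // remember why this link failed, keep going
      }
    }
    throw new AggregateAuthenticationError(errors);
  }
}

// Builds the chain in the documented order, honouring excludedCredentials.
function buildDefaultChain({ env = {}, availability = {}, excludedCredentials = [] } = {}) {
  const sources = DEFAULT_CHAIN_ORDER
    .filter((name) => !excludedCredentials.includes(name))
    .map((name) => name === "EnvironmentCredential"
      ? new EnvironmentCredential(env)
      : new StubCredential(name, availability[name] === true));
  return new ChainedTokenCredential(sources);
}
```

Calling `buildDefaultChain({ availability: { ManagedIdentityCredential: true } }).getToken("https://vault.azure.net/.default")` returns a token attributed to ManagedIdentityCredential after only three links were tried, while `buildDefaultChain().getToken(...)` rejects with an AggregateAuthenticationError whose `errors` array holds one CredentialUnavailableError per link. The `attempted` list is the thing to inspect when a workload authenticates as an unexpected identity: it shows exactly which link answered, which is the question `excludedCredentials` exists to settle ahead of time.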

Common Patterns

Production Deployment

// In production, typically uses ManagedIdentityCredential automatically
const credential = new DefaultAzureCredential();

// For user-assigned managed identity in production
const userAssignedCredential = new DefaultAzureCredential({
  managedIdentityClientId: process.env.AZURE_CLIENT_ID
});

Local Development

// During development, typically uses AzureCliCredential or VisualStudioCodeCredential
const credential = new DefaultAzureCredential();

// Can exclude cloud-specific credentials during development
const localCredential = new DefaultAzureCredential({
  excludedCredentials: ["ManagedIdentityCredential", "WorkloadIdentityCredential"]
});

Multi-Tenant Scenarios

// Specify tenant for organization-specific authentication
const credential = new DefaultAzureCredential({
  tenantId: "your-tenant-id"
});