Developer tool authentication enables seamless authentication using credentials from installed development tools. These credentials are ideal for local development scenarios and provide a smooth development experience without requiring separate credential management.
Authenticate using the signed-in user from Azure CLI. This credential leverages the az command-line tool's cached authentication.
/**
* Enables authentication to Microsoft Entra ID using the Azure CLI's cached credentials
* Uses the account logged in via 'az login' command
*/
class AzureCliCredential implements TokenCredential {
constructor(options?: AzureCliCredentialOptions);
getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
}
interface AzureCliCredentialOptions extends TokenCredentialOptions {
/**
* The tenant ID to use for authentication
*/
tenantId?: string;
/**
* Timeout for the CLI process in milliseconds
*/
processTimeoutInMs?: number;
/**
* Allows specification of additional tenant IDs for multi-tenant authentication
*/
additionallyAllowedTenants?: string[];
}Usage Examples:
import { AzureCliCredential } from "@azure/identity";
// Basic Azure CLI authentication
const credential = new AzureCliCredential();
// With specific tenant
const credentialWithTenant = new AzureCliCredential({
tenantId: "12345678-1234-1234-1234-123456789012"
});
// With custom timeout
const credentialWithTimeout = new AzureCliCredential({
processTimeoutInMs: 30000 // 30 seconds
});
// Get token
const token = await credential.getToken("https://graph.microsoft.com/.default");Prerequisites:
az command available)az loginAuthenticate using the signed-in user from Azure PowerShell. This credential leverages PowerShell's Connect-AzAccount cached authentication.
/**
* Enables authentication to Microsoft Entra ID using Azure PowerShell's cached credentials
* Uses the account connected via 'Connect-AzAccount' cmdlet
*/
class AzurePowerShellCredential implements TokenCredential {
constructor(options?: AzurePowerShellCredentialOptions);
getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
}
interface AzurePowerShellCredentialOptions extends TokenCredentialOptions {
/**
* The tenant ID to use for authentication
*/
tenantId?: string;
/**
* Timeout for the PowerShell process in milliseconds
*/
processTimeoutInMs?: number;
/**
* Allows specification of additional tenant IDs for multi-tenant authentication
*/
additionallyAllowedTenants?: string[];
}Usage Examples:
import { AzurePowerShellCredential } from "@azure/identity";
// Basic Azure PowerShell authentication
const credential = new AzurePowerShellCredential();
// With specific tenant
const credentialWithTenant = new AzurePowerShellCredential({
tenantId: "12345678-1234-1234-1234-123456789012"
});
// With custom timeout
const credentialWithTimeout = new AzurePowerShellCredential({
processTimeoutInMs: 45000 // 45 seconds
});
// Get token
const token = await credential.getToken("https://management.azure.com/.default");Prerequisites:
Connect-AzAccountAuthenticate using the signed-in user from Azure Developer CLI. This credential uses the azd tool's cached authentication.
/**
* Enables authentication to Microsoft Entra ID using Azure Developer CLI's cached credentials
* Uses the account logged in via 'azd auth login' command
*/
class AzureDeveloperCliCredential implements TokenCredential {
constructor(options?: AzureDeveloperCliCredentialOptions);
getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
}
interface AzureDeveloperCliCredentialOptions extends TokenCredentialOptions {
/**
* The tenant ID to use for authentication
*/
tenantId?: string;
/**
* Timeout for the CLI process in milliseconds
*/
processTimeoutInMs?: number;
/**
* Allows specification of additional tenant IDs for multi-tenant authentication
*/
additionallyAllowedTenants?: string[];
}Usage Examples:
import { AzureDeveloperCliCredential } from "@azure/identity";
// Basic Azure Developer CLI authentication
const credential = new AzureDeveloperCliCredential();
// With specific tenant
const credentialWithTenant = new AzureDeveloperCliCredential({
tenantId: "12345678-1234-1234-1234-123456789012"
});
// With custom timeout
const credentialWithTimeout = new AzureDeveloperCliCredential({
processTimeoutInMs: 20000 // 20 seconds
});
// Get token
const token = await credential.getToken("https://graph.microsoft.com/.default");Prerequisites:
azd command available)azd auth loginAuthenticate using the signed-in user from Visual Studio Code Azure extension. This credential requires the VS Code plugin to be installed and configured.
/**
* Enables authentication to Microsoft Entra ID using Visual Studio Code's
* Azure Account extension cached credentials
*/
class VisualStudioCodeCredential implements TokenCredential {
constructor(options?: VisualStudioCodeCredentialOptions);
getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
}
interface VisualStudioCodeCredentialOptions extends TokenCredentialOptions {
/**
* The tenant ID to use for authentication
*/
tenantId?: string;
/**
* The client ID for the VS Code Azure extension
*/
clientId?: string;
}Usage Examples:
import { VisualStudioCodeCredential, useIdentityPlugin } from "@azure/identity";
import { vsCodePlugin } from "@azure/identity-vscode";
// Configure the VS Code plugin
useIdentityPlugin(vsCodePlugin);
// Basic VS Code authentication
const credential = new VisualStudioCodeCredential();
// With specific tenant
const credentialWithTenant = new VisualStudioCodeCredential({
tenantId: "12345678-1234-1234-1234-123456789012"
});
// Get token
const token = await credential.getToken("https://graph.microsoft.com/.default");Prerequisites:
@azure/identity-vscode package installeduseIdentityPlugin(vsCodePlugin)Developer tool credentials can be configured using environment variables:
AZURE_TENANT_ID - Specify tenant IDAZURE_ADDITIONALLY_ALLOWED_TENANTS - Additional allowed tenantsAZURE_TENANT_ID - Specify tenant IDAZURE_ADDITIONALLY_ALLOWED_TENANTS - Additional allowed tenantsAZURE_TENANT_ID - Specify tenant IDAZURE_ADDITIONALLY_ALLOWED_TENANTS - Additional allowed tenantsThe VS Code credential requires a separate plugin package:
import { useIdentityPlugin } from "@azure/identity";
import { vsCodePlugin } from "@azure/identity-vscode";
// Must be called before using VisualStudioCodeCredential
useIdentityPlugin(vsCodePlugin);/**
* Configures plugins for the @azure/identity package
* @param plugin - The plugin to configure
*/
function useIdentityPlugin(plugin: IdentityPlugin): void;
interface IdentityPlugin {
name: string;
// Plugin-specific implementation details
}import { CredentialUnavailableError } from "@azure/identity";
try {
const credential = new AzureCliCredential();
const token = await credential.getToken("https://graph.microsoft.com/.default");
} catch (error) {
if (error instanceof CredentialUnavailableError) {
// Tool not installed, not logged in, or process failed
console.log("Azure CLI credential not available:", error.message);
}
}Azure CLI Not Available:
// Throws CredentialUnavailableError if:
// - Azure CLI not installed
// - Not logged in (az login required)
// - CLI process times out
// - Invalid tenant specifiedAzure PowerShell Not Available:
// Throws CredentialUnavailableError if:
// - Azure PowerShell not installed
// - Not connected (Connect-AzAccount required)
// - PowerShell process times out
// - Invalid tenant specifiedVS Code Not Available:
// Throws CredentialUnavailableError if:
// - VS Code not installed
// - Azure Account extension not installed
// - Plugin not configured
// - Not signed in through VS CodeAll developer tool credentials are automatically included in DefaultAzureCredential's chain:
import { DefaultAzureCredential } from "@azure/identity";
// This will try all developer tool credentials along with others
const credential = new DefaultAzureCredential();
// Exclude specific developer tools
const credential = new DefaultAzureCredential({
excludedCredentials: ["AzureCliCredential", "AzurePowerShellCredential"]
});
// Set process timeout for all developer tool credentials
const credential = new DefaultAzureCredential({
processTimeoutInMs: 30000
});// Development: Use DefaultAzureCredential for flexibility
const credential = new DefaultAzureCredential();
// Production: Exclude developer tools for security
const productionCredential = new DefaultAzureCredential({
excludedCredentials: [
"AzureCliCredential",
"AzurePowerShellCredential",
"AzureDeveloperCliCredential",
"VisualStudioCodeCredential"
]
});// Set appropriate timeouts for your environment
const credential = new AzureCliCredential({
processTimeoutInMs: 10000 // 10 seconds for fast networks
});
const slowNetworkCredential = new AzureCliCredential({
processTimeoutInMs: 60000 // 60 seconds for slow networks
});// Allow access to additional tenants
const credential = new AzureCliCredential({
additionallyAllowedTenants: ["*"] // Allow any tenant
});
const specificTenants = new AzureCliCredential({
additionallyAllowedTenants: [
"tenant-1-id",
"tenant-2-id"
]
});