Managed Identity authentication provides secure, credential-free authentication for applications running in Azure environments. It eliminates the need to store credentials in code or configuration files by leveraging Azure's managed identity service.
Authenticates using managed identities available in Azure hosting environments including VMs, App Service, Azure Functions, Azure Kubernetes Service, and Azure Service Fabric.
/**
* Attempts authentication using a managed identity available at the deployment environment.
* Works in Azure VMs, App Service instances, Azure Functions applications,
* Azure Kubernetes Services, Azure Service Fabric instances and inside Azure Cloud Shell.
*/
class ManagedIdentityCredential implements TokenCredential {
constructor(clientId: string, options?: TokenCredentialOptions);
constructor(options?: ManagedIdentityCredentialClientIdOptions);
constructor(options?: ManagedIdentityCredentialResourceIdOptions);
constructor(options?: ManagedIdentityCredentialObjectIdOptions);
getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
}
interface ManagedIdentityCredentialClientIdOptions extends TokenCredentialOptions {
/**
* The client ID of the user-assigned managed identity (or app registration when working with AKS pod-identity)
*/
clientId: string;
}
interface ManagedIdentityCredentialResourceIdOptions extends TokenCredentialOptions {
/**
* The resource ID of the user-assigned managed identity
*/
resourceId: string;
}
interface ManagedIdentityCredentialObjectIdOptions extends TokenCredentialOptions {
/**
* The object ID of the user-assigned managed identity
*/
objectId: string;
}Usage Examples:
import { ManagedIdentityCredential } from "@azure/identity";
import { KeyClient } from "@azure/keyvault-keys";
// System-assigned managed identity (no parameters needed)
const systemCredential = new ManagedIdentityCredential();
// User-assigned managed identity with client ID
const userCredential = new ManagedIdentityCredential("12345678-1234-1234-1234-123456789012");
// User-assigned managed identity with options object
const userCredentialWithOptions = new ManagedIdentityCredential({
clientId: "12345678-1234-1234-1234-123456789012"
});
// User-assigned managed identity with resource ID
const resourceCredential = new ManagedIdentityCredential({
resourceId: "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"
});
// User-assigned managed identity with object ID
const objectCredential = new ManagedIdentityCredential({
objectId: "12345678-1234-1234-1234-123456789012"
});
// Use with Azure SDK client
const client = new KeyClient("https://vault.vault.azure.net", systemCredential);Managed identity is automatically available on Azure VMs when enabled. The credential uses the Azure Instance Metadata Service (IMDS) endpoint.
// Works automatically on Azure VMs with managed identity enabled
const credential = new ManagedIdentityCredential();Managed identity is available when enabled in the App Service or Function App configuration.
// System-assigned managed identity
const credential = new ManagedIdentityCredential();
// User-assigned managed identity (specify client ID in app settings)
const credential = new ManagedIdentityCredential({
clientId: process.env.AZURE_CLIENT_ID
});Supports both Azure AD Pod Identity and Azure AD Workload Identity.
// Pod Identity with user-assigned managed identity
const credential = new ManagedIdentityCredential({
clientId: "your-managed-identity-client-id"
});
// Workload Identity (uses token exchange)
const credential = new ManagedIdentityCredential();Managed identity can be configured at the container group level.
const credential = new ManagedIdentityCredential();Uses Service Fabric-specific managed identity endpoint.
// Only system-assigned managed identity is supported
// User-assigned identities are not supported in Service Fabric
const credential = new ManagedIdentityCredential();Managed identity is automatically available in Cloud Shell sessions.
// Only system-assigned managed identity is supported
// User-assigned identities will throw an error in Cloud Shell
const credential = new ManagedIdentityCredential();Every Azure resource can have at most one system-assigned managed identity. No configuration is needed.
const credential = new ManagedIdentityCredential();Azure resources can have multiple user-assigned managed identities. You must specify which one to use.
By Client ID:
const credential = new ManagedIdentityCredential({
clientId: "12345678-1234-1234-1234-123456789012"
});By Resource ID:
const credential = new ManagedIdentityCredential({
resourceId: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"
});By Object ID:
const credential = new ManagedIdentityCredential({
objectId: "12345678-1234-1234-1234-123456789012"
});import { CredentialUnavailableError, AuthenticationError } from "@azure/identity";
try {
const credential = new ManagedIdentityCredential();
const token = await credential.getToken("https://graph.microsoft.com/.default");
} catch (error) {
if (error instanceof CredentialUnavailableError) {
// Managed identity is not available in this environment
console.log("Managed identity not available:", error.message);
} else if (error instanceof AuthenticationError) {
// Authentication failed (e.g., insufficient permissions)
console.log("Authentication failed:", error.message);
}
}Cloud Shell with User-Assigned Identity:
// This will throw an error
try {
const credential = new ManagedIdentityCredential({
clientId: "some-client-id"
});
} catch (error) {
// CredentialUnavailableError: Specifying a user-assigned managed identity
// is not supported for CloudShell at runtime
}Service Fabric with User-Assigned Identity:
// This will throw an error
try {
const credential = new ManagedIdentityCredential({
clientId: "some-client-id"
});
} catch (error) {
// CredentialUnavailableError: Service Fabric MSI does not support
// specifying user-assigned managed identity by client ID or resource ID
}ManagedIdentityCredential probes the IMDS endpoint before making token requests to fail fast in environments where managed identity is not available.
// The credential will quickly determine if managed identity is available
const credential = new ManagedIdentityCredential();
// If IMDS is not reachable, this will fail quickly with CredentialUnavailableError
try {
const token = await credential.getToken("https://vault.vault.azure.net/.default");
} catch (error) {
// Handle unavailable managed identity
}In AKS environments with workload identity, the credential automatically detects and uses token exchange flow for improved security.
// Automatically uses token exchange in AKS workload identity scenarios
const credential = new ManagedIdentityCredential();ManagedIdentityCredential is automatically included in DefaultAzureCredential's chain:
import { DefaultAzureCredential } from "@azure/identity";
// This will try ManagedIdentityCredential along with other credential types
const credential = new DefaultAzureCredential();
// Specify managed identity client ID for DefaultAzureCredential
const credential = new DefaultAzureCredential({
managedIdentityClientId: "12345678-1234-1234-1234-123456789012"
});
// Specify managed identity resource ID for DefaultAzureCredential
const credential = new DefaultAzureCredential({
managedIdentityResourceId: "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"
});