Azure Identity Java SDK for authentication with Azure services. Use when implementing DefaultAzureCredential, managed identity, service principal, or any Azure authentication pattern in Java applications.
Add this skill: `npx mdskills install sickn33/azure-identity-java`

Comprehensive reference guide with excellent code examples and credential selection matrix.
---
name: azure-identity-java
description: Azure Identity Java SDK for authentication with Azure services. Use when implementing DefaultAzureCredential, managed identity, service principal, or any Azure authentication pattern in Java applications.
package: com.azure:azure-identity
---

# Azure Identity (Java)

Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).

## Installation

```xml
<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.15.0</version>
</dependency>
```

## Key Concepts

| Credential | Use Case |
|------------|----------|
| `DefaultAzureCredential` | **Recommended** - Works in dev and production |
| `ManagedIdentityCredential` | Azure-hosted apps (App Service, Functions, VMs) |
| `EnvironmentCredential` | CI/CD pipelines with env vars |
| `ClientSecretCredential` | Service principals with secret |
| `ClientCertificateCredential` | Service principals with certificate |
| `AzureCliCredential` | Local dev using `az login` |
| `InteractiveBrowserCredential` | Interactive login flow |
| `DeviceCodeCredential` | Headless device authentication |

## DefaultAzureCredential (Recommended)

The `DefaultAzureCredential` tries multiple authentication methods in order:

1. Environment variables
2. Workload Identity
3. Managed Identity
4. Azure CLI
5. Azure PowerShell
6. Azure Developer CLI

```java
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;

// Simple usage
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();

// Use with any Azure client
BlobServiceClient blobClient = new BlobServiceClientBuilder()
    .endpoint("https://<storage-account>.blob.core.windows.net")
    .credential(credential)
    .buildClient();

KeyClient keyClient = new KeyClientBuilder()
    .vaultUrl("https://<vault-name>.vault.azure.net")
    .credential(credential)
    .buildClient();
```

### Configure DefaultAzureCredential

```java
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
    .managedIdentityClientId("<user-assigned-identity-client-id>") // For user-assigned MI
    .tenantId("<tenant-id>")                                       // Limit to specific tenant
    .excludeEnvironmentCredential()                                // Skip env vars
    .excludeAzureCliCredential()                                   // Skip Azure CLI
    .build();
```

## Managed Identity

For Azure-hosted applications (App Service, Functions, AKS, VMs).

```java
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;

// System-assigned managed identity
ManagedIdentityCredential systemAssigned = new ManagedIdentityCredentialBuilder()
    .build();

// User-assigned managed identity (by client ID)
ManagedIdentityCredential userAssignedByClientId = new ManagedIdentityCredentialBuilder()
    .clientId("<user-assigned-client-id>")
    .build();

// User-assigned managed identity (by resource ID)
ManagedIdentityCredential userAssignedByResourceId = new ManagedIdentityCredentialBuilder()
    .resourceId("/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>")
    .build();
```

## Service Principal with Secret

```java
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;

ClientSecretCredential credential = new ClientSecretCredentialBuilder()
    .tenantId("<tenant-id>")
    .clientId("<client-id>")
    .clientSecret("<client-secret>")
    .build();
```

## Service Principal with Certificate

```java
import com.azure.identity.ClientCertificateCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;

// From PEM file
ClientCertificateCredential pemCredential = new ClientCertificateCredentialBuilder()
    .tenantId("<tenant-id>")
    .clientId("<client-id>")
    .pemCertificate("<path-to-cert.pem>")
    .build();

// From PFX file with password
ClientCertificateCredential pfxCredential = new ClientCertificateCredentialBuilder()
    .tenantId("<tenant-id>")
    .clientId("<client-id>")
    .pfxCertificate("<path-to-cert.pfx>", "<pfx-password>")
    .build();

// Send certificate chain for SNI
ClientCertificateCredential sniCredential = new ClientCertificateCredentialBuilder()
    .tenantId("<tenant-id>")
    .clientId("<client-id>")
    .pemCertificate("<path-to-cert.pem>")
    .sendCertificateChain(true)
    .build();
```

## Environment Credential

Reads credentials from environment variables.

```java
import com.azure.identity.EnvironmentCredential;
import com.azure.identity.EnvironmentCredentialBuilder;

EnvironmentCredential credential = new EnvironmentCredentialBuilder().build();
```

### Required Environment Variables

**For service principal with secret:**
```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_SECRET=<client-secret>
```

**For service principal with certificate:**
```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pem
AZURE_CLIENT_CERTIFICATE_PASSWORD=<optional-password>
```

**For username/password:**
```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_USERNAME=<username>
AZURE_PASSWORD=<password>
```

## Azure CLI Credential

For local development using `az login`.

```java
import com.azure.identity.AzureCliCredential;
import com.azure.identity.AzureCliCredentialBuilder;

AzureCliCredential credential = new AzureCliCredentialBuilder()
    .tenantId("<tenant-id>") // Optional: specific tenant
    .build();
```

## Interactive Browser

For desktop applications requiring user login.

```java
import com.azure.identity.InteractiveBrowserCredential;
import com.azure.identity.InteractiveBrowserCredentialBuilder;

InteractiveBrowserCredential credential = new InteractiveBrowserCredentialBuilder()
    .clientId("<client-id>")
    .redirectUrl("http://localhost:8080") // Must match app registration
    .build();
```

## Device Code

For headless devices (IoT, CLI tools).

```java
import com.azure.identity.DeviceCodeCredential;
import com.azure.identity.DeviceCodeCredentialBuilder;

DeviceCodeCredential credential = new DeviceCodeCredentialBuilder()
    .clientId("<client-id>")
    .challengeConsumer(challenge -> {
        // Display the verification URL and user code to the user
        System.out.println(challenge.getMessage());
    })
    .build();
```

## Chained Credential

Create custom authentication chains.

```java
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.ChainedTokenCredential;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;

ChainedTokenCredential credential = new ChainedTokenCredentialBuilder()
    .addFirst(new ManagedIdentityCredentialBuilder().build())
    .addLast(new AzureCliCredentialBuilder().build())
    .build();
```

## Workload Identity (AKS)

For Azure Kubernetes Service with workload identity.

```java
import com.azure.identity.WorkloadIdentityCredential;
import com.azure.identity.WorkloadIdentityCredentialBuilder;

// Reads from AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE
WorkloadIdentityCredential credential = new WorkloadIdentityCredentialBuilder().build();

// Or explicit configuration
WorkloadIdentityCredential explicitCredential = new WorkloadIdentityCredentialBuilder()
    .tenantId("<tenant-id>")
    .clientId("<client-id>")
    .tokenFilePath("/var/run/secrets/azure/tokens/azure-identity-token")
    .build();
```

## Token Caching

Token caching reduces round-trips to Entra ID. In-memory caching is on by default for every credential; `SharedTokenCacheCredential` authenticates from a persistent cache shared with other Azure developer tools.

```java
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.identity.SharedTokenCacheCredential;
import com.azure.identity.SharedTokenCacheCredentialBuilder;

// In-memory token caching needs no configuration; enableAccountIdentifierLogging()
// only adds the authenticated account's identifiers to the logs.
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
    .enableAccountIdentifierLogging()
    .build();

// With shared token cache (for multi-credential scenarios)
SharedTokenCacheCredential sharedCacheCredential = new SharedTokenCacheCredentialBuilder()
    .clientId("<client-id>")
    .build();
```

## Sovereign Clouds

```java
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Azure Government
DefaultAzureCredential govCredential = new DefaultAzureCredentialBuilder()
    .authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)
    .build();

// Azure China
DefaultAzureCredential chinaCredential = new DefaultAzureCredentialBuilder()
    .authorityHost(AzureAuthorityHosts.AZURE_CHINA)
    .build();
```

## Error Handling

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

try {
    DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
    // getTokenSync blocks for the token; getToken returns a reactive Mono<AccessToken>
    AccessToken token = credential.getTokenSync(new TokenRequestContext()
        .addScopes("https://management.azure.com/.default"));
} catch (CredentialUnavailableException e) {
    // No credential in the chain could authenticate (subclass of ClientAuthenticationException,
    // so it must be caught first)
    System.out.println("Authentication failed: " + e.getMessage());
} catch (ClientAuthenticationException e) {
    // Authentication error (wrong credentials, expired, etc.)
    System.out.println("Auth error: " + e.getMessage());
}
```

## Logging

Enable authentication logging for debugging.

```java
// Via environment variable
// AZURE_LOG_LEVEL=verbose

// Or programmatically
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
    .enableAccountIdentifierLogging() // Log account info
    .build();
```

## Environment Variables

```bash
# DefaultAzureCredential configuration
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_SECRET=<client-secret>

# Managed Identity
AZURE_CLIENT_ID=<user-assigned-mi-client-id>

# Workload Identity (AKS)
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token

# Logging
AZURE_LOG_LEVEL=verbose

# Authority host
AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
```

## Best Practices

1. **Use DefaultAzureCredential** - Works seamlessly from dev to production
2. **Managed Identity in Production** - No secrets to manage, automatic rotation
3. **Azure CLI for Local Dev** - Run `az login` before running your app
4. **Least Privilege** - Grant only required permissions to service principals
5. **Token Caching** - Enabled by default, reduces auth round-trips
6. **Environment Variables** - Use for CI/CD, not hardcoded secrets

## Credential Selection Matrix

| Environment | Recommended Credential |
|-------------|----------------------|
| Local Development | `DefaultAzureCredential` (uses Azure CLI) |
| Azure App Service | `DefaultAzureCredential` (uses Managed Identity) |
| Azure Functions | `DefaultAzureCredential` (uses Managed Identity) |
| Azure Kubernetes Service | `WorkloadIdentityCredential` |
| Azure VMs | `DefaultAzureCredential` (uses Managed Identity) |
| CI/CD Pipeline | `EnvironmentCredential` |
| Desktop App | `InteractiveBrowserCredential` |
| CLI Tool | `DeviceCodeCredential` |

## Trigger Phrases

- "Azure authentication Java", "DefaultAzureCredential Java"
- "managed identity Java", "service principal Java"
- "Azure login Java", "Azure credentials Java"
- "AZURE_CLIENT_ID", "AZURE_TENANT_ID"
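The Configure DefaultAzureCredential, Chained Credential and Credential Selection Matrix sections above describe narrowing the chain per environment. The following is an added example (not code from the skill or from the Azure SDK) of a factory that builds the narrowest credential for the detected runtime: workload identity on AKS, managed identity only on other Azure hosts, and a CLI-based chain for local work. `APP_ENV` is an assumed deployment marker; the `AZURE_*` names are the SDK's real variables, and `AzureDeveloperCliCredentialBuilder` is the SDK's builder for the Azure Developer CLI entry in the default chain.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.AzureDeveloperCliCredentialBuilder;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.identity.WorkloadIdentityCredentialBuilder;

/**
 * Builds the narrowest credential that fits the runtime instead of letting
 * DefaultAzureCredential probe every mechanism everywhere. A production host
 * then fails closed when misconfigured rather than authenticating with whatever
 * secret or developer login happens to be present in its environment.
 */
public final class CredentialFactory {

    public enum Runtime { LOCAL, AKS, AZURE_HOST }

    /** Derives the runtime from environment markers. APP_ENV is assumed, not an SDK variable. */
    public static Runtime detectRuntime() {
        if (System.getenv("AZURE_FEDERATED_TOKEN_FILE") != null) {
            return Runtime.AKS;        // workload identity projected a federated token file
        }
        if ("production".equalsIgnoreCase(System.getenv("APP_ENV"))) {
            return Runtime.AZURE_HOST; // App Service, Functions, VM: managed identity only
        }
        return Runtime.LOCAL;
    }

    public static TokenCredential build(Runtime runtime) {
        switch (runtime) {
            case AKS: {
                // Reads AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_FEDERATED_TOKEN_FILE.
                return new WorkloadIdentityCredentialBuilder().build();
            }
            case AZURE_HOST: {
                ManagedIdentityCredentialBuilder builder = new ManagedIdentityCredentialBuilder();
                String userAssignedClientId = System.getenv("AZURE_CLIENT_ID");
                if (userAssignedClientId != null && !userAssignedClientId.isEmpty()) {
                    builder.clientId(userAssignedClientId); // omit for system-assigned identity
                }
                // No EnvironmentCredential or CLI fallback here on purpose.
                return builder.build();
            }
            case LOCAL:
            default: {
                AzureCliCredentialBuilder cli = new AzureCliCredentialBuilder();
                String tenant = System.getenv("AZURE_TENANT_ID");
                if (tenant != null && !tenant.isEmpty()) {
                    cli.tenantId(tenant); // pin the tenant so a wrong `az login` context is rejected
                }
                return new ChainedTokenCredentialBuilder()
                    .addFirst(cli.build())
                    .addLast(new AzureDeveloperCliCredentialBuilder().build())
                    .build();
            }
        }
    }

    public static TokenCredential build() {
        return build(detectRuntime());
    }

    public static void main(String[] args) {
        Runtime runtime = detectRuntime();
        TokenCredential credential = build(runtime);
        System.out.println("runtime=" + runtime + " credential=" + credential.getClass().getSimpleName());
    }
}
```

The point of the explicit chain is that an application deployed to App Service cannot be steered into using a leaked `AZURE_CLIENT_SECRET` or a stray developer login: only the managed identity is ever consulted, and its absence is a hard startup failure that shows up in monitoring.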
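The Error Handling, Logging and Token Caching sections above leave open how a service should treat the two exception types and what it is safe to log. As an added example (not the skill's or the SDK's code), the helper below acquires an app-only token with `getTokenSync`, fails closed on both `CredentialUnavailableException` and `ClientAuthenticationException`, logs only the scope and expiry (never the bearer value), and exposes a refresh check against the cached token's `getExpiresAt()`. `FatalAuthException` and the `/.default` scope rule are this example's own conventions, not SDK behaviour.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.DefaultAzureCredentialBuilder;

import java.time.Duration;
import java.time.OffsetDateTime;
import java.util.logging.Logger;

/** Acquires app-only tokens and turns authentication failures into a single fail-closed error. */
public final class TokenAcquirer {
    private static final Logger LOG = Logger.getLogger(TokenAcquirer.class.getName());

    /** Raised when the process cannot authenticate at all; callers should stop, not retry blindly. */
    public static final class FatalAuthException extends RuntimeException {
        FatalAuthException(String message, Throwable cause) { super(message, cause); }
    }

    private final TokenCredential credential;

    public TokenAcquirer(TokenCredential credential) {
        this.credential = credential;
    }

    /** Requests a token for one resource scope. App-only scopes take the form <resource>/.default. */
    public AccessToken acquire(String scope) {
        if (scope == null || !scope.endsWith("/.default")) {
            // This helper serves non-interactive (daemon) callers; delegated scopes belong elsewhere.
            throw new IllegalArgumentException("app-only scope must end with /.default: " + scope);
        }
        TokenRequestContext context = new TokenRequestContext().addScopes(scope);
        try {
            AccessToken token = credential.getTokenSync(context);
            // Log provenance metadata only: the token string is a bearer secret and must
            // never reach logs; scope and expiry are enough to diagnose most problems.
            LOG.info(() -> "token for " + scope + " valid until " + token.getExpiresAt());
            return token;
        } catch (CredentialUnavailableException e) {
            // No mechanism in the chain could even attempt authentication (missing env vars,
            // no `az login`, no IMDS endpoint). That is a deployment defect; fail closed.
            throw new FatalAuthException("no usable credential for " + scope, e);
        } catch (ClientAuthenticationException e) {
            // Entra ID rejected the request (bad secret, expired certificate, wrong tenant).
            // Retrying with the same credential will not help; surface the failure.
            throw new FatalAuthException("Entra ID rejected authentication for " + scope, e);
        }
    }

    /** True when the cached token expires inside the window and should be refreshed before use. */
    public static boolean expiresWithin(AccessToken token, Duration window) {
        return token.getExpiresAt().isBefore(OffsetDateTime.now().plus(window));
    }

    public static void main(String[] args) {
        TokenAcquirer acquirer = new TokenAcquirer(new DefaultAzureCredentialBuilder().build());
        AccessToken token = acquirer.acquire("https://management.azure.com/.default");
        System.out.println("refresh within 5 minutes? " + expiresWithin(token, Duration.ofMinutes(5)));
    }
}
```

Because `CredentialUnavailableException` extends `ClientAuthenticationException`, the catch order matters; the first branch distinguishes "nothing configured" from "configured but rejected", which is the split an on-call engineer needs when the alert fires.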