Azure Identity Py

1---
2name: azure-identity-py
3description: |
4  Azure Identity SDK for Python authentication. Use for DefaultAzureCredential, managed identity, service principals, and token caching.
5  Triggers: "azure-identity", "DefaultAzureCredential", "authentication", "managed identity", "service principal", "credential".
6package: azure-identity
7---
8 
9# Azure Identity SDK for Python
10 
11Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).
12 
13## Installation
14 
15```bash
16pip install azure-identity
17```
18 
19## Environment Variables
20 
21```bash
22# Service Principal (for production/CI)
23AZURE_TENANT_ID=<your-tenant-id>
24AZURE_CLIENT_ID=<your-client-id>
25AZURE_CLIENT_SECRET=<your-client-secret>
26 
27# User-assigned Managed Identity (optional)
28AZURE_CLIENT_ID=<managed-identity-client-id>
29```
30 
31## DefaultAzureCredential
32 
33The recommended credential for most scenarios. Tries multiple authentication methods in order:
34 
35```python
36from azure.identity import DefaultAzureCredential
37from azure.storage.blob import BlobServiceClient
38 
39# Works in local dev AND production without code changes
40credential = DefaultAzureCredential()
41 
42client = BlobServiceClient(
43    account_url="https://<account>.blob.core.windows.net",
44    credential=credential
45)
46```
47 
48### Credential Chain Order
49 
50| Order | Credential | Environment |
51|-------|-----------|-------------|
52| 1 | EnvironmentCredential | CI/CD, containers |
53| 2 | WorkloadIdentityCredential | Kubernetes |
54| 3 | ManagedIdentityCredential | Azure VMs, App Service, Functions |
55| 4 | SharedTokenCacheCredential | Windows only |
56| 5 | VisualStudioCodeCredential | VS Code with Azure extension |
57| 6 | AzureCliCredential | `az login` |
58| 7 | AzurePowerShellCredential | `Connect-AzAccount` |
59| 8 | AzureDeveloperCliCredential | `azd auth login` |
60 
61### Customizing DefaultAzureCredential
62 
63```python
64# Exclude credentials you don't need
65credential = DefaultAzureCredential(
66    exclude_environment_credential=True,
67    exclude_shared_token_cache_credential=True,
68    managed_identity_client_id="<user-assigned-mi-client-id>"  # For user-assigned MI
69)
70 
71# Enable interactive browser (disabled by default)
72credential = DefaultAzureCredential(
73    exclude_interactive_browser_credential=False
74)
75```
76 
77## Specific Credential Types
78 
79### ManagedIdentityCredential
80 
81For Azure-hosted resources (VMs, App Service, Functions, AKS):
82 
83```python
84from azure.identity import ManagedIdentityCredential
85 
86# System-assigned managed identity
87credential = ManagedIdentityCredential()
88 
89# User-assigned managed identity
90credential = ManagedIdentityCredential(
91    client_id="<user-assigned-mi-client-id>"
92)
93```
94 
95### ClientSecretCredential
96 
97For service principal with secret:
98 
99```python
100from azure.identity import ClientSecretCredential
101 
102credential = ClientSecretCredential(
103    tenant_id=os.environ["AZURE_TENANT_ID"],
104    client_id=os.environ["AZURE_CLIENT_ID"],
105    client_secret=os.environ["AZURE_CLIENT_SECRET"]
106)
107```
108 
109### AzureCliCredential
110 
111Uses the account from `az login`:
112 
113```python
114from azure.identity import AzureCliCredential
115 
116credential = AzureCliCredential()
117```
118 
119### ChainedTokenCredential
120 
121Custom credential chain:
122 
123```python
124from azure.identity import (
125    ChainedTokenCredential,
126    ManagedIdentityCredential,
127    AzureCliCredential
128)
129 
130# Try managed identity first, fall back to CLI
131credential = ChainedTokenCredential(
132    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
133    AzureCliCredential()
134)
135```
136 
137## Credential Types Table
138 
139| Credential | Use Case | Auth Method |
140|------------|----------|-------------|
141| `DefaultAzureCredential` | Most scenarios | Auto-detect |
142| `ManagedIdentityCredential` | Azure-hosted apps | Managed Identity |
143| `ClientSecretCredential` | Service principal | Client secret |
144| `ClientCertificateCredential` | Service principal | Certificate |
145| `AzureCliCredential` | Local development | Azure CLI |
146| `AzureDeveloperCliCredential` | Local development | Azure Developer CLI |
147| `InteractiveBrowserCredential` | User sign-in | Browser OAuth |
148| `DeviceCodeCredential` | Headless/SSH | Device code flow |
149 
150## Getting Tokens Directly
151 
152```python
153from azure.identity import DefaultAzureCredential
154 
155credential = DefaultAzureCredential()
156 
157# Get token for a specific scope
158token = credential.get_token("https://management.azure.com/.default")
159print(f"Token expires: {token.expires_on}")
160 
161# For Azure Database for PostgreSQL
162token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
163```
164 
165## Async Client
166 
167```python
168from azure.identity.aio import DefaultAzureCredential
169from azure.storage.blob.aio import BlobServiceClient
170 
171async def main():
172    credential = DefaultAzureCredential()
173    
174    async with BlobServiceClient(
175        account_url="https://<account>.blob.core.windows.net",
176        credential=credential
177    ) as client:
178        # ... async operations
179        pass
180    
181    await credential.close()
182```
183 
184## Best Practices
185 
1861. **Use DefaultAzureCredential** for code that runs locally and in Azure
1872. **Never hardcode credentials** — use environment variables or managed identity
1883. **Prefer managed identity** in production Azure deployments
1894. **Use ChainedTokenCredential** when you need a custom credential order
1905. **Close async credentials** explicitly or use context managers
1916. **Set AZURE_CLIENT_ID** for user-assigned managed identities
1927. **Exclude unused credentials** to speed up authentication
193