Authenticate to Azure services using Azure Identity SDK for JavaScript (@azure/identity). Use when configuring authentication with DefaultAzureCredential, managed identity, service principals, or interactive browser login.
Add this skill
npx mdskills install sickn33/azure-identity-ts
Comprehensive Azure authentication reference with clear examples across all credential types
---
name: azure-identity-ts
description: Authenticate to Azure services using Azure Identity SDK for JavaScript (@azure/identity). Use when configuring authentication with DefaultAzureCredential, managed identity, service principals, or interactive browser login.
package: "@azure/identity"
---

# Azure Identity SDK for TypeScript

Authenticate to Azure services with various credential types.

## Installation

```bash
npm install @azure/identity
```

## Environment Variables

### Service Principal (Secret)

```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_SECRET=<client-secret>
```

### Service Principal (Certificate)

```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pem
AZURE_CLIENT_CERTIFICATE_PASSWORD=<optional-password>
```

### Workload Identity (Kubernetes)

```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/tokens/azure-identity
```

## DefaultAzureCredential (Recommended)

```typescript
import { DefaultAzureCredential } from "@azure/identity";

const credential = new DefaultAzureCredential();

// Use with any Azure SDK client
import { BlobServiceClient } from "@azure/storage-blob";
const blobClient = new BlobServiceClient(
  "https://<account>.blob.core.windows.net",
  credential
);
```

**Credential Chain Order:**
1. EnvironmentCredential
2. WorkloadIdentityCredential
3. ManagedIdentityCredential
4. VisualStudioCodeCredential
5. AzureCliCredential
6. AzurePowerShellCredential
7. AzureDeveloperCliCredential

## Managed Identity

### System-Assigned

```typescript
import { ManagedIdentityCredential } from "@azure/identity";

const credential = new ManagedIdentityCredential();
```

### User-Assigned (by Client ID)

```typescript
const credential = new ManagedIdentityCredential({
  clientId: "<user-assigned-client-id>"
});
```

### User-Assigned (by Resource ID)

```typescript
const credential = new ManagedIdentityCredential({
  resourceId: "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>"
});
```

## Service Principal

### Client Secret

```typescript
import { ClientSecretCredential } from "@azure/identity";

const credential = new ClientSecretCredential(
  "<tenant-id>",
  "<client-id>",
  "<client-secret>"
);
```

### Client Certificate

```typescript
import { ClientCertificateCredential } from "@azure/identity";

const credential = new ClientCertificateCredential(
  "<tenant-id>",
  "<client-id>",
  { certificatePath: "/path/to/cert.pem" }
);

// With password
const credentialWithPwd = new ClientCertificateCredential(
  "<tenant-id>",
  "<client-id>",
  {
    certificatePath: "/path/to/cert.pem",
    certificatePassword: "<password>"
  }
);
```

## Interactive Authentication

### Browser-Based Login

```typescript
import { InteractiveBrowserCredential } from "@azure/identity";

const credential = new InteractiveBrowserCredential({
  clientId: "<client-id>",
  tenantId: "<tenant-id>",
  loginHint: "user@example.com"
});
```

### Device Code Flow

```typescript
import { DeviceCodeCredential } from "@azure/identity";

const credential = new DeviceCodeCredential({
  clientId: "<client-id>",
  tenantId: "<tenant-id>",
  userPromptCallback: (info) => {
    console.log(info.message);
    // "To sign in, use a web browser to open..."
  }
});
```

## Custom Credential Chain

```typescript
import {
  ChainedTokenCredential,
  ManagedIdentityCredential,
  AzureCliCredential
} from "@azure/identity";

// Try managed identity first, fall back to CLI
const credential = new ChainedTokenCredential(
  new ManagedIdentityCredential(),
  new AzureCliCredential()
);
```

## Developer Credentials

### Azure CLI

```typescript
import { AzureCliCredential } from "@azure/identity";

const credential = new AzureCliCredential();
// Uses: az login
```

### Azure Developer CLI

```typescript
import { AzureDeveloperCliCredential } from "@azure/identity";

const credential = new AzureDeveloperCliCredential();
// Uses: azd auth login
```

### Azure PowerShell

```typescript
import { AzurePowerShellCredential } from "@azure/identity";

const credential = new AzurePowerShellCredential();
// Uses: Connect-AzAccount
```

## Sovereign Clouds

```typescript
import { ClientSecretCredential, AzureAuthorityHosts } from "@azure/identity";

// Azure Government
const credential = new ClientSecretCredential(
  "<tenant>", "<client>", "<secret>",
  { authorityHost: AzureAuthorityHosts.AzureGovernment }
);

// Azure China
const credentialChina = new ClientSecretCredential(
  "<tenant>", "<client>", "<secret>",
  { authorityHost: AzureAuthorityHosts.AzureChina }
);
```

## Bearer Token Provider

```typescript
import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";

const credential = new DefaultAzureCredential();

// Create a function that returns tokens
const getAccessToken = getBearerTokenProvider(
  credential,
  "https://cognitiveservices.azure.com/.default"
);

// Use with APIs that need bearer tokens
const token = await getAccessToken();
```

## Key Types

```typescript
import type {
  TokenCredential,
  AccessToken,
  GetTokenOptions
} from "@azure/core-auth";

import {
  DefaultAzureCredential,
  DefaultAzureCredentialOptions,
  ManagedIdentityCredential,
  ClientSecretCredential,
  ClientCertificateCredential,
  InteractiveBrowserCredential,
  ChainedTokenCredential,
  AzureCliCredential,
  AzurePowerShellCredential,
  AzureDeveloperCliCredential,
  DeviceCodeCredential,
  AzureAuthorityHosts
} from "@azure/identity";
```

## Custom Credential Implementation

```typescript
import type { TokenCredential, AccessToken, GetTokenOptions } from "@azure/core-auth";

class CustomCredential implements TokenCredential {
  async getToken(
    scopes: string | string[],
    options?: GetTokenOptions
  ): Promise<AccessToken | null> {
    // Custom token acquisition logic
    return {
      token: "<access-token>",
      expiresOnTimestamp: Date.now() + 3600000
    };
  }
}
```

## Debugging

```typescript
import { setLogLevel, AzureLogger } from "@azure/logger";

setLogLevel("verbose");

// Custom log handler
AzureLogger.log = (...args) => {
  console.log("[Azure]", ...args);
};
```

## Best Practices

1. **Use DefaultAzureCredential** - Works in development (CLI) and production (managed identity)
2. **Never hardcode credentials** - Use environment variables or managed identity
3. **Prefer managed identity** - No secrets to manage in production
4. **Scope credentials appropriately** - Use user-assigned identity for multi-tenant scenarios
5. **Handle token refresh** - Azure SDK handles this automatically
6. **Use ChainedTokenCredential** - For custom fallback scenarios
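The `TokenCredential` interface from the Custom Credential Implementation section can also wrap another credential so that a shared identity only ever mints tokens for the resources a service is meant to reach. The following is an added example, not part of the skill or the Azure SDK: `ScopeAllowlistCredential` and `FakeCredential` are hypothetical names, and the two interfaces are local copies of the `@azure/core-auth` shapes so the block runs without the SDK installed.

```typescript
// Local structural copies of the @azure/core-auth shapes used on this page (assumption:
// only the members shown in the Custom Credential Implementation section are needed).
interface AccessToken { token: string; expiresOnTimestamp: number; }
interface TokenCredential {
  getToken(scopes: string | string[], options?: object): Promise<AccessToken | null>;
}

// Hypothetical wrapper: fails closed unless every requested scope is allowlisted.
class ScopeAllowlistCredential implements TokenCredential {
  private readonly inner: TokenCredential;
  private readonly allowed: Set<string>;
  private readonly minValidityMs: number;

  constructor(inner: TokenCredential, allowedScopes: readonly string[], minValidityMs = 60000) {
    if (allowedScopes.length === 0) throw new Error("allowlist must not be empty");
    this.inner = inner;
    this.allowed = new Set(allowedScopes);
    this.minValidityMs = minValidityMs;
  }

  // Exact string match only: no prefix or wildcard matching that could widen access.
  deniedScopes(scopes: string | string[]): string[] {
    const requested = Array.isArray(scopes) ? scopes : [scopes];
    return requested.filter((s) => !this.allowed.has(s));
  }

  async getToken(scopes: string | string[], options?: object): Promise<AccessToken | null> {
    const requested = Array.isArray(scopes) ? scopes : [scopes];
    const denied = this.deniedScopes(requested);
    if (requested.length === 0 || denied.length > 0) {
      // Scope names are not secret; token values never appear in error text.
      throw new Error(`scope not allowlisted: ${denied.join(", ") || "(none requested)"}`);
    }
    const token = await this.inner.getToken(requested, options);
    if (token !== null && token.expiresOnTimestamp - Date.now() < this.minValidityMs) {
      throw new Error("inner credential returned an expired or near-expiry token");
    }
    return token;
  }
}

// Constructed stand-in for a real credential; records the scopes it was asked for.
class FakeCredential implements TokenCredential {
  calls: string[][] = [];
  private readonly lifetimeMs: number;
  constructor(lifetimeMs: number) { this.lifetimeMs = lifetimeMs; }
  async getToken(scopes: string | string[]): Promise<AccessToken | null> {
    this.calls.push(Array.isArray(scopes) ? scopes : [scopes]);
    return { token: "constructed-token", expiresOnTimestamp: Date.now() + this.lifetimeMs };
  }
}
```

In an application, pass `new DefaultAzureCredential()` as `inner` with the scopes the service actually needs, such as `"https://cognitiveservices.azure.com/.default"`, and hand the wrapper to the SDK client in place of the raw credential.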