Authenticate .NET apps to Azure services during local development using developer accounts

Developers need to debug and test cloud apps on their local workstations. When an app runs on a developer's workstation during local development, it must still authenticate to any Azure services used by the app. This article covers how to use a developer's Azure credentials to authenticate the app to Azure during local development.

A diagram showing an app running in local development using a developer tool identity to connect to Azure resources.

For an app to authenticate to Azure during local development using the developer's Azure credentials, the developer must be signed in to Azure from one of the following developer tools:

  • Visual Studio
  • Azure CLI
  • Azure Developer CLI
  • Azure PowerShell

The Azure Identity library can detect that the developer is signed in from one of these tools. The library can then obtain the Microsoft Entra access token via the tool to authenticate the app to Azure as the signed-in user.

This approach is easiest to set up for a development team since it takes advantage of the developers' existing Azure accounts. However, a developer's account likely has more permissions than required by the app, therefore exceeding the permissions the app runs with in production. As an alternative, you can create application service principals to use during local development, which can be scoped to have only the access needed by the app.

1 - Create Microsoft Entra group for local development

Since there are almost always multiple developers who work on an app, a Microsoft Entra group is recommended to encapsulate the roles (permissions) the app needs in local development. This approach offers the following advantages:

  • Every developer is assured to have the same roles assigned since roles are assigned at the group level.
  • If a new role is needed for the app, it only needs to be added to the group for the app.
  • If a new developer joins the team, they gain the necessary permissions to work on the app after being added to the group.

If you have an existing Microsoft Entra group for your development team, you can use that group. Otherwise, complete the following steps to create a Microsoft Entra group.

Instructions Screenshot
Navigate to the Microsoft Entra ID page in the Azure portal by typing Microsoft Entra ID into the search box at the top of the page. Select Microsoft Entra ID under the Services section. A screenshot showing how to use the top search bar in the Azure portal to search for and navigate to the Microsoft Entra ID page.
On the Microsoft Entra ID page, select Groups from the left-hand menu. A screenshot showing the location of the Groups menu item in the left-hand menu of the Microsoft Entra ID Default Directory page.
On the All groups page, select New group. A screenshot showing the location of the New Group button in the All groups page.
On the New Group page:
  1. Select Security from the Group type drop-down.
  2. Group name → A name for the security group, typically created from the application name. It's also helpful to include a string like local-dev in the name of the group to indicate the purpose of the group.
  3. Group description → A description of the group's purpose.
  4. Select the No members selected link under Members to add members to the group.
A screenshot showing how to create a new Microsoft Entra group. The location of the link to select to add members to this group is highlighted.
On the Add members dialog box:
  1. Use the search box to filter the list of user names in the list.
  2. Choose one or more users for local development for this app. As you choose an object, the object moves to the Selected items list at the bottom of the dialog.
  3. When finished, choose the Select button.
A screenshot of the Add members dialog box showing how to select developer accounts to be included in the group.
Back on the New group page, select Create to create the group.The group will be created and you will be taken back to the All groups page. It may take up to 30 seconds for the group to appear, and you may need to refresh the page due to caching in the Azure portal. A screenshot of the New Group page showing how to complete the process by selecting the Create button.

Note

By default, the creation of Microsoft Entra groups is limited to certain privileged roles in a directory. If you're unable to create a group, contact an administrator for your directory. If you're unable to add members to an existing group, contact the group owner or a directory administrator. To learn more, see Manage Microsoft Entra groups and group membership.

2 - Assign roles to the Microsoft Entra group

Next, determine what roles (permissions) your app needs on what resources and assign those roles to your app. In this example, the roles are assigned to the Microsoft Entra group created in step 1. Groups can be assigned a role at a resource, resource group, or subscription scope. This example shows how to assign roles at the resource group, scope since most apps group all their Azure resources into a single resource group.

Instructions Screenshot
Locate the resource group for your app by searching for the resource group name using the search box at the top of the Azure portal. Navigate to your resource group by selecting the resource group name under the Resource Groups heading in the dialog box. A screenshot showing how to use the top search box in the Azure portal to locate and navigate to the resource group you want to assign roles (permissions) to.
On the page for the resource group, select Access control (IAM) from the left-hand menu. A screenshot of the resource group page showing the location of the Access control (IAM) menu item.
On the Access control (IAM) page:
  1. Select the Role assignments tab.
  2. Select + Add from the top menu and then Add role assignment from the resulting drop-down menu.
A screenshot showing how to navigate to the role assignments tab and the location of the button used to add role assignments to a resource group.
The Add role assignment page lists all of the roles that can be assigned for the resource group.
  1. Use the search box to filter the list to a more manageable size. This example shows how to filter for Storage Blob roles.
  2. Select the role that you want to assign.
Select Next to go to the next screen.
A screenshot showing how to filter and select role assignments to be added to the resource group.
The next Add role assignment page allows you to specify what user to assign the role to.
  1. Select User, group, or service principal under Assign access to.
  2. Select + Select members under Members.
A dialog box opens on the right-hand side of the Azure portal.
A screenshot showing the radio button to select to assign a role to a Microsoft Entra group and the link used to select the group to assign the role to.
In the Select members dialog:
  1. The Select text box can be used to filter the list of users and groups in your subscription. If needed, type the first few characters of the local development Microsoft Entra group you created for the app.
  2. Select the local development Microsoft Entra group associated with your application.
Select Select at the bottom of the dialog to continue.
A screenshot showing how to filter for and select the Microsoft Entra group for the application in the Select members dialog box.
The Microsoft Entra group shows as selected on the Add role assignment screen. Select Review + assign to go to the final page and then Review + assign again to complete the process. A screenshot showing the completed Add role assignment page and the location of the Review + assign button used to complete the process.

3 - Sign in to Azure using developer tooling

Next, sign in to Azure using one of several developer tools. The account you authenticate should also exist in the Microsoft Entra group you created and configured earlier.

  1. Navigate to Tools > Options to open the options dialog.

  2. In the Search Options box at the top, type Azure to filter the available options.

  3. Under Azure Service Authentication, choose Account Selection.

  4. Select the drop-down menu under Choose an account and choose to add a Microsoft Account. A window opens, prompting you to pick an account. Enter the credentials for your desired Azure account, and then select the confirmation.

    A screenshot showing how to sign in to Azure using Visual Studio.

  5. Select OK to close the options dialog.

4 - Implement DefaultAzureCredential in your application

DefaultAzureCredential is an opinionated, ordered sequence of mechanisms for authenticating to Microsoft Entra ID. Each authentication mechanism is a class derived from the TokenCredential class and is known as a credential. At runtime, DefaultAzureCredential attempts to authenticate using the first credential. If that credential fails to acquire an access token, the next credential in the sequence is attempted, and so on, until an access token is successfully obtained. In this way, your app can use different credentials in different environments without writing environment-specific code.

To use DefaultAzureCredential, add the Azure.Identity and optionally the Microsoft.Extensions.Azure packages to your application:

In a terminal of your choice, navigate to the application project directory and run the following commands:

dotnet add package Azure.Identity
dotnet add package Microsoft.Extensions.Azure

Azure services are accessed using specialized client classes from the various Azure SDK client libraries. These classes and your own custom services should be registered so they can be accessed via dependency injection throughout your app. In Program.cs, complete the following steps to register a client class and DefaultAzureCredential:

  1. Include the Azure.Identity and Microsoft.Extensions.Azure namespaces via using directives.
  2. Register the Azure service client using the corresponding Add-prefixed extension method.
  3. Pass an instance of DefaultAzureCredential to the UseCredential method.

For example:

using Microsoft.Extensions.Azure;
using Azure.Identity;

builder.Services.AddAzureClients(clientBuilder =>
{
    clientBuilder.AddBlobServiceClient(
        new Uri("https://<account-name>.blob.core.windows.net"));
    clientBuilder.UseCredential(new DefaultAzureCredential());
});

An alternative to UseCredential is to instantiate DefaultAzureCredential directly:

using Azure.Identity;

builder.Services.AddSingleton<BlobServiceClient>(_ =>
    new BlobServiceClient(
        new Uri("https://<account-name>.blob.core.windows.net"),
        new DefaultAzureCredential()));

When the preceding code runs on your local development workstation, it looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. Either approach can be used to authenticate the app to Azure resources during local development.

When deployed to Azure, this same code can also authenticate your app to other Azure resources. DefaultAzureCredential can retrieve environment settings and managed identity configurations to authenticate to other services automatically.