EnvironmentCredential class

Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user with a username and password.

Constructors

EnvironmentCredential(EnvironmentCredentialOptions)

Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.

Required environment variables:

  • AZURE_TENANT_ID: The Microsoft Entra tenant (directory) ID.
  • AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.

If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants

  • AZURE_ADDITIONALLY_ALLOWED_TENANTS: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.

Environment variables used for client credential authentication:

  • AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
  • AZURE_CLIENT_CERTIFICATE_PATH: The path to a PEM certificate to use during the authentication, instead of the client secret.
  • AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) password for the certificate file.
  • AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.

Alternatively, users can provide environment variables for username and password authentication:

  • AZURE_USERNAME: Username to authenticate with.
  • AZURE_PASSWORD: Password to authenticate with.

If the environment variables required to perform the authentication are missing, a CredentialUnavailableError will be thrown. If the authentication fails, or if there's an unknown error, an AuthenticationError will be thrown.

Methods

getToken(string | string[], GetTokenOptions)

Authenticates with Microsoft Entra ID and returns an access token if successful.

Constructor Details

EnvironmentCredential(EnvironmentCredentialOptions)

Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.

Required environment variables:

  • AZURE_TENANT_ID: The Microsoft Entra tenant (directory) ID.
  • AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.

If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants

  • AZURE_ADDITIONALLY_ALLOWED_TENANTS: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.

Environment variables used for client credential authentication:

  • AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
  • AZURE_CLIENT_CERTIFICATE_PATH: The path to a PEM certificate to use during the authentication, instead of the client secret.
  • AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) password for the certificate file.
  • AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.

Alternatively, users can provide environment variables for username and password authentication:

  • AZURE_USERNAME: Username to authenticate with.
  • AZURE_PASSWORD: Password to authenticate with.

If the environment variables required to perform the authentication are missing, a CredentialUnavailableError will be thrown. If the authentication fails, or if there's an unknown error, an AuthenticationError will be thrown.

new EnvironmentCredential(options?: EnvironmentCredentialOptions)

Parameters

options
EnvironmentCredentialOptions

Options for configuring the client which makes the authentication request.

Method Details

getToken(string | string[], GetTokenOptions)

Authenticates with Microsoft Entra ID and returns an access token if successful.

function getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>

Parameters

scopes

string | string[]

The list of scopes for which the token will have access.

options
GetTokenOptions

Optional parameters. See GetTokenOptions.

Returns

Promise<AccessToken>