DefaultAzureCredential Class
A default credential capable of handling most Azure SDK authentication scenarios.
The identity it uses depends on the environment. When an access token is needed, it requests one using these identities in turn, stopping when one provides a token:
A service principal configured by environment variables. See EnvironmentCredential for more details.
WorkloadIdentityCredential if environment variable configuration is set by the Azure workload identity webhook.
An Azure managed identity. See ManagedIdentityCredential for more details.
On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variable AZURE_USERNAME is used to select which identity to use. See SharedTokenCacheCredential for more details.
The identity currently logged in to the Azure CLI.
The identity currently logged in to Azure PowerShell.
The identity currently logged in to the Azure Developer CLI.
This default behavior is configurable with keyword arguments.
Inheritance
- azure.identity._credentials.chained.ChainedTokenCredential
- DefaultAzureCredential
Constructor
DefaultAzureCredential(**kwargs: Any)
Keyword-Only Parameters
Name | Description |
---|---|
authority | Authority of a Microsoft Entra endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. Managed identities ignore this because they reside in a single cloud. |
exclude_workload_identity_credential | Whether to exclude the workload identity from the credential. Defaults to False. |
exclude_developer_cli_credential | Whether to exclude the Azure Developer CLI from the credential. Defaults to False. |
exclude_cli_credential | Whether to exclude the Azure CLI from the credential. Defaults to False. |
exclude_environment_credential | Whether to exclude a service principal configured by environment variables from the credential. Defaults to False. |
exclude_managed_identity_credential | Whether to exclude managed identity from the credential. Defaults to False. |
exclude_powershell_credential | Whether to exclude Azure PowerShell. Defaults to False. |
exclude_visual_studio_code_credential | Whether to exclude stored credential from VS Code. Defaults to True. |
exclude_shared_token_cache_credential | Whether to exclude the shared token cache. Defaults to False. |
exclude_interactive_browser_credential | Whether to exclude interactive browser authentication (see InteractiveBrowserCredential). Defaults to True. |
interactive_browser_tenant_id | Tenant ID to use when authenticating a user through InteractiveBrowserCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any. If unspecified, users will authenticate in their home tenants. |
managed_identity_client_id | The client ID of a user-assigned managed identity. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used. |
workload_identity_client_id | The client ID of an identity assigned to the pod. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, the pod's default identity will be used. |
workload_identity_tenant_id | Preferred tenant for WorkloadIdentityCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any. |
interactive_browser_client_id | The client ID to be used in interactive browser credential. If not specified, users will authenticate to an Azure development application. |
shared_cache_username | Preferred username for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_USERNAME, if any. |
shared_cache_tenant_id | Preferred tenant for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any. |
visual_studio_code_tenant_id | Tenant ID to use when authenticating with VisualStudioCodeCredential. Defaults to the "Azure: Tenant" setting in VS Code's user settings or, when that setting has no value, the "organizations" tenant, which supports only Azure Active Directory work or school accounts. |
process_timeout | The timeout in seconds to use for developer credentials that run subprocesses (e.g. AzureCliCredential, AzurePowerShellCredential). Defaults to 10 seconds. |
Examples
Create a DefaultAzureCredential.
```python
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
```
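Because the default chain also tries developer sign-ins (shared token cache, Azure CLI, Azure PowerShell, Azure Developer CLI), a deployed service can narrow it with the `exclude_*` keyword arguments listed above. The following is an added example, not code from the Azure SDK: the helper names are hypothetical, the defaults table mirrors the parameter documentation on this page, and it assumes the workload runs on Azure with a managed or workload identity and the `azure-identity` package installed.

```python
# Exclusion defaults as documented in the keyword-only parameter table.
DOCUMENTED_DEFAULTS = {
    "exclude_environment_credential": False,
    "exclude_workload_identity_credential": False,
    "exclude_managed_identity_credential": False,
    "exclude_shared_token_cache_credential": False,
    "exclude_cli_credential": False,
    "exclude_powershell_credential": False,
    "exclude_developer_cli_credential": False,
    "exclude_visual_studio_code_credential": True,
    "exclude_interactive_browser_credential": True,
}

# Flags for sources that depend on a signed-in developer or interactive user.
USER_SOURCE_FLAGS = (
    "exclude_shared_token_cache_credential",
    "exclude_cli_credential",
    "exclude_powershell_credential",
    "exclude_developer_cli_credential",
    "exclude_visual_studio_code_credential",
    "exclude_interactive_browser_credential",
)


def enabled_user_sources(kwargs):
    """Return the user-bound sources a set of kwargs would leave in the chain."""
    effective = {**DOCUMENTED_DEFAULTS, **kwargs}
    return [flag for flag in USER_SOURCE_FLAGS if not effective[flag]]


def production_kwargs(managed_identity_client_id=None):
    """Kwargs that keep only workload identity and managed identity enabled."""
    kwargs = {flag: True for flag in USER_SOURCE_FLAGS}
    # Assumption: the service holds no service principal secret in env vars.
    kwargs["exclude_environment_credential"] = True
    if managed_identity_client_id:
        # Pin the user-assigned identity instead of relying on AZURE_CLIENT_ID.
        kwargs["managed_identity_client_id"] = managed_identity_client_id
    return kwargs


def build_credential(kwargs):
    """Create the credential; refuse configurations with user-bound sources."""
    leftover = enabled_user_sources(kwargs)
    if leftover:
        raise ValueError(f"user-bound sources still enabled: {leftover}")
    from azure.identity import DefaultAzureCredential  # needs azure-identity
    return DefaultAzureCredential(**kwargs)
```

Calling `build_credential(production_kwargs())` at startup makes the service fail fast if someone later re-enables a developer source in its configuration.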
Methods
close | Close the transport session of each credential in the chain. |
get_token | Request an access token for scopes. This method is called automatically by Azure SDK clients. |
close
Close the transport session of each credential in the chain.
close() -> None
get_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessToken
Parameters
Name | Description |
---|---|
scopes (Required) | Desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
claims | Additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. |
tenant_id | Optional tenant to include in the token request. |
Returns
Type | Description |
---|---|
AccessToken | An access token with the desired scopes. |
Exceptions
Type | Description |
---|---|
authentication failed. The exception has a message attribute listing each authentication attempt and its error message. |
Azure SDK for Python