Class DefaultAzureCredential
Provides a default Azure.Core.TokenCredential authentication flow for applications that will be deployed to Azure. The following credential types, if enabled, will be tried, in order:
Consult the documentation of these credential types for more information on how they attempt authentication.
public class DefaultAzureCredential : TokenCredential
- Inheritance
-
DefaultAzureCredential
Examples
This example demonstrates authenticating the BlobClient from the Azure.Storage.Blobs client library using the DefaultAzureCredential, deployed to an Azure resource with a user-assigned managed identity configured.
// When deployed to an Azure host, DefaultAzureCredential will authenticate the specified user-assigned managed identity.
string userAssignedClientId = "<your managed identity client ID>";
var credential = new DefaultAzureCredential(
    new DefaultAzureCredentialOptions
    {
        ManagedIdentityClientId = userAssignedClientId
    });
var blobClient = new BlobClient(
    new Uri("https://myaccount.blob.core.windows.net/mycontainer/myblob"),
    credential);
Remarks
Note that credentials requiring user interaction, such as the InteractiveBrowserCredential, are not included by default. Callers must explicitly enable this when constructing the DefaultAzureCredential, either by setting the includeInteractiveCredentials parameter to true, or by setting the ExcludeInteractiveBrowserCredential property to false when passing DefaultAzureCredentialOptions.
Constructors
DefaultAzureCredential()
Protected constructor for mocking.
protected DefaultAzureCredential()
DefaultAzureCredential(DefaultAzureCredentialOptions)
Creates an instance of the DefaultAzureCredential class.
public DefaultAzureCredential(DefaultAzureCredentialOptions options)
Parameters
options
DefaultAzureCredentialOptions
Options that configure the management of the requests sent to Microsoft Entra ID, and determine which credentials are included in the DefaultAzureCredential authentication flow.
DefaultAzureCredential(bool)
Creates an instance of the DefaultAzureCredential class.
public DefaultAzureCredential(bool includeInteractiveCredentials = false)
Parameters
includeInteractiveCredentials
bool
Specifies whether credentials requiring user interaction will be included in the default authentication flow.
Methods
GetToken(TokenRequestContext, CancellationToken)
Sequentially calls Azure.Core.TokenCredential.GetToken(Azure.Core.TokenRequestContext,System.Threading.CancellationToken) on all the included credentials in the order EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, and InteractiveBrowserCredential, returning the first successfully obtained Azure.Core.AccessToken. Acquired tokens are cached by the credential instance. Token lifetime and refreshing are handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.
public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken = default)
Parameters
requestContext
TokenRequestContext
The details of the authentication request.
cancellationToken
CancellationToken
A CancellationToken controlling the request lifetime.
Returns
- AccessToken
The first Azure.Core.AccessToken returned by the specified sources. Any credential which raises a CredentialUnavailableException will be skipped.
Remarks
Note that credentials requiring user interaction, such as the InteractiveBrowserCredential, are not included by default.
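The skip-and-continue behaviour described for GetToken, as an added example that is not part of the Azure SDK documentation: it uses ChainedTokenCredential from Azure.Identity as a stand-in for the default chain, with constructed stub credentials, to show that the first source able to return a token decides which identity the application runs as. The stub class names, the token strings and the choice of the storage scope are assumptions made for the illustration.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Constructed stub: stands for a credential whose source is not configured on this host.
class UnavailableStub : TokenCredential
{
    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) =>
        throw new CredentialUnavailableException("stub: source not configured");

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct) =>
        throw new CredentialUnavailableException("stub: source not configured");
}

// Constructed stub: always succeeds and counts how often the chain reached it.
class AvailableStub : TokenCredential
{
    private readonly string _name;
    public int Calls { get; private set; }
    public AvailableStub(string name) => _name = name;

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct)
    {
        Calls++;
        return new AccessToken("constructed-token-from-" + _name, DateTimeOffset.UtcNow.AddHours(1));
    }

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct) =>
        new ValueTask<AccessToken>(GetToken(ctx, ct));
}

static class Program
{
    static void Main()
    {
        var second = new AvailableStub("second");
        var third = new AvailableStub("third");
        // Order matters: the unavailable source is skipped, the next one that succeeds wins.
        var chain = new ChainedTokenCredential(new UnavailableStub(), second, third);
        var ctx = new TokenRequestContext(new[] { "https://storage.azure.com/.default" });

        AccessToken token = chain.GetToken(ctx, CancellationToken.None);
        Console.WriteLine(token.Token);
        // The third source is never consulted once the second has returned a token.
        Console.WriteLine($"second.Calls={second.Calls} third.Calls={third.Calls}");
    }
}
```

On a real host the same ordering means an earlier source that happens to be configured supplies the token before a later one is consulted, so the set of enabled credentials should match the identity the deployment is meant to use.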
GetTokenAsync(TokenRequestContext, CancellationToken)
Sequentially calls Azure.Core.TokenCredential.GetToken(Azure.Core.TokenRequestContext,System.Threading.CancellationToken) on all the included credentials in the order EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, and InteractiveBrowserCredential, returning the first successfully obtained Azure.Core.AccessToken. Acquired tokens are cached by the credential instance. Token lifetime and refreshing are handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.
public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken = default)
Parameters
requestContext
TokenRequestContext
The details of the authentication request.
cancellationToken
CancellationToken
A CancellationToken controlling the request lifetime.
Returns
- ValueTask<AccessToken>
The first Azure.Core.AccessToken returned by the specified sources. Any credential which raises a CredentialUnavailableException will be skipped.
Remarks
Note that credentials requiring user interaction, such as the InteractiveBrowserCredential, are not included by default.