Class EnvironmentCredential

Namespace

Azure.Identity

Assembly

Azure.Identity.dll

Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user with a username and password.

Configuration is attempted in this order, using these environment variables:

Service principal with secret:

Variable	Description
AZURE_TENANT_ID	The Microsoft Entra tenant (directory) ID.
AZURE_CLIENT_ID	The client (application) ID of an App Registration in the tenant.
AZURE_CLIENT_SECRET	A client secret that was generated for the App Registration.

Service principal with certificate:

Variable	Description
AZURE_TENANT_ID	The Microsoft Entra tenant (directory) ID.
AZURE_CLIENT_ID	The client (application) ID of an App Registration in the tenant.
AZURE_CLIENT_CERTIFICATE_PATH	A path to certificate and private key pair in PEM or PFX format, which can authenticate the App Registration.
AZURE_CLIENT_CERTIFICATE_PASSWORD	(Optional) The password protecting the certificate file (currently only supported for PFX (PKCS12) certificates).
AZURE_CLIENT_SEND_CERTIFICATE_CHAIN	(Optional) Specifies whether an authentication request will include an x5c header to support subject name / issuer based authentication. When set to `true` or `1`, authentication requests include the x5c header.

Username and password:

Variable	Description
AZURE_TENANT_ID	The Microsoft Entra tenant (directory) ID.
AZURE_CLIENT_ID	The client (application) ID of an App Registration in the tenant.
AZURE_USERNAME	The username, also known as upn, of a Microsoft Entra user account.
AZURE_PASSWORD	The password of the Microsoft Entra user account. Note this does not support accounts with MFA enabled.

This credential ultimately uses a ClientSecretCredential, ClientCertificateCredential, or UsernamePasswordCredential to perform the authentication using these details. Please consult the documentation of that class for more details.

public class EnvironmentCredential : TokenCredential

Inheritance

object

EnvironmentCredential

Constructors

EnvironmentCredential()

Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default Azure.Core.AccessToken when invoked.

public EnvironmentCredential()

EnvironmentCredential(EnvironmentCredentialOptions)

Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default Azure.Core.AccessToken when invoked.

public EnvironmentCredential(EnvironmentCredentialOptions options)

Parameters

options EnvironmentCredentialOptions

Options that allow to configure the management of the requests sent to Microsoft Entra ID.

Methods

GetToken(TokenRequestContext, CancellationToken)

Obtains a token from Microsoft Entra ID, using the specified client details specified in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.

public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken = default)

Parameters

requestContext TokenRequestContext

The details of the authentication request.

cancellationToken CancellationToken

A CancellationToken controlling the request lifetime.

Returns

AccessToken

An Azure.Core.AccessToken which can be used to authenticate service client calls.

Remarks

If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default Azure.Core.AccessToken

GetTokenAsync(TokenRequestContext, CancellationToken)

Obtains a token from Microsoft Entra ID, using the specified client details specified in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.

public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken = default)

Parameters

requestContext TokenRequestContext

The details of the authentication request.

cancellationToken CancellationToken

A CancellationToken controlling the request lifetime.

Returns

ValueTask<AccessToken>

An Azure.Core.AccessToken which can be used to authenticate service client calls, or a default Azure.Core.AccessToken.

Remarks

If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default Azure.Core.AccessToken