Authenticate Azure-hosted Java applications

  • 2024-10-18

This article looks at how the Azure Identity library supports Microsoft Entra token authentication for applications hosted on Azure. This support is made possible through a set of TokenCredential implementations, which are discussed in this article.

This article covers the following subjects:

For troubleshooting authentication issues related to Azure-hosted applications, see Troubleshoot Azure-hosted application authentication.

DefaultAzureCredential

DefaultAzureCredential combines credentials that are commonly used to authenticate when deployed, with credentials that are used to authenticate in a development environment. For more information, see DefaultAzureCredential overview.

Configure DefaultAzureCredential

DefaultAzureCredential supports a set of configurations through setters on the DefaultAzureCredentialBuilder or environment variables.

  • Setting the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID as defined in Environment variables configures DefaultAzureCredential to authenticate as the service principal specified by the values.
  • Setting .managedIdentityClientId(String) on the builder or the environment variable AZURE_CLIENT_ID configures DefaultAzureCredential to authenticate as a user-assigned managed identity, while leaving them empty configures it to authenticate as a system-assigned managed identity.
  • Setting .tenantId(String) on the builder or the environment variable AZURE_TENANT_ID configures DefaultAzureCredential to authenticate to a specific tenant for either the shared token cache or IntelliJ IDEA.
  • Setting the environment variable AZURE_USERNAME configures DefaultAzureCredential to pick the corresponding cached token from the shared token cache.
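The following is an added example, not code from the article or from the Azure SDK itself. It wires the two builder setters described above (managedIdentityClientId and tenantId) to the AZURE_CLIENT_ID and AZURE_TENANT_ID variables, then requests one token at startup so a misconfigured credential chain fails immediately rather than on the first real request. The Key Vault scope used for the probe is an assumption; substitute the scope of whatever service the application calls.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

import java.time.Duration;

/**
 * Added example (not part of the original article): builds DefaultAzureCredential from the
 * documented builder settings and verifies at startup that a token can actually be acquired.
 */
public final class CredentialStartupCheck {

    // Assumed scope (Key Vault). Replace with the scope of the service your application calls.
    private static final String SCOPE = "https://vault.azure.net/.default";

    /**
     * Builds the credential. Either argument may be null or blank, in which case the builder
     * falls back on the environment variables, or on the system-assigned managed identity.
     */
    public static DefaultAzureCredential buildCredential(String managedIdentityClientId, String tenantId) {
        DefaultAzureCredentialBuilder builder = new DefaultAzureCredentialBuilder();
        if (managedIdentityClientId != null && !managedIdentityClientId.isBlank()) {
            builder.managedIdentityClientId(managedIdentityClientId); // user-assigned managed identity
        }
        if (tenantId != null && !tenantId.isBlank()) {
            builder.tenantId(tenantId); // pin the tenant for the shared token cache / IntelliJ IDEA
        }
        return builder.build();
    }

    /** Fails fast: requests a single token and checks that it is usable. */
    public static AccessToken probe(DefaultAzureCredential credential) {
        AccessToken token = credential
            .getToken(new TokenRequestContext().addScopes(SCOPE))
            .block(Duration.ofSeconds(30)); // getToken is reactive; blocking once at startup is acceptable
        if (token == null || token.isExpired()) {
            throw new IllegalStateException("Credential chain produced no usable token for " + SCOPE);
        }
        return token;
    }

    public static void main(String[] args) {
        // Both variables are the ones documented in this article; nothing is hard-coded.
        DefaultAzureCredential credential = buildCredential(
            System.getenv("AZURE_CLIENT_ID"), System.getenv("AZURE_TENANT_ID"));
        AccessToken token = probe(credential);
        // Log only the expiry, never the token value itself.
        System.out.println("Token acquired, expires at " + token.getExpiresAt());
    }
}
```

Run this once during application startup (for example from a health or readiness check) rather than per request; the probe deliberately blocks, and a failed probe tells you whether the problem is the identity configuration or the downstream service.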

Authenticate with DefaultAzureCredential

The following example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using DefaultAzureCredential:

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
    .vaultUrl("https://<KEY_VAULT_NAME>.vault.azure.net")
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();
```

Authenticate a user-assigned managed identity with DefaultAzureCredential

The following example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using DefaultAzureCredential deployed to an Azure resource with a user-assigned managed identity configured.

```java
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

/**
 * DefaultAzureCredential uses the user-assigned managed identity with the specified client ID.
 */
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
    .managedIdentityClientId("<CLIENT_ID>")
    .build();

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
    .vaultUrl("https://<KEY_VAULT_NAME>.vault.azure.net")
    .credential(credential)
    .buildClient();
```

ManagedIdentityCredential

ManagedIdentityCredential authenticates the managed identity (system-assigned or user-assigned) of an Azure resource. So, if the application is running inside an Azure resource that supports managed identity through the IDENTITY/MSI endpoint, the IMDS endpoint, or both, then this credential gets your application authenticated and offers a secretless authentication experience.

For more information, see What are managed identities for Azure resources?.

Authenticate in Azure with managed identity

The following example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ManagedIdentityCredential in a Virtual Machine, App Service, Functions app, Cloud Shell, Service Fabric, Arc, or AKS environment on Azure, with system-assigned or user-assigned managed identity enabled.

```java
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

/**
 * Authenticate with a user-assigned managed identity.
 */
ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
    .clientId("<CLIENT_ID>") // required only for user-assigned; omit for system-assigned
    .build();

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
    .vaultUrl("https://<KEY_VAULT_NAME>.vault.azure.net")
    .credential(credential)
    .buildClient();
```

Environment variables

You can configure DefaultAzureCredential and EnvironmentCredential with environment variables. Each type of authentication requires values for specific variables:

Service principal with secret

| Variable name | Value |
|---|---|
| AZURE_CLIENT_ID | ID of a Microsoft Entra application. |
| AZURE_TENANT_ID | ID of the application's Microsoft Entra tenant. |
| AZURE_CLIENT_SECRET | One of the application's client secrets. |

Service principal with certificate

| Variable name | Value |
|---|---|
| AZURE_CLIENT_ID | ID of a Microsoft Entra application. |
| AZURE_TENANT_ID | ID of the application's Microsoft Entra tenant. |
| AZURE_CLIENT_CERTIFICATE_PATH | Path to a PEM-encoded certificate file including private key (without password protection). |
| AZURE_CLIENT_CERTIFICATE_PASSWORD | (optional) Password of the certificate file, if any. |
| AZURE_CLIENT_SEND_CERTIFICATE_CHAIN | (optional) Send certificate chain in x5c header to support subject name / issuer-based authentication. |

Username and password

| Variable name | Value |
|---|---|
| AZURE_CLIENT_ID | ID of a Microsoft Entra application. |
| AZURE_TENANT_ID | ID of the application's Microsoft Entra tenant. |
| AZURE_USERNAME | A username (usually an email address). |
| AZURE_PASSWORD | The associated password for the given username. |

Configuration is attempted in the order listed above: client secret, then certificate, then username and password. For example, if values for both a client secret and a certificate are present, the client secret is used.
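The following is an added example, not code from the article or from the Azure SDK. It applies the precedence rule just stated to the process environment, reports which of the three configurations EnvironmentCredential will use, and flags the ambiguous case where both a client secret and a certificate path are set. The enum and the resolve method are this example's own; the variable names are the ones documented in the tables above.

```java
import com.azure.identity.EnvironmentCredential;
import com.azure.identity.EnvironmentCredentialBuilder;

import java.util.Map;

/**
 * Added example (not part of the original article): determines which documented
 * configuration EnvironmentCredential will pick, using the stated precedence
 * (client secret, then certificate, then username/password).
 */
public final class EnvironmentCredentialInspector {

    /** Example-defined classification; not an SDK type. */
    public enum Mode { SERVICE_PRINCIPAL_SECRET, SERVICE_PRINCIPAL_CERTIFICATE, USERNAME_PASSWORD, NONE }

    private static boolean present(Map<String, String> env, String key) {
        String v = env.get(key);
        return v != null && !v.isBlank();
    }

    /** Pure function over an environment map, so the decision can be unit tested with a constructed map. */
    public static Mode resolve(Map<String, String> env) {
        // Every configuration in the tables requires both the application ID and the tenant ID.
        if (!present(env, "AZURE_CLIENT_ID") || !present(env, "AZURE_TENANT_ID")) {
            return Mode.NONE;
        }
        if (present(env, "AZURE_CLIENT_SECRET")) {
            return Mode.SERVICE_PRINCIPAL_SECRET;      // checked first
        }
        if (present(env, "AZURE_CLIENT_CERTIFICATE_PATH")) {
            return Mode.SERVICE_PRINCIPAL_CERTIFICATE; // then the certificate
        }
        if (present(env, "AZURE_USERNAME") && present(env, "AZURE_PASSWORD")) {
            return Mode.USERNAME_PASSWORD;             // last
        }
        return Mode.NONE;
    }

    public static void main(String[] args) {
        Map<String, String> env = System.getenv();
        Mode mode = resolve(env);
        System.out.println("EnvironmentCredential will use: " + mode);

        if (mode == Mode.NONE) {
            System.err.println("No complete configuration found; check the variable tables for the chosen method.");
            return;
        }
        if (mode == Mode.SERVICE_PRINCIPAL_SECRET && present(env, "AZURE_CLIENT_CERTIFICATE_PATH")) {
            // Both are set; the SDK takes the secret, so the certificate is silently ignored.
            System.err.println("Warning: AZURE_CLIENT_SECRET and AZURE_CLIENT_CERTIFICATE_PATH are both set; the secret takes precedence.");
        }

        // Build the real credential; pass it to any Azure SDK client builder's .credential(...).
        EnvironmentCredential credential = new EnvironmentCredentialBuilder().build();
        System.out.println("Credential built: " + credential.getClass().getSimpleName());
    }
}
```

Running the inspector in a deployment pipeline catches a stale AZURE_CLIENT_SECRET overriding a freshly provisioned certificate, which otherwise surfaces only as an unexplained authentication failure after the secret expires.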

Next steps

This article covered authentication for applications hosted in Azure. This form of authentication is one of multiple ways you can authenticate in the Azure SDK for Java. The following articles describe other ways:

If you run into issues related to Azure-hosted application authentication, see Troubleshoot Azure-hosted application authentication.

After you've mastered authentication, see Configure logging in the Azure SDK for Java for information on the logging functionality provided by the SDK.