# Azure Identity SDK for Python

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).
## Installation

```bash
pip install azure-identity
```
## Environment Variables

Service principal (for production/CI):

```bash
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>
```

User-assigned managed identity (optional):

```bash
AZURE_CLIENT_ID=<managed-identity-client-id>
```
## DefaultAzureCredential

The recommended credential for most scenarios. Tries multiple authentication methods in order:

```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Works in local dev AND production without code changes
credential = DefaultAzureCredential()

client = BlobServiceClient(
    account_url="https://<account>.blob.core.windows.net",
    credential=credential,
)
```
### Credential Chain Order

| Order | Credential | Environment |
|---|---|---|
| 1 | EnvironmentCredential | CI/CD, containers |
| 2 | WorkloadIdentityCredential | Kubernetes |
| 3 | ManagedIdentityCredential | Azure VMs, App Service, Functions |
| 4 | SharedTokenCacheCredential | Windows only |
| 5 | VisualStudioCodeCredential | VS Code with Azure extension |
| 6 | AzureCliCredential | `az login` |
| 7 | AzurePowerShellCredential | `Connect-AzAccount` |
| 8 | AzureDeveloperCliCredential | `azd auth login` |
### Customizing DefaultAzureCredential

```python
from azure.identity import DefaultAzureCredential

# Exclude credentials you don't need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="<user-assigned-mi-client-id>",  # For user-assigned MI
)

# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False,
)
```
## Specific Credential Types

### ManagedIdentityCredential

For Azure-hosted resources (VMs, App Service, Functions, AKS):

```python
from azure.identity import ManagedIdentityCredential

# System-assigned managed identity
credential = ManagedIdentityCredential()

# User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="<user-assigned-mi-client-id>",
)
```
### ClientSecretCredential

For a service principal with a client secret:

```python
import os

from azure.identity import ClientSecretCredential

# Read the secret from the environment; never hardcode it
credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"],
)
```
### AzureCliCredential

Uses the account from `az login`:

```python
from azure.identity import AzureCliCredential

credential = AzureCliCredential()
```
### ChainedTokenCredential

Custom credential chain:

```python
from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential,
)

# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
    AzureCliCredential(),
)
```
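To make the chain's fall-through rule concrete, here is an added stand-alone example (not azure-identity's own code, and it needs no Azure dependency): a constructed stand-in that keeps the same `get_token()`/`AccessToken` shape and applies the rule `ChainedTokenCredential` uses, skipping a credential that raises `CredentialUnavailableError` but stopping at any other error so a genuine rejection by the token service is not masked by silently falling back to a developer credential. `StaticCredential`, `SimpleChain` and the two exception classes are names assumed and defined here.

```python
import time
from typing import List, NamedTuple, Optional, Tuple


class AccessToken(NamedTuple):
    token: str
    expires_on: int  # Unix timestamp, the same shape azure-identity returns


class CredentialUnavailableError(Exception):
    """Credential could not even attempt auth (no env vars, no IMDS, no `az login`)."""


class ClientAuthenticationError(Exception):
    """Credential attempted auth and the token service rejected it."""


class StaticCredential:
    """Constructed stand-in for a real credential: a fixed outcome per name."""

    def __init__(self, name: str, outcome: Optional[Exception] = None):
        self.name, self.outcome = name, outcome

    def get_token(self, *scopes: str) -> AccessToken:
        if self.outcome is not None:
            raise self.outcome
        return AccessToken(f"{self.name}:{' '.join(scopes)}", int(time.time()) + 3600)


class SimpleChain:
    """Tries credentials in order: 'unavailable' means try the next one, any
    other error stops the chain so a real rejection is never silently masked."""

    def __init__(self, *credentials: StaticCredential):
        self.credentials = credentials
        self.attempts: List[Tuple[str, str]] = []  # (name, reason) for diagnostics

    def get_token(self, *scopes: str) -> AccessToken:
        for cred in self.credentials:
            try:
                return cred.get_token(*scopes)
            except CredentialUnavailableError as exc:
                self.attempts.append((cred.name, str(exc)))  # skip, keep going
            except Exception as exc:
                self.attempts.append((cred.name, str(exc)))  # hard failure: stop
                break
        raise ClientAuthenticationError(f"chain returned no token; attempts: {self.attempts}")
```

The `attempts` list is the kind of per-credential history worth logging when a chain fails in production, since it tells you which credential was tried and why it did not produce a token.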
## Credential Types Table

| Credential | Use Case | Auth Method |
|---|---|---|
| DefaultAzureCredential | Most scenarios | Auto-detect |
| ManagedIdentityCredential | Azure-hosted apps | Managed Identity |
| ClientSecretCredential | Service principal | Client secret |
| ClientCertificateCredential | Service principal | Certificate |
| AzureCliCredential | Local development | Azure CLI |
| AzureDeveloperCliCredential | Local development | Azure Developer CLI |
| InteractiveBrowserCredential | User sign-in | Browser OAuth |
| DeviceCodeCredential | Headless/SSH | Device code flow |
## Getting Tokens Directly

```python
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

# Get a token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")

# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
```
## Async Client

```python
import asyncio

from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient


async def main():
    credential = DefaultAzureCredential()

    async with BlobServiceClient(
        account_url="https://<account>.blob.core.windows.net",
        credential=credential,
    ) as client:
        # ... async operations
        pass

    # Async credentials hold an HTTP session; close it explicitly
    await credential.close()


asyncio.run(main())
```
## Best Practices

- Use DefaultAzureCredential for code that runs locally and in Azure
- Never hardcode credentials — use environment variables or managed identity
- Prefer managed identity in production Azure deployments
- Use ChainedTokenCredential when you need a custom credential order
- Close async credentials explicitly or use context managers
- Set AZURE_CLIENT_ID for user-assigned managed identities
- Exclude unused credentials to speed up authentication