Azure Identity SDK for TypeScript
Authenticate to Azure services with various credential types.
Installation
npm install @azure/identity
Environment Variables
Service Principal (Secret)
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_SECRET=<client-secret>
Service Principal (Certificate)
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pem
AZURE_CLIENT_CERTIFICATE_PASSWORD=<optional-password>
Workload Identity (Kubernetes)
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/tokens/azure-identity
DefaultAzureCredential (Recommended)
import { DefaultAzureCredential } from "@azure/identity";
// DefaultAzureCredential walks the chain listed below and uses the first
// source that yields a token. Convenient for local development; for deployed
// workloads the Azure guidance is to pin the credential you actually expect
// (e.g. ManagedIdentityCredential) so that a stray developer-tool login on
// the host is never picked up silently.
const credential = new DefaultAzureCredential();

// Any Azure SDK client that takes a TokenCredential accepts it unchanged.
import { BlobServiceClient } from "@azure/storage-blob";

const accountUrl = "https://<account>.blob.core.windows.net";
const blobClient = new BlobServiceClient(accountUrl, credential);
Credential Chain Order:
- EnvironmentCredential
- WorkloadIdentityCredential
- ManagedIdentityCredential
- VisualStudioCodeCredential
- AzureCliCredential
- AzurePowerShellCredential
- AzureDeveloperCliCredential
Managed Identity
System-Assigned
import { ManagedIdentityCredential } from "@azure/identity";
// System-assigned identity: no id is passed, the identity of the host
// resource itself is used (presumes that identity is enabled on the resource).
const credential = new ManagedIdentityCredential();
User-Assigned (by Client ID)
// User-assigned identity selected by its client id. Required when several
// identities are attached to the host; otherwise the platform cannot choose.
const userAssignedClientId = "<user-assigned-client-id>";
const credential = new ManagedIdentityCredential({ clientId: userAssignedClientId });
User-Assigned (by Resource ID)
// User-assigned identity selected by its full ARM resource id instead of the
// client id; useful when only the resource path is known at deploy time.
const userAssignedResourceId =
  "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>";
const credential = new ManagedIdentityCredential({ resourceId: userAssignedResourceId });
Service Principal
Client Secret
import { ClientSecretCredential } from "@azure/identity";
// Placeholders only: at runtime load the ids and especially the secret from
// the environment (see the variables above) or a secret store; never keep the
// secret in source control.
const tenantId = "<tenant-id>";
const clientId = "<client-id>";
const clientSecret = "<client-secret>";
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
Client Certificate
import { ClientCertificateCredential } from "@azure/identity";
const tenantId = "<tenant-id>";
const clientId = "<client-id>";
// PEM file holding the certificate and its private key. Restrict read access
// to the account that runs this process; the key is the credential.
const certificatePath = "/path/to/cert.pem";

const credential = new ClientCertificateCredential(tenantId, clientId, {
  certificatePath,
});

// Same, for a password-protected private key. Source the password from a
// secret store rather than a literal.
const credentialWithPwd = new ClientCertificateCredential(tenantId, clientId, {
  certificatePath,
  certificatePassword: "<password>",
});
Interactive Authentication
Browser-Based Login
import { InteractiveBrowserCredential } from "@azure/identity";
// Opens the system browser for an interactive user sign-in. loginHint only
// pre-fills the account picker; it is a convenience, not an identity check.
const browserLoginOptions = {
  clientId: "<client-id>",
  tenantId: "<tenant-id>",
  loginHint: "user@example.com",
};
const credential = new InteractiveBrowserCredential(browserLoginOptions);
Device Code Flow
import { DeviceCodeCredential } from "@azure/identity";
// Device-code flow for hosts without a browser (containers, SSH sessions).
// The callback receives the message the user must act on; show it to the
// user directly rather than writing it into shared application logs.
function showDeviceCodePrompt(info: { message: string }): void {
  console.log(info.message); // "To sign in, use a web browser to open..."
}

const credential = new DeviceCodeCredential({
  clientId: "<client-id>",
  tenantId: "<tenant-id>",
  userPromptCallback: showDeviceCodePrompt,
});
Custom Credential Chain
import { ChainedTokenCredential, ManagedIdentityCredential, AzureCliCredential } from "@azure/identity";
// Sources are tried in order and the first one that returns a token wins.
// Keep the production source (managed identity) first and the developer
// fallback last so a CLI session on a real host is never preferred.
const credentialSources = [new ManagedIdentityCredential(), new AzureCliCredential()];
const credential = new ChainedTokenCredential(...credentialSources);
Developer Credentials
Azure CLI
import { AzureCliCredential } from "@azure/identity";
// Reuses the session established with `az login`. Meant for developer
// machines; it depends on a signed-in CLI being present on the host.
const credential = new AzureCliCredential();
Azure Developer CLI
import { AzureDeveloperCliCredential } from "@azure/identity";
// Reuses the session established with `azd auth login`; developer-only,
// like the Azure CLI credential above.
const credential = new AzureDeveloperCliCredential();
Azure PowerShell
import { AzurePowerShellCredential } from "@azure/identity";
// Reuses the session established with `Connect-AzAccount` in Azure
// PowerShell; developer-only, like the CLI credentials above.
const credential = new AzurePowerShellCredential();
Sovereign Clouds
import { ClientSecretCredential, AzureAuthorityHosts } from "@azure/identity";
// Sovereign clouds have their own sign-in endpoint. authorityHost must match
// the cloud the tenant lives in; the public-cloud default will not work there.
const sovereignTenant = "<tenant>";
const sovereignClient = "<client>";
const sovereignSecret = "<secret>";

// Azure Government
const credential = new ClientSecretCredential(sovereignTenant, sovereignClient, sovereignSecret, {
  authorityHost: AzureAuthorityHosts.AzureGovernment,
});

// Azure China
const credentialChina = new ClientSecretCredential(sovereignTenant, sovereignClient, sovereignSecret, {
  authorityHost: AzureAuthorityHosts.AzureChina,
});
Bearer Token Provider
import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
const credential = new DefaultAzureCredential();

// getBearerTokenProvider wraps the credential in a zero-argument function
// that returns a token string for the given scope; refresh is handled by the
// SDK. Request the narrowest scope the target API accepts.
const cognitiveServicesScope = "https://cognitiveservices.azure.com/.default";
const getAccessToken = getBearerTokenProvider(credential, cognitiveServicesScope);

// Hand the token to APIs that expect a bearer token. Treat it like a secret:
// do not log it or persist it.
const token = await getAccessToken();
Key Types
import type { TokenCredential, AccessToken, GetTokenOptions } from "@azure/core-auth";
import { DefaultAzureCredential, DefaultAzureCredentialOptions, ManagedIdentityCredential, ClientSecretCredential, ClientCertificateCredential, InteractiveBrowserCredential, ChainedTokenCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential, DeviceCodeCredential, AzureAuthorityHosts } from "@azure/identity";
Custom Credential Implementation
import type { TokenCredential, AccessToken, GetTokenOptions } from "@azure/core-auth";
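/** Lifetime attached to the placeholder token: one hour, in milliseconds. */
const PLACEHOLDER_TOKEN_LIFETIME_MS = 60 * 60 * 1000;

/**
 * Skeleton of a custom TokenCredential.
 *
 * Replace the body of getToken with the real acquisition logic (for example
 * an exchange with an identity provider). The placeholder below returns a
 * fixed string and exists only to show the shape of the contract.
 */
class CustomCredential implements TokenCredential {
  /**
   * Obtains a token covering the requested scopes.
   *
   * @param scopes - Scope or scopes the token must cover. A real
   *   implementation should request exactly these, nothing broader.
   * @param options - Per-call settings (abort signal, tracing, ...).
   *   Not consulted by the placeholder.
   * @returns The access token with its expiry, or null if none could be
   *   obtained.
   */
  async getToken(
    scopes: string | string[],
    options?: GetTokenOptions,
  ): Promise<AccessToken | null> {
    // Placeholder: a real implementation acquires a token for `scopes`,
    // honouring `options`, and returns null when it cannot.
    return {
      token: "<access-token>",
      expiresOnTimestamp: Date.now() + PLACEHOLDER_TOKEN_LIFETIME_MS,
    };
  }
}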
Debugging
import { setLogLevel, AzureLogger } from "@azure/logger";
// "verbose" is the most detailed level. Useful while diagnosing which link of
// a credential chain fails, but it is noisy and may echo request details, so
// keep it out of production logging.
setLogLevel("verbose");

// Route every SDK log line through a custom sink (here: stdout with a prefix).
const forwardToConsole = (...args: unknown[]): void => {
  console.log("[Azure]", ...args);
};
AzureLogger.log = forwardToConsole;
Best Practices
- Use DefaultAzureCredential - Works in development (CLI) and production (managed identity)
- Never hardcode credentials - Use environment variables or managed identity
- Prefer managed identity - No secrets to manage in production
- Scope credentials appropriately - Use user-assigned identity for multi-tenant scenarios
- Handle token refresh - Azure SDK handles this automatically
- Use ChainedTokenCredential - For custom fallback scenarios