This article looks at how the Azure Identity library supports Microsoft Entra token authentication with user-provided credentials. This support is made possible through a set of TokenCredential implementations discussed in this article.
This article covers the following subjects:
The device code credential interactively authenticates a user on devices with limited UI. It works by prompting the user to visit a sign-in URL on a browser-enabled machine when the application attempts to authenticate. The user then enters the device code mentioned in the instructions along with their sign-in credentials. After the user signs in successfully, the application that requested authentication is authenticated on the device it's running on.
For more information, see Microsoft identity platform and the OAuth 2.0 device authorization grant flow.
To authenticate a user through device code flow, use the following steps:
/common/oauth2/nativeclient.
yes for Treat application as a public client.
These steps enable the application to authenticate, but it still doesn't have permission to sign you into Microsoft Entra ID, or access resources on your behalf. To address this issue, navigate to API Permissions, and enable Microsoft Graph and the resources you want to access, such as Key Vault.
You also need to be the admin of your tenant to grant consent to your application when you sign in for the first time.
If you can't configure the device code flow option on your Microsoft Entra ID, then it may require your app to be multi-tenant. To make your app multi-tenant, navigate to the Authentication panel, then select Accounts in any organizational directory. Then, select yes for Treat application as Public Client.
The following example demonstrates authenticating the SecretClient from the Azure Key Vault Secret client library for Java using the DeviceCodeCredential on an IoT device.
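import com.azure.identity.DeviceCodeCredential;
import com.azure.identity.DeviceCodeCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

/**
 * Authenticate with device code credential.
 */
DeviceCodeCredential deviceCodeCredential = new DeviceCodeCredentialBuilder()
    .challengeConsumer(challenge -> {
        // Lets the user know about the challenge (sign-in URL and device code).
        System.out.println(challenge.getMessage());
    }).build();

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
    .vaultUrl("https://<your Key Vault name>.vault.azure.net")
    .credential(deviceCodeCredential)
    .buildClient();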
This credential interactively authenticates a user with the default system browser and offers a smooth authentication experience by letting you use your own credentials to authenticate your application.
To use InteractiveBrowserCredential, you need to register an application in Microsoft Entra ID with permissions to sign in on behalf of a user. Follow the previous steps for device code flow to register your application. As mentioned previously, an admin of your tenant must grant consent to your application before any user account can sign in.
You may notice in InteractiveBrowserCredentialBuilder, a redirect URL is required. Add the redirect URL to the Redirect URIs subsection under the Authentication section of your registered Microsoft Entra application.
The following example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the InteractiveBrowserCredential.
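import com.azure.identity.InteractiveBrowserCredential;
import com.azure.identity.InteractiveBrowserCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

/**
 * Authenticate interactively in the browser.
 */
InteractiveBrowserCredential interactiveBrowserCredential = new InteractiveBrowserCredentialBuilder()
    .clientId("<your app client ID>")
    // Must match a redirect URI registered for the application.
    .redirectUrl("YOUR_APP_REGISTERED_REDIRECT_URL")
    .build();

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
    .vaultUrl("https://<your Key Vault name>.vault.azure.net")
    .credential(interactiveBrowserCredential)
    .buildClient();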
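Both credentials are TokenCredential implementations, so one application can choose between them at startup. The following added example (not part of the original article or the SDK) uses the browser flow when a desktop is available and the device code flow otherwise, pins both to one tenant, and prints the device code challenge fields separately. The class and helper names, the tenant placeholder, and the loopback redirect URL on port 8765 are assumptions.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DeviceCodeCredentialBuilder;
import com.azure.identity.InteractiveBrowserCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import java.awt.GraphicsEnvironment;
import java.net.URI;

public class UserCredentialSelector {
    // Placeholders: replace with the values from your own app registration.
    static final String CLIENT_ID = "<your app client ID>";
    static final String TENANT_ID = "<your tenant ID>";
    static final String REDIRECT_URL = "http://localhost:8765"; // assumed; must be a registered redirect URI

    /** Picks the browser flow when a desktop is available, device code otherwise. */
    static TokenCredential userCredential(boolean headless) {
        if (headless) {
            return new DeviceCodeCredentialBuilder()
                .clientId(CLIENT_ID)
                .tenantId(TENANT_ID) // use this tenant's authority for sign-in
                .challengeConsumer(challenge -> {
                    System.out.println("Open:    " + challenge.getVerificationUrl());
                    System.out.println("Code:    " + challenge.getUserCode());
                    System.out.println("Expires: " + challenge.getExpiresOn());
                })
                .build();
        }
        requireLoopback(REDIRECT_URL);
        return new InteractiveBrowserCredentialBuilder()
            .clientId(CLIENT_ID)
            .tenantId(TENANT_ID)
            .redirectUrl(REDIRECT_URL)
            .build();
    }
    /** Fails early if the redirect URL would deliver the sign-in response off this machine. */
    static void requireLoopback(String url) {
        String host = URI.create(url).getHost();
        if (!"localhost".equals(host) && !"127.0.0.1".equals(host)) {
            throw new IllegalArgumentException("Redirect URL must be a loopback address: " + url);
        }
    }

    public static void main(String[] args) {
        // Azure SDK client builders accept either credential through the same parameter.
        SecretClient client = new SecretClientBuilder()
            .vaultUrl("https://<your Key Vault name>.vault.azure.net")
            .credential(userCredential(GraphicsEnvironment.isHeadless())).buildClient();
        System.out.println("Client ready for " + client.getVaultUrl());
    }
}
```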
This article covered authentication with user credentials. This form of authentication is one of multiple ways you can authenticate in the Azure SDK for Java. The following articles describe other ways:
After you've mastered authentication, see Configure logging in the Azure SDK for Java for information on the logging functionality provided by the SDK.