Create Azure Identity library credentials via configuration files

The Azure client library integration for ASP.NET Core (Microsoft.Extensions.Azure) supports creating different Azure.Core.TokenCredential types from key-value pairs defined in appsettings.json and other configuration files. The credentials correspond to a subset of the credential classes in the Azure Identity client library. This article describes the support for different TokenCredential types and how to configure the required key-value pairs for each type.

Support for Azure credentials through configuration

Microsoft.Extensions.Azure can automatically provide Azure service clients with a TokenCredential class by searching appsettings.json or other configuration files for credential values using the IConfiguration abstraction for .NET. This approach allows developers to explicitly set credential values across different environments through configuration rather than through app code directly.

The following credentials can be created via configuration:

Configure Azure credentials

Azure service clients registered with the AddAzureClients method are automatically configured with an instance of DefaultAzureCredential if no explicit credential is supplied via the WithCredential extension method. You can also override the global DefaultAzureCredential using credential values from configuration files when registering a client to create a specific credential:

builder.Services.AddAzureClients(clientBuilder =>
{
    // Register BlobServiceClient using credential from appsettings.json
    clientBuilder.AddBlobServiceClient(builder.Configuration.GetSection("Storage"));

    // Register ServiceBusClient using the fallback DefaultAzureCredential
    clientBuilder.AddServiceBusClientWithNamespace(
        "<your_namespace>.servicebus.windows.net");
});

The associated appsettings.json file:

"Storage": {
    "serviceUri": "<service_uri>",
    "credential": "managedidentity",
    "clientId": "<client_id>"
}
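As an added example (not code from the article or from Microsoft.Extensions.Azure), the registration pattern above with a startup guard that inspects the bound section before the client is created. It assumes an ASP.NET Core web project with implicit usings, the section name "Storage", and the hypothetical helper name ValidateCredentialSection; the credential kinds it accepts in Production are the identity-based ones described on this page.

```csharp
// Added example, not from the original article. Assumed: ASP.NET Core web SDK
// with implicit usings, a "Storage" section in appsettings.json, and the
// hypothetical ValidateCredentialSection helper defined below.
using System;
using Azure.Identity;
using Microsoft.Extensions.Azure;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Bind the section once so it can be validated and then handed to the client.
IConfigurationSection storage = builder.Configuration.GetSection("Storage");
ValidateCredentialSection(storage, builder.Environment);

builder.Services.AddAzureClients(clientBuilder =>
{
    // The "credential" key in the section (for example "managedidentity")
    // selects the TokenCredential type; nothing is hard-coded here.
    clientBuilder.AddBlobServiceClient(storage);

    // Clients registered without a section fall back to this credential.
    clientBuilder.UseCredential(new DefaultAzureCredential());
});

var app = builder.Build();
app.Run();

// Hypothetical guard: in Production only identity-based credential kinds are
// accepted, and a client secret must never be read from a configuration file.
static void ValidateCredentialSection(IConfigurationSection section, IHostEnvironment env)
{
    if (!env.IsProduction())
    {
        return; // Development may use any credential kind the page documents.
    }

    string? kind = section["credential"];
    string[] allowed = { "managedidentity", "managedidentityasfederatedidentity", "workloadidentity" };

    if (kind is null || Array.IndexOf(allowed, kind.ToLowerInvariant()) < 0)
    {
        throw new InvalidOperationException(
            $"Section '{section.Path}' must set 'credential' to one of: {string.Join(", ", allowed)}.");
    }

    if (!string.IsNullOrEmpty(section["clientSecret"]))
    {
        throw new InvalidOperationException(
            $"Section '{section.Path}' contains 'clientSecret'; keep secrets out of configuration files.");
    }
}
```

Failing fast at startup surfaces a mis-deployed appsettings.json immediately instead of at the first storage call, where the error would be a generic authentication failure.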

The following credentials also support the AdditionallyAllowedTenants property, which specifies Microsoft Entra tenants beyond the default tenant for which the credential can acquire tokens:

Add the wildcard value * to allow the credential to acquire tokens for any Microsoft Entra tenant the logged-in account can access. If no tenant IDs are specified, this option has no effect on that authentication method, and the credential acquires tokens for any requested tenant when using that method.

{
    "additionallyAllowedTenants": "<tenant_ids_separated_by_semicolon>"
}

Create an instance of ManagedIdentityCredential

You can configure a credential that uses a managed identity in any of the following ways using configuration values:

  • System-assigned managed identity
  • User-assigned managed identity
  • Managed identity as a federated identity credential

To create an instance of Azure.Identity.ManagedIdentityCredential, add the following key-value pairs to your appsettings.json file.

System-assigned managed identity

{
    "credential": "managedidentity"
}

User-assigned managed identity

A user-assigned managed identity can be used by providing a client ID, resource ID, or object ID.

{
    "credential": "managedidentity",
    "managedIdentityClientId": "<managed_identity_client_id>"
}

Managed identity as a federated identity credential

The managed identity as a federated identity credential feature is supported in Microsoft.Extensions.Azure versions 1.12.0 and later. The feature doesn't work with system-assigned managed identity. The credential can be configured with a user-assigned managed identity by providing a client ID, resource ID, or object ID.

{
    "credential": "managedidentityasfederatedidentity",
    "azureCloud": "<azure_cloud>",
    "tenantId": "<tenant_id>",
    "clientId": "<client_id>",
    "managedIdentityClientId": "<managed_identity_client_id>"
}

The azureCloud key value is used to set the Microsoft Entra access token scope. It can be one of the following values:

  • public for Azure Public Cloud
  • usgov for Azure US Government Cloud
  • china for Azure operated by 21Vianet

Create an instance of AzurePipelinesCredential

To create an instance of Azure.Identity.AzurePipelinesCredential, add the following key-value pairs to your appsettings.json file:

{
    "credential": "azurepipelines",
    "clientId": "<client_id>",
    "tenantId": "<tenant_id>",
    "serviceConnectionId": "<service_connection_id>",
    "systemAccessToken": "<system_access_token>"
}

Important

AzurePipelinesCredential is supported in Microsoft.Extensions.Azure versions 1.11.0 and later.

Create an instance of WorkloadIdentityCredential

To create an instance of Azure.Identity.WorkloadIdentityCredential, add the following key-value pairs to your appsettings.json file:

{
    "credential": "workloadidentity",
    "tenantId": "<tenant_id>",
    "clientId": "<client_id>",
    "tokenFilePath": "<token_file_path>"
}

Create an instance of ClientSecretCredential

To create an instance of Azure.Identity.ClientSecretCredential, add the following key-value pairs to your appsettings.json file:

{
    "tenantId": "<tenant_id>",
    "clientId": "<client_id>",
    "clientSecret": "<client_secret>"
}

Create an instance of ClientCertificateCredential

To create an instance of Azure.Identity.ClientCertificateCredential, add the following key-value pairs to your appsettings.json file:

{
    "tenantId": "<tenant_id>",
    "clientId": "<client_id>",
    "clientCertificate": "<client_certificate>",
    "clientCertificateStoreLocation": "<client_certificate_store_location>"
}

Note

The clientCertificateStoreLocation key is optional. If the key:

Create an instance of DefaultAzureCredential

To create an instance of Azure.Identity.DefaultAzureCredential, add the following key-value pairs to your appsettings.json file:

{
    "tenantId": "<tenant_id>",
    "clientId": "<client_id>",
    "managedIdentityResourceId": "<managed_identity_resource_id>"
}