Azure MCP Server - AZURE_TOKEN_CREDENTIALS environment variable not respected - ManagedIdentityCredential never attempted.

Ting Wei Lim 20 Reputation points Microsoft Employee
2025-11-03T05:35:43.73+00:00
https://github.com/microsoft/mcp/issues/1030


# AZURE_TOKEN_CREDENTIALS environment variable not respected - ManagedIdentityCredential never attempted

## Summary

The `AZURE_TOKEN_CREDENTIALS` environment variable (introduced in PR #56) is not being respected at runtime. Despite setting `AZURE_TOKEN_CREDENTIALS="prod"` or `AZURE_TOKEN_CREDENTIALS="ManagedIdentityCredential"`, the credential chain always falls through to `InteractiveBrowserCredential`, which fails in server environments (Azure Web App, Function Apps, Container Apps).

This prevents the use of Managed Identity authentication in production Azure hosting environments, which is a critical blocker for enterprise deployments.

## Environment

- **Package**: `@azure/mcp@1.0.0` (published October 30, 2025)
- **Platform**: Azure Web App for Linux (Node.js 20 LTS)
- **Managed Identity**: User-Assigned Managed Identity configured and assigned to Web App
- **Permissions**: Database Admin role on Azure Data Explorer cluster (verified working with other apps)
- **Runtime**: Node.js spawning MCP server via `npx -y @azure/mcp@1 server start --namespace kusto --read-only`

## Expected Behavior

According to PR #56 documentation and code (lines 18-24 of `CustomChainedCredential.cs`):

```csharp
/// The credential chain behavior can be controlled via the AZURE_TOKEN_CREDENTIALS environment variable:
/// - "dev": Visual Studio → Visual Studio Code → Azure CLI → Azure PowerShell → Azure Developer CLI
/// - "prod": Environment → Workload Identity → Managed Identity
/// - Specific credential name (e.g., "AzureCliCredential"): Only that credential
```

When `AZURE_TOKEN_CREDENTIALS="prod"` is set, the credential chain should be:

1. `EnvironmentCredential`
2. `WorkloadIdentityCredential`
3. `ManagedIdentityCredential` (should be included)

When `AZURE_TOKEN_CREDENTIALS="ManagedIdentityCredential"` is set, only `ManagedIdentityCredential` should be attempted.

## Actual Behavior

The credential chain always ignores the `AZURE_TOKEN_CREDENTIALS` environment variable and falls through to `InteractiveBrowserCredential`:

```
Error: The ChainedTokenCredential failed due to an unhandled exception:
InteractiveBrowserCredential authentication failed: Persistence check failed.
```

The error message suggests that `ManagedIdentityCredential` and `WorkloadIdentityCredential` were never attempted, as the chain fell all the way to the interactive browser credential (which cannot work in server environments without a GUI).

### Critical Finding: Works Locally, Fails in Azure

- **Local environment (with `az login`)**: WORKS - uses `AzureCliCredential` from the "dev" chain
- **Azure Web App (with Managed Identity + `AZURE_TOKEN_CREDENTIALS="prod"`)**: FAILS - "prod" chain not activated, falls to `InteractiveBrowserCredential`

This proves:

1. The MCP server and code implementation work correctly
2. The "dev" credential chain (including `AzureCliCredential`) functions properly
3. The "prod" credential chain (Environment → WorkloadIdentity → ManagedIdentity) is not being activated despite `AZURE_TOKEN_CREDENTIALS="prod"` being set
4. The environment variable is either not being read or not being respected by the .NET runtime in Azure Web App

## Steps to Reproduce

### 1. Setup Azure Resources

```bash
# Create User-Assigned Managed Identity
az identity create --name myapp-mi --resource-group my-rg

# Create Azure Web App with Node.js 20
az webapp create --name myapp --resource-group my-rg --plan myplan --runtime "NODE:20-lts"

# Assign Managed Identity to Web App
az webapp identity assign --name myapp --resource-group my-rg \
  --identities /subscriptions/{sub-id}/resourcegroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myapp-mi

# Grant permissions to Azure Data Explorer (or any Azure resource)
```

### 2. Configure Environment Variables

```bash
az webapp config appsettings set --name myapp --resource-group my-rg --settings \
  AZURE_CLIENT_ID="
```

Answer accepted by question author
Rukmini 3,325 Reputation points Microsoft External Staff Moderator
2025-11-05T05:31:18.5966667+00:00

Hello Ting Wei Lim,

Interactive Browser credential is the standard default fallback.

As discussed offline, the Azure MCP server team is working on the issue and they will push the fix by this week.

https://github.com/microsoft/mcp/issues/1030

If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And if you have any further query, do let us know.

