This article lists additional methods that apps can use to authenticate to Azure resources. These methods are less commonly used. When possible, use one of the methods outlined in authenticating Go apps to Azure using the Azure SDK overview.
Interactive browser authentication
This method authenticates an application through InteractiveBrowserCredential by collecting user credentials in the default system browser.
Interactive browser authentication enables the application for all operations allowed by the interactive login credentials. As a result, if you're the owner or administrator of your subscription, your code has inherent access to most resources in that subscription without having to assign any specific permissions. For this reason, use interactive browser authentication only for experimentation.
Enable applications for interactive browser authentication
Perform the following steps to enable the application to authenticate through the interactive browser flow. These steps also work for device code authentication described later. You need to follow this process only if you're using InteractiveBrowserCredential in your code.
1. On the Azure portal, go to Microsoft Entra ID and select App registrations in the left-hand menu.
2. Select the registration for your app, and then select Authentication.
3. Under Advanced settings, select Yes for Allow public client flows.
4. Select Save to apply the changes.
5. To authorize the application for specific resources, go to the resource in question, select API Permissions, and enable Microsoft Graph and other resources you want to access. Microsoft Graph is usually enabled by default.
Important
You must also be the admin of your tenant to grant consent to your application when you sign in for the first time.
If you can't configure the device code flow option on your Microsoft Entra ID, your application might need to be multitenant. To make this change, go to the Authentication panel, select Accounts in any organizational directory (under Supported account types), and then select Yes for Allow public client flows.
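Because these settings are meant for experimentation, it helps to be able to find registrations where they were left on. The following added example (not part of the original article) scans a constructed JSON sample shaped like a Microsoft Graph list-applications response. It assumes the portal's Allow public client flows toggle appears in Graph as `isFallbackPublicClient` and the supported account types as `signInAudience`; the app names and IDs are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: Graph property names, made-up apps and IDs.
const sample = `{"value":[
 {"displayName":"billing-api","appId":"00000000-0000-0000-0000-000000000001","isFallbackPublicClient":false,"signInAudience":"AzureADMyOrg"},
 {"displayName":"dev-sandbox","appId":"00000000-0000-0000-0000-000000000002","isFallbackPublicClient":true,"signInAudience":"AzureADMyOrg"},
 {"displayName":"kiosk-poc","appId":"00000000-0000-0000-0000-000000000003","isFallbackPublicClient":true,"signInAudience":"AzureADMultipleOrgs"},
 {"displayName":"legacy-web","appId":"00000000-0000-0000-0000-000000000004","isFallbackPublicClient":null,"signInAudience":"AzureADMyOrg"}]}`

type app struct {
	Name         string `json:"displayName"`
	AppID        string `json:"appId"`
	PublicClient *bool  `json:"isFallbackPublicClient"` // nullable in Graph
	Audience     string `json:"signInAudience"`
}

// audit returns one finding per registration that still allows public client
// flows, and notes when it also accepts accounts from outside the home tenant.
func audit(raw []byte) ([]string, error) {
	var page struct{ Value []app `json:"value"` }
	if err := json.Unmarshal(raw, &page); err != nil {
		return nil, fmt.Errorf("parse app list: %w", err)
	}
	var findings []string
	for _, a := range page.Value {
		if a.PublicClient == nil || !*a.PublicClient {
			continue // toggle is off or unset
		}
		f := fmt.Sprintf("%s (%s): public client flows enabled", a.Name, a.AppID)
		if a.Audience != "AzureADMyOrg" {
			f += ", sign-in audience " + a.Audience
		}
		findings = append(findings, f)
	}
	return findings, nil
}

func main() {
	findings, err := audit([]byte(sample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d registrations to review: %q\n", len(findings), findings)
}
```

Each finding is a registration to review, not proof of a problem: the toggle is required for the flows on this page while you are still using them.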
Example using InteractiveBrowserCredential
The following example demonstrates using an InteractiveBrowserCredential to authenticate with the SubscriptionsClient in the armsubscription package:
```go
package main

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription"
)

func main() {
	// Credential that signs the user in through the default system browser.
	cred, err := azidentity.NewInteractiveBrowserCredential(nil)
	if err != nil {
		log.Fatalf("failed to create credential: %v", err)
	}

	ctx := context.Background()
	clientFactory, err := armsubscription.NewClientFactory(cred, nil)
	if err != nil {
		log.Fatalf("failed to create client factory: %v", err)
	}

	res, err := clientFactory.NewSubscriptionsClient().Get(ctx, "<your_subscription_id>", nil)
	if err != nil {
		log.Fatalf("failed to get subscription: %v", err)
	}

	// You could use the response here. We use the blank identifier for demo purposes only.
	_ = res
}
```
For more exact control, such as setting redirect URIs, you can supply specific arguments such as RedirectURL to InteractiveBrowserCredential via the InteractiveBrowserCredentialOptions type.
Device code authentication
This method interactively authenticates a user on devices with limited UI (typically devices without a keyboard):
- When the application attempts to authenticate, the credential prompts the user with a URL and an authentication code.
- The user visits the URL on a separate browser-enabled device (a computer, smartphone, and so on) and enters the code.
- The user follows a normal authentication process in the browser.
- Upon successful authentication, the application is authenticated on the device.
For more information, see Microsoft identity platform and the OAuth 2.0 device authorization grant flow.
Device code authentication in a development environment enables the application for all operations allowed by the interactive sign-in credentials. As a result, if you're the owner or administrator of your subscription, your code has inherent access to most resources in that subscription without having to assign any specific permissions. However, you can use this method with a specific client ID, rather than the default, for which you can assign specific permissions.
Use the DeviceCodeCredential type from the azidentity package to implement device code authentication.