Create Microsoft Entra credential types using configuration files
The Microsoft.Extensions.Azure library supports creating different Azure.Core.TokenCredential types from key-value pairs defined in appsettings.json and other configuration files. The credential types correspond to a subset of the credential classes in the Azure Identity client library. This article describes the support for different TokenCredential types and how to configure the required key-value pairs for each type.
Support for Azure credentials through configuration
The Microsoft.Extensions.Azure library can automatically provide Azure service clients with a TokenCredential class by searching appsettings.json or other configuration files for credential values using the IConfiguration abstraction for .NET. This approach allows developers to explicitly set credential values across different environments through configuration rather than through app code directly.
The following credential types are supported via configuration:
- ClientCertificateCredential
- ClientSecretCredential
- DefaultAzureCredential
- ManagedIdentityCredential
- WorkloadIdentityCredential
Configure Azure credentials
Azure service clients registered with the AddAzureClients method are automatically configured with an instance of DefaultAzureCredential
if no explicit credential is supplied via the WithCredential extension method. You can also override the global DefaultAzureCredential
using credential values from configuration files when registering a client to create a specific credential type:
builder.Services.AddAzureClients(clientBuilder =>
{
    // Register BlobServiceClient using credentials from appsettings.json
    clientBuilder.AddBlobServiceClient(builder.Configuration.GetSection("Storage"));

    // Register ServiceBusClient using the fallback DefaultAzureCredential credentials
    clientBuilder.AddServiceBusClientWithNamespace(
        "<your_namespace>.servicebus.windows.net");
});
The associated appsettings.json file:
{
    "Storage": {
        "serviceUri": "<service_uri>",
        "credential": "managedidentity",
        "clientId": "<clientId>"
    }
}
The following credential types also support the AdditionallyAllowedTenants property, which specifies additional Microsoft Entra tenants beyond the default tenant for which the credential may acquire tokens.
Add the wildcard value "*" to allow the credential to acquire tokens for any Microsoft Entra tenant the logged in account can access. If no tenant IDs are specified, this option will have no effect on that authentication method, and the credential will acquire tokens for any requested tenant when using that method.
{
    "additionallyAllowedTenants": "<tenant-ids-separated-by-semicolon>"
}
Create a ManagedIdentityCredential type
You can create both user-assigned and system-assigned managed identities using configuration values. Add the following key-value pairs to your appsettings.json file to create an instance of Azure.Identity.ManagedIdentityCredential.
User-assigned managed identities
Specify a user-assigned managed identity via a client ID:
{
    "credential": "managedidentity",
    "clientId": "<clientId>"
}
Alternatively, specify a user-assigned managed identity via a resource ID:
{
    "credential": "managedidentity",
    "managedIdentityResourceId": "<managedIdentityResourceId>"
}
The resource ID takes the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}.
System-assigned managed identities
{
    "credential": "managedidentity"
}
Create a WorkloadIdentityCredential type
Add the following key-value pairs to your appsettings.json file to create an Azure.Identity.WorkloadIdentityCredential:
{
    "credential": "workloadidentity",
    "tenantId": "<tenantId>",
    "clientId": "<clientId>",
    "tokenFilePath": "<tokenFilePath>"
}
Create a ClientSecretCredential type
Add the following key-value pairs to your appsettings.json file to create an Azure.Identity.ClientSecretCredential:
{
    "tenantId": "<tenantId>",
    "clientId": "<clientId>",
    "clientSecret": "<clientSecret>"
}
Create a ClientCertificateCredential type
Add the following key-value pairs to your appsettings.json file to create an Azure.Identity.ClientCertificateCredential:
{
    "tenantId": "<tenantId>",
    "clientId": "<clientId>",
    "clientCertificate": "<clientCertificate>",
    "clientCertificateStoreLocation": "<clientCertificateStoreLocation>",
    "additionallyAllowedTenants": "<tenant-ids-separated-by-semicolon>"
}
Note
The clientCertificateStoreLocation and additionallyAllowedTenants key-value pairs are optional. If the keys are present and have empty values, they are ignored. If no clientCertificateStoreLocation is specified, the default CurrentUser is used from the X509Credentials.StoreLocation enum.
Create a DefaultAzureCredential type
Add the following key-value pairs to your appsettings.json file to create an Azure.Identity.DefaultAzureCredential:
{
    "tenantId": "<tenantId>",
    "clientId": "<clientId>",
    "managedIdentityResourceId": "<managedIdentityResourceId>"
}
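The key-value pairs above decide which credential type a client section produces, so it is worth being able to audit an appsettings.json before deployment. The following Python script is an added example (not code from the article or the Microsoft.Extensions.Azure library): it classifies each section using the key sets listed on this page, with an assumed precedence (explicit "credential" value, then secret, then certificate, otherwise DefaultAzureCredential), and flags a client secret stored in the config file, the "*" tenant wildcard, and an empty clientCertificateStoreLocation that the library ignores. The sample file is constructed.

```python
import json

# Constructed sample appsettings.json (hypothetical section names and IDs).
SAMPLE_APPSETTINGS = """{
  "Storage": {
    "serviceUri": "https://example.blob.core.windows.net",
    "credential": "managedidentity",
    "clientId": "00000000-0000-0000-0000-000000000001"
  },
  "KeyVault": {
    "tenantId": "00000000-0000-0000-0000-0000000000aa",
    "clientId": "00000000-0000-0000-0000-000000000002",
    "clientSecret": "placeholder-secret-value",
    "additionallyAllowedTenants": "*"
  },
  "ServiceBus": {
    "tenantId": "00000000-0000-0000-0000-0000000000aa",
    "clientId": "00000000-0000-0000-0000-000000000003",
    "clientCertificate": "CN=example-cert",
    "clientCertificateStoreLocation": ""
  }
}"""


def classify(section):
    """Return the credential type a section's keys select (assumed precedence)."""
    kind = (section.get("credential") or "").lower()
    if kind == "managedidentity":
        if section.get("clientId") or section.get("managedIdentityResourceId"):
            return "ManagedIdentityCredential (user-assigned)"
        return "ManagedIdentityCredential (system-assigned)"
    if kind == "workloadidentity":
        return "WorkloadIdentityCredential"
    has_app = bool(section.get("tenantId") and section.get("clientId"))
    if has_app and section.get("clientSecret"):
        return "ClientSecretCredential"
    if has_app and section.get("clientCertificate"):
        return "ClientCertificateCredential"
    return "DefaultAzureCredential"


def audit(appsettings_text):
    """Map each section name to (credential type, list of findings)."""
    report = {}
    for name, section in json.loads(appsettings_text).items():
        if not isinstance(section, dict):
            continue  # top-level scalars are not client sections
        findings = []
        if section.get("clientSecret"):
            findings.append("clientSecret stored in configuration file")
        if "*" in str(section.get("additionallyAllowedTenants", "")).split(";"):
            findings.append("additionallyAllowedTenants wildcard '*'")
        if "clientCertificateStoreLocation" in section and not section["clientCertificateStoreLocation"]:
            findings.append("empty clientCertificateStoreLocation is ignored; CurrentUser is used")
        report[name] = (classify(section), findings)
    return report
```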