Create Microsoft Entra credential types using configuration files

The Microsoft.Extensions.Azure library supports creating different Azure.Core.TokenCredential types from key-value pairs defined in appsettings.json and other configuration files. The credential types correspond to a subset of the credential classes in the Azure Identity client library. This article describes the support for different TokenCredential types and how to configure the required key-value pairs for each type.

Support for Azure credentials through configuration

The Microsoft.Extensions.Azure library can automatically provide Azure service clients with a TokenCredential class by searching appsettings.json or other configuration files for credential values using the IConfiguration abstraction for .NET. This approach allows developers to explicitly set credential values across different environments through configuration rather than through app code directly.

The following credential types are supported via configuration: ManagedIdentityCredential, WorkloadIdentityCredential, ClientSecretCredential, ClientCertificateCredential, and DefaultAzureCredential. Each type, and the key-value pairs that select it, is described in its own section below.

Configure Azure credentials

Azure service clients registered with the AddAzureClients method are automatically configured with an instance of DefaultAzureCredential if no explicit credential is supplied via the WithCredential extension method. You can also override the global DefaultAzureCredential using credential values from configuration files when registering a client to create a specific credential type:

builder.Services.AddAzureClients(clientBuilder =>
{
    // Register BlobServiceClient using credentials from appsettings.json
    clientBuilder.AddBlobServiceClient(builder.Configuration.GetSection("Storage"));

    // Register ServiceBusClient using the fallback DefaultAzureCredential credentials
    clientBuilder.AddServiceBusClientWithNamespace(
        "<your_namespace>.servicebus.windows.net");
});

The associated appsettings.json file:

"Storage": {
    "serviceUri": "<service_uri>",
    "credential": "managedidentity",
    "clientId":  "<clientId>"
}

Credential types that support the AdditionallyAllowedTenants property accept an additionallyAllowedTenants key, which specifies additional Microsoft Entra tenants beyond the default tenant for which the credential may acquire tokens. Separate multiple tenant IDs with semicolons.

Add the wildcard value "*" to allow the credential to acquire tokens for any Microsoft Entra tenant the logged in account can access. Prefer listing the specific tenant IDs the app needs: the wildcard removes the tenant restriction entirely, so a request for a token in an unexpected tenant is no longer refused. If no tenantId is specified for the credential, this option has no effect on that authentication method, and the credential acquires tokens for any requested tenant when using that method.

{
    "additionallyAllowedTenants":  "<tenant-ids-separated-by-semicolon>"
}

Create a ManagedIdentityCredential type

A ManagedIdentityCredential authenticates as the managed identity of the Azure resource the app runs on, so no secret is stored anywhere in configuration; it only works inside Azure. Add the following key-value pairs to your appsettings.json file to create an instance of Azure.Identity.ManagedIdentityCredential for either a user-assigned or a system-assigned managed identity.

User-assigned managed identities

Specify a user-assigned managed identity via a client ID:

{
    "credential": "managedidentity",
    "clientId":  "<clientId>"
}

Alternatively, specify a user-assigned managed identity via a resource ID:

{
    "credential": "managedidentity",
    "managedIdentityResourceId":  "<managedIdentityResourceId>"
}

The resource ID takes the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}.

System-assigned managed identities

Omit both clientId and managedIdentityResourceId to use the system-assigned identity of the hosting resource:

{
    "credential": "managedidentity"
}

Create a WorkloadIdentityCredential type

Add the following key-value pairs to your appsettings.json file to create an Azure.Identity.WorkloadIdentityCredential. The tokenFilePath value is the path of the federated (projected service account) token file that the workload identity webhook mounts into the pod; the credential exchanges that token for a Microsoft Entra access token for the app registration identified by tenantId and clientId:

{
    "credential": "workloadidentity",
    "tenantId":  "<tenantId>",
    "clientId":  "<clientId>",
    "tokenFilePath": "<tokenFilePath>"
}

Create a ClientSecretCredential type

Add the following key-value pairs to your appsettings.json file to create an Azure.Identity.ClientSecretCredential. No credential key is needed; this type is selected when tenantId, clientId, and clientSecret are all present. Don't commit the clientSecret value to appsettings.json: IConfiguration merges its providers, so leave the key out of the file and supply the value through an environment variable (for a section named Storage, the variable Storage__clientSecret), the user secrets store during development, or an Azure Key Vault configuration provider:

{
    "tenantId":  "<tenantId>",
    "clientId":  "<clientId>",
    "clientSecret": "<clientSecret>"
}

Create a ClientCertificateCredential type

Add the following key-value pairs to your appsettings.json file to create an Azure.Identity.ClientCertificateCredential. The clientCertificate value is the thumbprint of a certificate installed in the Personal (My) certificate store at clientCertificateStoreLocation; the library looks the certificate up by thumbprint rather than loading it from a file, so the private key never appears in configuration:

{
    "tenantId":  "<tenantId>",
    "clientId":  "<clientId>",
    "clientCertificate": "<clientCertificate>",
    "clientCertificateStoreLocation": "<clientCertificateStoreLocation>",
    "additionallyAllowedTenants": "<tenant-ids-separated-by-semicolon>"
}

Note

The clientCertificateStoreLocation and additionallyAllowedTenants key-value pairs are optional. If the keys are present and have empty values, they are ignored. clientCertificateStoreLocation takes a value of the System.Security.Cryptography.X509Certificates.StoreLocation enum, CurrentUser or LocalMachine; if it is not specified, the default CurrentUser is used.

Create a DefaultAzureCredential type

Add the following key-value pairs to your appsettings.json file to create an Azure.Identity.DefaultAzureCredential. All three keys are optional: a section that contains none of the keys from the earlier sections produces a DefaultAzureCredential, and these values only narrow the tenant and the user-assigned managed identity that its credential chain uses. Specify clientId or managedIdentityResourceId, not both:

{
    "tenantId":  "<tenantId>",
    "clientId":  "<clientId>",
    "managedIdentityResourceId": "<managedIdentityResourceId>"
}
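As an added example (not part of this article or of the Microsoft.Extensions.Azure library), the following Python script lints the credential sections of an appsettings.json file against the key-value pairs documented in the sections above. It reports which credential type each section resolves to, flags a clientSecret committed to the file, checks that managedIdentityResourceId has the userAssignedIdentities form, checks the store location for ClientCertificateCredential, and warns when additionallyAllowedTenants contains the "*" wildcard. The order in which it decides the credential type (explicit credential key first, then clientSecret, then clientCertificate, otherwise DefaultAzureCredential) follows the order of the sections above and is an assumption about the library's exact precedence; the sample configuration is constructed for the demonstration.

```python
import json
import re

# Keys this article documents for credential configuration sections.
CREDENTIAL_KEYS = {
    "credential", "tenantId", "clientId", "clientSecret", "clientCertificate",
    "clientCertificateStoreLocation", "managedIdentityResourceId",
    "tokenFilePath", "additionallyAllowedTenants",
}

# Form of a user-assigned identity resource ID, as given in the article.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
    re.IGNORECASE,
)
# Valid members of System.Security.Cryptography.X509Certificates.StoreLocation.
STORE_LOCATIONS = {"currentuser", "localmachine"}


def credential_type(section: dict) -> str:
    """Map a configuration section to the TokenCredential type it produces.
    Assumption: the library checks the keys in the order of the article's sections."""
    kind = str(section.get("credential", "")).lower()
    if kind == "managedidentity":
        return "ManagedIdentityCredential"
    if kind == "workloadidentity":
        return "WorkloadIdentityCredential"
    if section.get("clientSecret"):
        return "ClientSecretCredential"
    if section.get("clientCertificate"):
        return "ClientCertificateCredential"
    return "DefaultAzureCredential"


def lint_section(section: dict) -> tuple[str, list[str]]:
    """Return (credential type, findings) for one credential section."""
    findings: list[str] = []
    kind = credential_type(section)
    # Keys with empty values are ignored by the library, so treat them as absent.
    present = {k for k, v in section.items() if v not in (None, "")}

    def require(*keys: str) -> None:
        for key in keys:
            if key not in present:
                findings.append(f"{kind}: missing '{key}'")

    if kind == "ManagedIdentityCredential":
        if {"clientId", "managedIdentityResourceId"} <= present:
            findings.append(f"{kind}: set clientId or managedIdentityResourceId, not both")
        rid = section.get("managedIdentityResourceId")
        if rid and not RESOURCE_ID_RE.match(rid):
            findings.append(f"{kind}: managedIdentityResourceId is not a userAssignedIdentities resource ID")
    elif kind == "WorkloadIdentityCredential":
        require("tenantId", "clientId", "tokenFilePath")
    elif kind == "ClientSecretCredential":
        require("tenantId", "clientId")
        # A secret in the committed file is the finding; supply it from a secret store instead.
        findings.append(f"{kind}: clientSecret is stored in the configuration file; "
                        "supply it through an environment variable, user secrets or Key Vault")
    elif kind == "ClientCertificateCredential":
        require("tenantId", "clientId")
        location = section.get("clientCertificateStoreLocation")
        if location and location.lower() not in STORE_LOCATIONS:
            findings.append(f"{kind}: unknown clientCertificateStoreLocation '{location}'")

    tenants = section.get("additionallyAllowedTenants") or ""
    if "*" in [t.strip() for t in tenants.split(";")]:
        findings.append("additionallyAllowedTenants: wildcard '*' lets the credential acquire tokens for any tenant")
    return kind, findings


def lint_config(config: dict, path: str = "") -> dict[str, tuple[str, list[str]]]:
    """Walk the configuration tree and lint every object that carries credential keys."""
    results: dict[str, tuple[str, list[str]]] = {}
    for key, value in config.items():
        if not isinstance(value, dict):
            continue
        here = f"{path}:{key}" if path else key
        if CREDENTIAL_KEYS & value.keys():
            results[here] = lint_section(value)
        results.update(lint_config(value, here))
    return results


# Constructed appsettings.json content for the demonstration (not a real deployment).
SAMPLE_APPSETTINGS = """
{
  "Storage": {
    "serviceUri": "https://example.blob.core.windows.net",
    "credential": "managedidentity",
    "clientId": "00000000-0000-0000-0000-000000000001"
  },
  "KeyVault": {
    "vaultUri": "https://example.vault.azure.net",
    "credential": "managedidentity",
    "managedIdentityResourceId": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-id"
  },
  "ServiceBus": {
    "tenantId": "00000000-0000-0000-0000-00000000000a",
    "clientId": "00000000-0000-0000-0000-000000000002",
    "clientSecret": "hunter2",
    "additionallyAllowedTenants": "00000000-0000-0000-0000-00000000000b;*"
  },
  "EventHubs": {
    "tenantId": "00000000-0000-0000-0000-00000000000a",
    "clientId": "00000000-0000-0000-0000-000000000003",
    "clientCertificate": "A1B2C3",
    "clientCertificateStoreLocation": "Machine"
  }
}
"""

if __name__ == "__main__":
    for section_path, (kind, findings) in lint_config(json.loads(SAMPLE_APPSETTINGS)).items():
        print(f"{section_path} -> {kind}")
        for finding in findings:
            print(f"  ! {finding}")
```

Run it as a pre-commit check over appsettings*.json; because it only reads the file, a clientSecret supplied at runtime from an environment variable or Key Vault is correctly invisible to it, while one committed to the repository is reported.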