CertificateCredential Class

Authenticates as a service principal using a certificate.

The certificate must have an RSA private key, because this credential signs assertions using RS256. See Microsoft Entra ID documentation for more information on configuring certificate authentication.

Inheritance
azure.identity._internal.client_credential_base.ClientCredentialBase
CertificateCredential

Constructor

CertificateCredential(tenant_id: str, client_id: str, certificate_path: str | None = None, **kwargs: Any)

Parameters

tenant_id
str
Required

ID of the service principal's tenant. Also called its "directory" ID.

client_id
str
Required

The service principal's client ID

certificate_path
str
default value: None

Optional path to a certificate file in PEM or PKCS12 format, including the private key. If not provided, certificate_data is required.

authority
str

Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.

certificate_data
bytes

The bytes of a certificate in PEM or PKCS12 format, including the private key

password
str or bytes

The certificate's password. If a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.

send_certificate_chain
bool

If True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False.

cache_persistence_options
TokenCachePersistenceOptions

Configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.

disable_instance_discovery
bool

Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

additionally_allowed_tenants
List[str]

Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.

Examples

Create a CertificateCredential.


   from azure.identity import CertificateCredential

   credential = CertificateCredential(
       tenant_id="<tenant_id>",
       client_id="<client_id>",
       certificate_path="<path to PEM/PKCS12 certificate>",
       password="<certificate password if necessary>",
   )

   # Certificate/private key byte data can also be passed directly
   credential = CertificateCredential(
       tenant_id="<tenant_id>",
       client_id="<client_id>",
       certificate_data=b"<cert data>",
   )

Methods

close
get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

close

close() -> None

get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessToken

Parameters

scopes
str
Required

desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/azure/active-directory/develop/scopes-oidc.

claims
str

additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.

tenant_id
str

optional tenant to include in the token request.

enable_cae
bool

indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.

Returns

An access token with the desired scopes.

Return type

Exceptions

the credential is unable to attempt authentication because it lacks required data, state, or platform support

authentication failed. The error's message attribute gives a reason.