DefaultAzureCredential Class

A default credential capable of handling most Azure SDK authentication scenarios.

The identity it uses depends on the environment. When an access token is needed, it requests one using these identities in turn, stopping when one provides a token:

  1. A service principal configured by environment variables. See EnvironmentCredential for more details.

  2. An Azure managed identity. See ManagedIdentityCredential for more details.

  3. On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variable AZURE_USERNAME is used to select which identity to use. See SharedTokenCacheCredential for more details.

  4. The user currently signed in to Visual Studio Code.

  5. The identity currently logged in to the Azure CLI.

  6. The identity currently logged in to Azure PowerShell.

This default behavior is configurable with keyword arguments.

Inheritance
azure.identity._credentials.chained.ChainedTokenCredential
DefaultAzureCredential

Constructor

DefaultAzureCredential(**kwargs: Any)

Parameters

authority
str

Authority of an Azure Active Directory endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. Managed identities ignore this because they reside in a single cloud.

exclude_cli_credential
bool

Whether to exclude the Azure CLI from the credential. Defaults to False.

exclude_environment_credential
bool

Whether to exclude a service principal configured by environment variables from the credential. Defaults to False.

exclude_managed_identity_credential
bool

Whether to exclude managed identity from the credential. Defaults to False.

exclude_powershell_credential
bool

Whether to exclude Azure PowerShell. Defaults to False.

exclude_visual_studio_code_credential
bool

Whether to exclude the stored credential from VS Code. Defaults to False.

exclude_shared_token_cache_credential
bool

Whether to exclude the shared token cache. Defaults to False.

exclude_interactive_browser_credential
bool

Whether to exclude interactive browser authentication (see InteractiveBrowserCredential). Defaults to True.

interactive_browser_tenant_id
str

Tenant ID to use when authenticating a user through InteractiveBrowserCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any. If unspecified, users will authenticate in their home tenants.

managed_identity_client_id
str

The client ID of a user-assigned managed identity. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used.

interactive_browser_client_id
str

The client ID to be used in interactive browser credential. If not specified, users will authenticate to an Azure development application.

shared_cache_username
str

Preferred username for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_USERNAME, if any.

shared_cache_tenant_id
str

Preferred tenant for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any.

visual_studio_code_tenant_id
str

Tenant ID to use when authenticating with VisualStudioCodeCredential. Defaults to the "Azure: Tenant" setting in VS Code's user settings or, when that setting has no value, the "organizations" tenant, which supports only Azure Active Directory work or school accounts.
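
Because the chain stops at the first identity that provides a token, a service principal left in environment variables is used before a managed identity. The following added example (not part of the SDK or its documentation) uses the exclude_* flags above to pin the chain to one source per deployment profile; the profile names and helper functions are hypothetical, and the interactive browser is assumed to sit last in the chain.

```python
# Added example: pin DefaultAzureCredential's chain per deployment profile.
# Flag names come from the parameter list on this page; profiles are hypothetical.

# Chain order as listed on this page: (source, flag that excludes it, default).
CHAIN = [
    ("environment", "exclude_environment_credential", False),
    ("managed_identity", "exclude_managed_identity_credential", False),
    ("shared_token_cache", "exclude_shared_token_cache_credential", False),  # Windows only
    ("visual_studio_code", "exclude_visual_studio_code_credential", False),
    ("azure_cli", "exclude_cli_credential", False),
    ("azure_powershell", "exclude_powershell_credential", False),
    # Off by default; the page lists no position for it (assumed last here).
    ("interactive_browser", "exclude_interactive_browser_credential", True),
]

# Hypothetical profiles: the only sources each deployment type may use.
PROFILES = {
    "production": {"managed_identity"},
    "ci": {"environment"},
    "workstation": {"azure_cli"},
}


def chain_kwargs(profile, managed_identity_client_id=None):
    """Return keyword arguments that leave only the profile's sources enabled."""
    allowed = PROFILES[profile]  # unknown profile raises KeyError: fail closed
    kwargs = {flag: name not in allowed for name, flag, _ in CHAIN}
    if managed_identity_client_id and "managed_identity" in allowed:
        kwargs["managed_identity_client_id"] = managed_identity_client_id
    return kwargs


def active_sources(kwargs):
    """List, in chain order, the sources a given set of kwargs leaves enabled."""
    return [name for name, flag, default in CHAIN if not kwargs.get(flag, default)]


def build_credential(profile, **extra):
    """Construct the credential; requires the azure-identity package."""
    from azure.identity import DefaultAzureCredential
    return DefaultAzureCredential(**chain_kwargs(profile, **extra))


if __name__ == "__main__":
    print("default chain:", active_sources({}))
    for profile in PROFILES:
        print(profile, "->", active_sources(chain_kwargs(profile)))
```

Every flag is set explicitly, so the resulting chain does not change if a default does.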

Methods

get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

get_token(*scopes: str, **kwargs: Any) -> AccessToken

Parameters

scopes
str
Required

Desired scopes for the access token. This method requires at least one scope.

tenant_id
str

Optional tenant to include in the token request.

Return type

AccessToken

Exceptions

authentication failed. The exception has a message attribute listing each authentication attempt and its error message.