Azure authentication with Java and Azure Identity

This article provides an overview of the Azure Identity library for Java, which provides Microsoft Entra token authentication support across the Azure SDK for Java. This library provides a set of TokenCredential implementations that you can use to construct Azure SDK clients that support Microsoft Entra token authentication.

The Azure Identity library currently supports:

• Azure authentication in Java development environments, which enables:
  • IDEA IntelliJ authentication, with the sign-in information retrieved from the Azure Toolkit for IntelliJ.
  • Azure CLI authentication, with the sign-in information saved in the Azure CLI
  • Azure Developer CLI authentication, with the sign-in information saved in the Azure Developer CLI
  • Azure PowerShell authentication, with the sign-in information saved in Azure PowerShell
• Authenticating applications hosted in Azure, which enables:
  • DefaultAzureCredential authentication
  • Managed Identity authentication
• Authentication with service principals, which enables:
  • Client Secret authentication
  • Client Certificate authentication
• Authentication with user credentials, which enables:
  • Interactive browser authentication
  • Device code authentication
  • Username/password authentication

Follow these links to learn more about the specifics of each of these authentication approaches. In the rest of this article, we introduce the commonly used DefaultAzureCredential and related subjects.

Add the Maven dependencies

To add the Maven dependency, include the following XML in the project's pom.xml file. Replace {version_number} with the latest stable release's version number, as shown on the Azure Identity library page.

<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>{version_number}</version>
</dependency>

Key concepts

There are two key concepts in understanding the Azure Identity library: the concept of a credential, and the most common implementation of that credential, DefaultAzureCredential.

A credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept credentials when they're constructed, and service clients use those credentials to authenticate requests to the service.

The Azure Identity library focuses on OAuth authentication with Microsoft Entra ID, and it offers various credential classes that can acquire a Microsoft Entra token to authenticate service requests. All of the credential classes in this library are implementations of the TokenCredential abstract class in azure-core, and you can use any of them to construct service clients that can authenticate with a TokenCredential.

DefaultAzureCredential is appropriate for most scenarios where the application is intended to ultimately run in the Azure Cloud. DefaultAzureCredential combines credentials that are commonly used to authenticate when deployed, with credentials that are used to authenticate in a development environment. For more information, including examples using DefaultAzureCredential, see the DefaultAzureCredential section of Authenticating Azure-hosted Java applications.

Examples

As noted in Use the Azure SDK for Java, the management libraries differ slightly. One of the ways they differ is that there are libraries for consuming Azure services, called client libraries, and libraries for managing Azure services, called management libraries. In the following sections, there's a quick overview of authenticating in both client and management libraries.

Authenticate Azure client libraries

The following example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using DefaultAzureCredential.

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
  .vaultUrl("https://<your Key Vault name>.vault.azure.net")
  .credential(new DefaultAzureCredentialBuilder().build())
  .buildClient();

Authenticate Azure management libraries

The Azure management libraries use the same credential APIs as the Azure client libraries, but also require an Azure subscription ID to manage the Azure resources on that subscription.

You can find the subscription IDs on the Subscriptions page in the Azure portal. Alternatively, use the following Azure CLI command to get subscription IDs:

az account list --output table

You can set the subscription ID in the AZURE_SUBSCRIPTION_ID environment variable. AzureProfile picks up this ID as the default subscription ID during the creation of a Manager instance in the following example:

AzureResourceManager azureResourceManager = AzureResourceManager.authenticate(
        new DefaultAzureCredentialBuilder().build(),
        new AzureProfile(AzureEnvironment.AZURE))
    .withDefaultSubscription();

DefaultAzureCredential used in this example authenticates an AzureResourceManager instance using DefaultAzureCredential. You can also use other Token Credential implementations offered in the Azure Identity library in place of DefaultAzureCredential.

Troubleshooting

For guidance, see Troubleshoot Azure Identity authentication issues.

Next steps

This article introduced the Azure Identity functionality available in the Azure SDK for Java. It described DefaultAzureCredential as common and appropriate in many cases. The following articles describe other ways to authenticate using the Azure Identity library, and provide more information about DefaultAzureCredential:

• Azure authentication in development environments
• Authenticating applications hosted in Azure
• Authentication with service principals
• Authentication with user credentials