Authenticate .NET apps to Azure services during local development using service principals
บทความ
Developers need to debug and test cloud apps on their local workstation. When an app runs on a developer's workstation during local development, it must still authenticate to any Azure services used by the app. This article covers how to set up dedicated application service principal objects to be used during local development.
Dedicated application service principals for local development allow you to follow the principle of least privilege during app development. Since permissions are scoped to exactly what's needed for the app during development, app code is prevented from accidentally accessing an Azure resource intended for use by a different app. This also prevents bugs from occurring when the app is moved to production because the app was over-privileged in the dev environment.
An application service principal is set up for the app when the app is registered in Azure. When registering an app for local development, it's recommended to:
Create a separate app registration for each developer working on the app. This will create separate application service principals for each developer to use during local development and avoid the need for developers to share credentials for a single application service principal.
Create a separate app registration per app. This scopes the app's permissions to only what is needed by the app.
During local development, environment variables are set with the application service principal's identity. The Azure Identity library reads these environment variables and uses this information to authenticate the app to the Azure resources it needs.
1 - Register the application in Azure
Application service principal objects are created with an app registration in Azure. This can be done using either the Azure portal or Azure CLI.
Sign in to the Azure portal and follow these steps.
Instructions
Screenshot
In the Azure portal:
Enter app registrations in the search bar at the top of the Azure portal.
Select the item labeled App registrations under the Services heading on the menu that appears below the search bar.
On the App registrations page, select + New registration.
On the Register an application page, fill out the form as follows.
Name → Enter a name for the app registration in Azure. It's recommended this name include the app name, the user the app registration is for, and an identifier like 'dev' to indicate this app registration is for use in local development.
Supported account types → Accounts in this organizational directory only.
Select Register to register your app and create the application service principal.
On the App registration page for your app:
Application (client) ID → This is the app id the app will use to access Azure during local development. Copy this value to a temporary location in a text editor, as you'll need it in a future step.
Directory (tenant) id → This value will also be needed by your app when it authenticates to Azure. Copy this value to a temporary location in a text editor, as it will also be needed it in a future step.
Client credentials → You must set the client credentials for the app before your app can authenticate to Azure and use Azure services. Select Add a certificate or secret to add credentials for your app.
On the Certificates & secrets page, select + New client secret.
The Add a client secret dialog will pop out from the right-hand side of the page. In this dialog:
Description → Enter a value of Current.
Expires → Select a value of 24 months.
Select Add to add the secret.
On the Certificates & secrets page, you'll be shown the value of the client secret.
Copy this value to a temporary location in a text editor, as you'll need it in a future step.
IMPORTANT: This is the only time you will see this value. Once you leave or refresh this page, you won't be able to see this value again. You may add an additional client secret without invalidating this client secret, but you won't see this value again.
First, use the az ad sp create-for-rbac command to create a new service principal for the app. This will also create the app registration for the app at the same time.
az ad sp create-for-rbac \
--name {service-principal-name}
The output of this command resembles the following JSON:
Copy this output into a temporary file in a text editor, as you'll need these values in a future step. This is the only place you ever see the client secret (password) for the service principal. You can, however, add a new password later without invalidating the service principal or existing passwords, if needed.
2 - Create Microsoft Entra group for local development
Since there are typically multiple developers who work on an app, it's recommended to create a Microsoft Entra group to encapsulate the roles (permissions) the app needs in local development rather than assigning the roles to individual service principal objects. This approach offers the following advantages:
Every developer is assured to have the same roles assigned since roles are assigned at the group level.
If a new role is needed for the app, it only needs to be added to the group for the app.
If a new developer joins the team, a new application service principal is created for the developer and added to the group, assuring the developer has the right permissions to work on the app.
Navigate to the Microsoft Entra ID page in the Azure portal by typing Microsoft Entra ID into the search box at the top of the page. Select Microsoft Entra ID under the Services section.
On the Microsoft Entra ID page, select Groups from the left-hand menu.
On the All groups page, select New group.
On the New Group page:
Group type → Security
Group name → A name for the security group, typically created from the application name. It's also helpful to include a string like local-dev in the name of the group to indicate the purpose of the group.
Group description → A description of the purpose of the group.
Select the No members selected link under Members to add members to the group.
On the Add members dialog box:
Use the search box to filter the list of principal names in the list.
Select the application service principals for local development for this app. As objects are selected, they'll be greyed out and move to the Selected items list at the bottom of the dialog.
When finished, select the Select button.
Back on the New group page, select Create to create the group.
The group will be created and you'll be taken back to the All groups page. It may take up to 30 seconds for the group to appear. You may need to refresh the page due to caching in the Azure portal.
The az ad group create command is used to create groups in Microsoft Entra ID. The --display-name and --mail-nickname parameters are required. The name given to the group should be based on the name of the app. It's also useful to include a phrase like 'local-dev' in the group's name to indicate the group's purpose.
az ad group create \
--display-name MyDisplay \
--mail-nickname MyDisplay \
--description {group-description}
To add members to the group, you need the object ID of the application service principal, which is different than the application ID. Use the az ad sp list command to list the available service principals. The --filter parameter command accepts OData-style filters and can be used to filter the list as shown. The --query parameter limits columns to only those of interest.
az ad sp list \
--filter "startswith(displayName, 'msdocs')" \
--query "[].{objectId:objectId, displayName:displayName}" \
--output table
az ad group member add \
--group {group-name} \
--member-id {object-id}
3 - Assign roles to the application
Next, determine what roles (permissions) your app needs on what resources and assign those roles to your app. In this example, the roles will be assigned to the Microsoft Entra group created in step 2. Groups can be assigned a role at a resource, resource group, or subscription scope. This example shows how to assign roles at the resource group scope, since most apps group all their Azure resources into a single resource group.
Locate the resource group for your app by searching for the resource group name using the search box at the top of the Azure portal. Navigate to your resource group by selecting the resource group name under the Resource Groups heading in the dialog box.
On the page for the resource group, select Access control (IAM) from the left-hand menu.
On the Access control (IAM) page:
Select the Role assignments tab.
Select + Add from the top menu and then Add role assignment from the resulting drop-down menu.
The Add role assignment page lists all of the roles that can be assigned for the resource group.
Use the search box to filter the list to a more manageable size. This example shows how to filter for Storage Blob roles.
Select the role that you want to assign.
Select Next to go to the next screen.
The next Add role assignment page allows you to specify what user to assign the role to.
Select User, group, or service principal under Assign access to.
Select + Select members under Members.
A dialog box opens on the right-hand side of the Azure portal.
In the Select members dialog:
The Select text box can be used to filter the list of users and groups in your subscription. If needed, type the first few characters of the local development Microsoft Entra group you created for the app.
Select the local development Microsoft Entra group associated with your application.
Select Select at the bottom of the dialog to continue.
The Microsoft Entra group shows as selected on the Add role assignment screen. Select Review + assign to go to the final page and then Review + assign again to complete the process.
An application service principal is assigned a role in Azure using the az role assignment create command:
az role assignment create --assignee "{appId}" \
--role "{roleName}" \
--resource-group "{resourceGroupName}"
To get the role names that a service principal can be assigned to, use the az role definition list command:
az role definition list \
--query "sort_by([].{roleName:roleName, description:description}, &roleName)" \
--output table
For example, to allow the application service principal with the appId of 00000000-0000-0000-0000-000000000000 read, write, and delete access to Azure Storage blob containers and data to all storage accounts in the msdocs-dotnet-sdk-auth-example resource group, assign the application service principal to the Storage Blob Data Contributor role using the following command:
az role assignment create --assignee "00000000-0000-0000-0000-000000000000" \
--role "Storage Blob Data Contributor" \
--resource-group "msdocs-dotnet-sdk-auth-example"
At runtime, DefaultAzureCredential looks for the service principal information in a collection of environment variables. There are multiple ways to configure environment variables when working with .NET, depending on your tooling and environment.
Regardless of the approach you choose, configure the following environment variables when working with a service principal:
AZURE_CLIENT_ID → The app ID value.
AZURE_TENANT_ID → The tenant ID value.
AZURE_CLIENT_SECRET → The password/credential generated for the app.
When working locally with Visual Studio, environment variables can be set in the launchsettings.json file in the Properties folder of your project. When the app starts up, these values are pulled in automatically. Keep in mind, these configurations don't travel with your app when it's deployed, so you need to set up environment variables on your target hosting environment.
When working locally with Visual Studio Code, environment variables can be set in the launch.json file of your project. When the app starts up, these values will be pulled in automatically. Keep in mind, these configurations don't travel with your app when it's deployed, so you need to set up environment variables on your target hosting environment.
You can set environment variables for Windows from the command line. However, when using this approach, the values are accessible to all apps running on that operating system and may cause conflicts if you aren't careful. Environment variables can be set at the user or system level.
# Set user environment variables
setx ASPNETCORE_ENVIRONMENT "Development"
setx AZURE_CLIENT_ID "00000000-0000-0000-0000-000000000000"
setx AZURE_TENANT_ID "11111111-1111-1111-1111-111111111111"
setx AZURE_CLIENT_SECRET "=abcdefghijklmnopqrstuvwxyz"
# Set system environment variables - requires running as admin
setx ASPNETCORE_ENVIRONMENT "Development"
setx AZURE_CLIENT_ID "00000000-0000-0000-0000-000000000000" /m
setx AZURE_TENANT_ID "11111111-1111-1111-1111-111111111111" /m
setx AZURE_CLIENT_SECRET "=abcdefghijklmnopqrstuvwxyz" /m
PowerShell can also be used to set environment variables at the user or machine level:
# Set user environment variables
[Environment]::SetEnvironmentVariable("ASPNETCORE_ENVIRONMENT", "Development", "User")
[Environment]::SetEnvironmentVariable("AZURE_CLIENT_ID", "00000000-0000-0000-0000-000000000000", "User")
[Environment]::SetEnvironmentVariable("AZURE_TENANT_ID", "11111111-1111-1111-1111-111111111111", "User")
[Environment]::SetEnvironmentVariable("AZURE_CLIENT_SECRET", "=abcdefghijklmnopqrstuvwxyz", "User")
# Set system environment variables - requires running as admin
[Environment]::SetEnvironmentVariable("ASPNETCORE_ENVIRONMENT", "Development", "Machine")
[Environment]::SetEnvironmentVariable("AZURE_CLIENT_ID", "00000000-0000-0000-0000-000000000000", "Machine")
[Environment]::SetEnvironmentVariable("AZURE_TENANT_ID", "11111111-1111-1111-1111-111111111111", "Machine")
[Environment]::SetEnvironmentVariable("AZURE_CLIENT_SECRET", "=abcdefghijklmnopqrstuvwxyz", "Machine")
5 - Implement DefaultAzureCredential in your application
DefaultAzureCredential is an opinionated, ordered sequence of mechanisms for authenticating to Microsoft Entra ID. Each authentication mechanism is a class derived from the TokenCredential class and is known as a credential. At runtime, DefaultAzureCredential attempts to authenticate using the first credential. If that credential fails to acquire an access token, the next credential in the sequence is attempted, and so on, until an access token is successfully obtained. In this way, your app can use different credentials in different environments without writing environment-specific code.
Right-click your project in Visual Studio's Solution Explorer window and select Manage NuGet Packages. Search for Azure.Identity, and install the matching package. Repeat this process for the Microsoft.Extensions.Azure package.
Azure services are accessed using specialized client classes from the various Azure SDK client libraries. These classes and your own custom services should be registered so they can be accessed via dependency injection throughout your app. In Program.cs, complete the following steps to register a client class and DefaultAzureCredential:
Include the Azure.Identity and Microsoft.Extensions.Azure namespaces via using directives.
Register the Azure service client using the corresponding Add-prefixed extension method.
Pass an instance of DefaultAzureCredential to the UseCredential method.
For example:
using Microsoft.Extensions.Azure;
using Azure.Identity;
builder.Services.AddAzureClients(clientBuilder =>
{
clientBuilder.AddBlobServiceClient(
new Uri("https://<account-name>.blob.core.windows.net"));
clientBuilder.UseCredential(new DefaultAzureCredential());
});
An alternative to UseCredential is to instantiate DefaultAzureCredential directly:
using Azure.Identity;
builder.Services.AddSingleton<BlobServiceClient>(_ =>
new BlobServiceClient(
new Uri("https://<account-name>.blob.core.windows.net"),
new DefaultAzureCredential()));
When the preceding code runs on your local development workstation, it looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. Either approach can be used to authenticate the app to Azure resources during local development.
When deployed to Azure, this same code can also authenticate your app to other Azure resources. DefaultAzureCredential can retrieve environment settings and managed identity configurations to authenticate to other services automatically.