DefaultAzureCredential Class

A credential capable of handling most Azure SDK authentication scenarios. See https://aka.ms/azsdk/python/identity/credential-chains#usage-guidance-for-defaultazurecredential.

The identity it uses depends on the environment. When an access token is needed, it requests one using these identities in turn, stopping when one provides a token:

  1. A service principal configured by environment variables. See EnvironmentCredential for more details.

  2. WorkloadIdentityCredential if environment variable configuration is set by the Azure workload identity webhook.

  3. An Azure managed identity. See ManagedIdentityCredential for more details.

  4. On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variable AZURE_USERNAME is used to select which identity to use. See SharedTokenCacheCredential for more details.

  5. The identity currently logged in to the Azure CLI.

  6. The identity currently logged in to Azure PowerShell.

  7. The identity currently logged in to the Azure Developer CLI.

This default behavior is configurable with keyword arguments.

Inheritance
azure.identity.aio._credentials.chained.ChainedTokenCredential
DefaultAzureCredential

Constructor

DefaultAzureCredential(**kwargs: Any)

Keyword-Only Parameters

Name Description
authority
str

Authority of a Microsoft Entra endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. Managed identities ignore this because they reside in a single cloud.

exclude_workload_identity_credential

Whether to exclude the workload identity from the credential. Defaults to False.

exclude_developer_cli_credential

Whether to exclude the Azure Developer CLI from the credential. Defaults to False.

exclude_cli_credential

Whether to exclude the Azure CLI from the credential. Defaults to False.

exclude_environment_credential

Whether to exclude a service principal configured by environment variables from the credential. Defaults to False.

exclude_powershell_credential

Whether to exclude Azure PowerShell. Defaults to False.

exclude_visual_studio_code_credential

Whether to exclude stored credential from VS Code. Defaults to True.

exclude_managed_identity_credential

Whether to exclude managed identity from the credential. Defaults to False.

exclude_shared_token_cache_credential

Whether to exclude the shared token cache. Defaults to False.

managed_identity_client_id
str

The client ID of a user-assigned managed identity. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used.

workload_identity_client_id
str

The client ID of an identity assigned to the pod. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, the pod's default identity will be used.

workload_identity_tenant_id
str

Preferred tenant for WorkloadIdentityCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any.

shared_cache_username
str

Preferred username for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_USERNAME, if any.

shared_cache_tenant_id
str

Preferred tenant for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any.

visual_studio_code_tenant_id
str

Tenant ID to use when authenticating with VisualStudioCodeCredential. Defaults to the "Azure: Tenant" setting in VS Code's user settings or, when that setting has no value, the "organizations" tenant, which supports only Azure Active Directory work or school accounts.

process_timeout
int

The timeout in seconds to use for developer credentials that run subprocesses (e.g. AzureCliCredential, AzurePowerShellCredential). Defaults to 10 seconds.

Examples

Create a DefaultAzureCredential.


   from azure.identity.aio import DefaultAzureCredential

   credential = DefaultAzureCredential()

Methods

close

Close the transport sessions of all credentials in the chain.

get_token

Asynchronously request an access token for scopes.

This method is called automatically by Azure SDK clients.

get_token_info

Asynchronously request an access token for scopes.

This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.

close

Close the transport sessions of all credentials in the chain.

async close() -> None

get_token

Asynchronously request an access token for scopes.

This method is called automatically by Azure SDK clients.

async get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessToken

Parameters

Name Description
scopes
Required
str

desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name Description
claims
str

additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.

tenant_id
str

optional tenant to include in the token request.

Returns

Type Description

An access token with the desired scopes.

Exceptions

Type Description

authentication failed. The exception has a message attribute listing each authentication attempt and its error message.

get_token_info

Asynchronously request an access token for scopes.

This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.

async get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo

Parameters

Name Description
scopes
Required
str

desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name Description
options

A dictionary of options for the token request. Unknown options will be ignored. Optional.

Returns

Type Description
<xref:AccessTokenInfo>

An AccessTokenInfo instance containing information about the token.

Exceptions

Type Description

authentication failed. The exception has a message attribute listing each authentication attempt and its error message.