Install

Source: clone the upstream repo

```shell
git clone https://github.com/ComeOnOliver/skillshub
```

Claude Code: install into ~/.claude/skills/

```shell
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/microsoft/skills/azure-identity-py" ~/.claude/skills/comeonoliver-skillshub-azure-identity-py-991482 && rm -rf "$T"
```

Manifest: skills/microsoft/skills/azure-identity-py/SKILL.md

Source content:
# Azure Identity SDK for Python

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).

## Installation

```shell
pip install azure-identity
```
## Environment Variables

```shell
# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>
```
## DefaultAzureCredential

The recommended credential for most scenarios. It tries multiple authentication methods in order:

```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Works in local dev AND production without code changes
credential = DefaultAzureCredential()
client = BlobServiceClient(
    account_url="https://<account>.blob.core.windows.net",
    credential=credential
)
```
### Credential Chain Order

| Order | Credential | Environment |
|---|---|---|
| 1 | EnvironmentCredential | CI/CD, containers |
| 2 | WorkloadIdentityCredential | Kubernetes |
| 3 | ManagedIdentityCredential | Azure VMs, App Service, Functions |
| 4 | SharedTokenCacheCredential | Windows only |
| 5 | VisualStudioCodeCredential | VS Code with Azure extension |
| 6 | AzureCliCredential | |
| 7 | AzurePowerShellCredential | |
| 8 | AzureDeveloperCliCredential | |
### Customizing DefaultAzureCredential

```python
from azure.identity import DefaultAzureCredential

# Exclude credentials you don't need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="<user-assigned-mi-client-id>"  # For user-assigned MI
)

# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False
)
```
## Specific Credential Types

### ManagedIdentityCredential

For Azure-hosted resources (VMs, App Service, Functions, AKS):

```python
from azure.identity import ManagedIdentityCredential

# System-assigned managed identity
credential = ManagedIdentityCredential()

# User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="<user-assigned-mi-client-id>"
)
```
### ClientSecretCredential

For a service principal authenticating with a client secret:

```python
import os

from azure.identity import ClientSecretCredential

# Read the secret from the environment; never hardcode it
credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)
```
### AzureCliCredential

Uses the account from `az login`:

```python
from azure.identity import AzureCliCredential

credential = AzureCliCredential()
```
### ChainedTokenCredential

Custom credential chain:

```python
from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential
)

# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
    AzureCliCredential()
)
```
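The fall-through rule shared by the DefaultAzureCredential chain above and ChainedTokenCredential, modelled in plain Python as an added example (not azure-identity's own code; `FakeCredential` and the two exception classes are stand-ins for the library's, and every outcome is constructed): a credential that is unavailable is skipped, but one that tried to authenticate and was rejected stops the chain and is reported, rather than silently falling back to the next identity.

```python
from typing import List, NamedTuple, Sequence, Tuple


class AccessToken(NamedTuple):
    token: str
    expires_on: int  # Unix timestamp, same shape as azure.core's AccessToken


class CredentialUnavailableError(Exception):
    """Stand-in: the credential could not attempt auth at all (no env vars, no `az login`)."""


class ClientAuthenticationError(Exception):
    """Stand-in: the credential attempted auth and Entra ID rejected it."""


class FakeCredential:
    """One link in the chain; `outcome` is an AccessToken to return or an exception to raise."""

    def __init__(self, name: str, outcome) -> None:
        self.name, self.outcome, self.calls = name, outcome, 0

    def get_token(self, *scopes: str) -> AccessToken:
        self.calls += 1
        if isinstance(self.outcome, Exception):
            raise self.outcome
        return self.outcome


def chained_get_token(credentials: Sequence[FakeCredential],
                      *scopes: str) -> Tuple[AccessToken, List[Tuple[str, str]]]:
    """Return the first token the chain yields plus the credentials skipped on the way.

    Same rule as ChainedTokenCredential / DefaultAzureCredential: an unavailable
    credential is skipped, but any other error stops the chain, so a service
    principal with a wrong AZURE_CLIENT_SECRET is surfaced instead of silently
    falling back to another identity (for example a developer's `az login`).
    """
    history: List[Tuple[str, str]] = []
    for cred in credentials:
        try:
            return cred.get_token(*scopes), history
        except CredentialUnavailableError as exc:
            history.append((cred.name, f"unavailable: {exc}"))
        except Exception as exc:  # attempted and failed: do not try the next identity
            history.append((cred.name, f"failed: {exc}"))
            break
    detail = "; ".join(f"{name} {msg}" for name, msg in history)
    raise ClientAuthenticationError(f"no credential in the chain returned a token ({detail})")
```

The per-credential history in the final error is the detail worth keeping in CI logs when a chain fails, since it tells you which link was misconfigured and which one was actually rejected.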
## Credential Types Table

| Credential | Use Case | Auth Method |
|---|---|---|
| DefaultAzureCredential | Most scenarios | Auto-detect |
| ManagedIdentityCredential | Azure-hosted apps | Managed Identity |
| ClientSecretCredential | Service principal | Client secret |
| CertificateCredential | Service principal | Certificate |
| AzureCliCredential | Local development | Azure CLI |
| AzureDeveloperCliCredential | Local development | Azure Developer CLI |
| InteractiveBrowserCredential | User sign-in | Browser OAuth |
| DeviceCodeCredential | Headless/SSH | Device code flow |
## Getting Tokens Directly

```python
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

# Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")

# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
```
## Async Client

```python
from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient


async def main():
    credential = DefaultAzureCredential()
    async with BlobServiceClient(
        account_url="https://<account>.blob.core.windows.net",
        credential=credential
    ) as client:
        # ... async operations
        pass
    await credential.close()
```
## Best Practices

- Use DefaultAzureCredential for code that runs locally and in Azure
- Never hardcode credentials — use environment variables or managed identity
- Prefer managed identity in production Azure deployments
- Use ChainedTokenCredential when you need a custom credential order
- Close async credentials explicitly or use context managers
- Set AZURE_CLIENT_ID for user-assigned managed identities
- Exclude unused credentials to speed up authentication