Set up Your Environment for Authentication

Rick Winter edited this page Sep 21, 2021 · 5 revisions

Configure DefaultAzureCredential

DefaultAzureCredential supports configuration through the DefaultAzureCredentialOptions and/or environment variables.

  • Setting the environment variables AZURE_TENANT_ID and AZURE_CLIENT_ID is necessary for DefaultAzureCredential to begin checking the environment configuration and look for one of the following additional environment variables to authenticate with:
    • Setting environment variable AZURE_CLIENT_SECRET configures the DefaultAzureCredential to choose ClientSecretCredential.
    • Setting environment variable AZURE_CLIENT_CERTIFICATE_PATH configures the DefaultAzureCredential to choose ClientCertificateCredential if AZURE_CLIENT_SECRET is not set.
    • Setting environment variable AZURE_USERNAME configures the DefaultAzureCredential to choose UsernamePasswordCredential if AZURE_CLIENT_SECRET and AZURE_CLIENT_CERTIFICATE_PATH are not set.
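
The selection order above, written out as a preflight check (an added example, not code from the SDK or this wiki; the function names are hypothetical and all values are constructed). It reports which credential the environment configuration would select and which set variables are ignored, without printing any secret value.

```shell
# Added example: mirrors the environment-variable precedence described above.
# Function names are hypothetical; variables are reported by name only.

# Prints the credential the environment configuration would select.
# Returns 1 when the configuration is incomplete.
env_credential_choice() {
    # Both identifiers are required before any other variable is considered.
    if [ -z "${AZURE_TENANT_ID:-}" ] || [ -z "${AZURE_CLIENT_ID:-}" ]; then
        echo "none"; return 1
    fi
    if [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
        echo "ClientSecretCredential"
    elif [ -n "${AZURE_CLIENT_CERTIFICATE_PATH:-}" ]; then
        echo "ClientCertificateCredential"
    elif [ -n "${AZURE_USERNAME:-}" ]; then
        echo "UsernamePasswordCredential"
    else
        echo "none"; return 1
    fi
}

# Lists variables that are set but ignored because a higher-priority one wins.
# Leftover credentials in the environment are worth removing.
env_credential_shadowed() {
    shadowed=""
    if [ -n "${AZURE_CLIENT_SECRET:-}" ] && [ -n "${AZURE_CLIENT_CERTIFICATE_PATH:-}" ]; then
        shadowed="AZURE_CLIENT_CERTIFICATE_PATH"
    fi
    if [ -n "${AZURE_CLIENT_SECRET:-}${AZURE_CLIENT_CERTIFICATE_PATH:-}" ] && [ -n "${AZURE_USERNAME:-}" ]; then
        shadowed="$shadowed AZURE_USERNAME"
    fi
    echo "${shadowed# }"
}

# Constructed demo values (not real credentials), in a subshell so the
# caller's environment is left untouched.
(
    unset AZURE_CLIENT_CERTIFICATE_PATH
    AZURE_TENANT_ID="tenant-ID"; AZURE_CLIENT_ID="generated-app-ID"
    AZURE_CLIENT_SECRET="random-password"; AZURE_USERNAME="user@example.com"
    echo "selected: $(env_credential_choice)"
    echo "ignored:  $(env_credential_shadowed)"
)
```

Source the file in the shell that will launch the application and call `env_credential_choice` there, so the check sees the same variables the process will inherit.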

Creating a Service Principal with the Azure CLI

Use the Azure CLI snippet below to create/get client secret credentials.

  • Create a service principal and configure its access to Azure resources:

    az ad sp create-for-rbac -n <your-application-name> --skip-assignment

    Output:

    {
        "appId": "generated-app-ID",
        "displayName": "dummy-app-name",
        "name": "http://dummy-app-name",
        "password": "random-password",
        "tenant": "tenant-ID"
    }
  • Run az ad sp create-for-rbac -n <your-application-name> --skip-assignment --cert <cert-name> --create-cert to create a service principal along with a certificate.

  • Use the credentials returned above to set the AZURE_CLIENT_ID (appId), AZURE_CLIENT_SECRET (password) and AZURE_TENANT_ID (tenant) environment variables.

Enable applications for device code flow

In order to authenticate a user through device code flow, you need to go to Azure Active Directory on Azure Portal, find your app registration, and enable the following 2 configurations:

[Image: device code enable]

This will let the application authenticate, but the application still doesn't have permission to log you into Active Directory, or access resources on your behalf. Open API Permissions, and enable Microsoft Graph, and the resources you want to access, e.g., Azure Service Management, Key Vault, etc:

[Image: device code permissions]

Note that you also need to be the admin of your tenant to grant consent to your application when you log in for the first time. Also note that after 2018 your Active Directory may require your application to be multi-tenant. Select "Accounts in any organizational directory" under the Authentication panel (where you enabled Device Code) to make your application a multi-tenant app.

Enable applications for interactive browser oauth 2 flow

To use InteractiveBrowserCredential, you need to register an application in Azure Active Directory with permissions to log in on behalf of a user. Follow all the steps above for device code flow to register your application to support logging you into Active Directory and accessing certain resources. Note that the same limitation applies: an admin of your tenant must grant consent to your application before any user account can log in.

You may notice that a port number can be specified in InteractiveBrowserCredentialOptions; you need to add the redirect URL on this page too:

[Image: interactive redirect uri]

In this case, the port number is 8765.

Enable applications for oauth 2 auth code flow

You need the same application registered as in Enable applications for interactive browser oauth 2 flow, except that the redirect URL must be an API endpoint on your web application where the auth code must be handled as a query parameter.

Sign in Azure CLI for AzureCLICredential

Sign in to the Azure CLI with the command

az login

as a user, or

az login --service-principal --username <client-id> --password <client-secret> --tenant <tenant-id>

as a service principal.

If the account / service principal has access to multiple tenants, make sure the desired tenant or subscription is in the state "Enabled" in the output from the command:

az account list

Before you use AzureCLICredential in the code, run

az account get-access-token

to verify the account has been successfully configured.

You may have to repeat this process after a certain period (usually a few weeks to a few months based on the refresh token validity configured in your organization). AzureCLICredential will prompt you to sign in again.

Enable managed identity for Azure resources

Cloud shell

A system assigned managed identity is enabled by default in Azure Cloud Shell.

Virtual machines, App Services, Function Apps

Go to Azure Portal and navigate to your resource. You should see an "Identity" tab:

[Image: azure portal managed identity]

You will be able to configure either system assigned or user assigned identities. For user assigned identities, the client ID of the managed identity must be used to create the ManagedIdentityCredential or DefaultAzureCredential.

Kubernetes Services (AKS)

Only user assigned identities are currently supported in AKS with the AAD Pod Identity plugin. Please follow the instructions in the repo, as they may change between versions.