[Management] Authentication
Being authenticated to Azure requires the following information:
- Credential - This can be a username / password combination, or a service principal.
- Tenant - This is usually the email address domain registered for the subscription. E.g., contoso.com. There's also a UUID associated with each tenant.
- Environment - There are 4 pre-defined Azure environments as of today: public cloud, China cloud, US government cloud, and German cloud. Azure Stack deployments also have their own environments.
After providing this information you will be able to see your subscriptions. By selecting a subscription, you will have full access to Azure Resource Manager.
MSAL integrates with the Microsoft identity platform (v2.0) endpoint.
In the Azure Management Libraries for Java, MSAL is supported via the Azure Identity library.
For most scenarios, `DefaultAzureCredential` is the recommended approach, as it combines credentials commonly used to authenticate when deployed with credentials used to authenticate in a development environment. It will attempt to authenticate via the following mechanisms, in order:
- Environment - The `DefaultAzureCredential` will read account information specified via environment variables and use it to authenticate.
- Managed Identity - If the application is deployed to an Azure host with Managed Identity enabled, the `DefaultAzureCredential` will authenticate with that account.
- IntelliJ - If the developer has authenticated via Azure Toolkit for IntelliJ, the `DefaultAzureCredential` will authenticate with that account.
- Visual Studio Code - If the developer has authenticated via the Visual Studio Code Azure Account plugin, the `DefaultAzureCredential` will authenticate with that account.
- Azure CLI - If the developer has authenticated an account via the Azure CLI `az login` command, the `DefaultAzureCredential` will authenticate with that account.
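The following code snippet demonstrates how to authenticate to Azure using the `DefaultAzureCredential`:
```java
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;
AzureProfile profile = new AzureProfile(AzureEnvironment.AZURE); // Assume Global Cloud is used
AzureResourceManager azureResourceManager = AzureResourceManager
    .authenticate(new DefaultAzureCredentialBuilder().build(), profile)
    .withDefaultSubscription();
```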
Please note that for the code snippets above, the management libraries require a subscription ID and a tenant ID, which can be configured via environment variables as `AZURE_SUBSCRIPTION_ID` and `AZURE_TENANT_ID`, or via an alternative constructor of `AzureProfile`.
See Azure Identity Credential Types for all of the available developer credentials.
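As noted above, `DefaultAzureCredential` will attempt to authenticate with Managed Identity via the `ManagedIdentityCredential`, but you can also use it explicitly like this:
```java
import com.azure.core.credential.TokenCredential;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;
AzureProfile profile = new AzureProfile(AzureEnvironment.AZURE); // Assume Global Cloud is used
TokenCredential credential = new ManagedIdentityCredentialBuilder()
    .build();
AzureResourceManager azureResourceManager = AzureResourceManager
    .authenticate(credential, profile)
    .withDefaultSubscription();
```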
A service principal, by definition, is a local representation of an AD application in your tenant. A service principal, just like a user or a group, can be assigned permissions in AD and roles in Azure.
A service principal can authenticate to AD and Azure non-interactively. Password and certificate credentials can be added to or revoked from a service principal. They also come with an expiration date!
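As an added example (not code from this wiki), the following sketch authenticates a service principal with a client secret using Azure Identity's `ClientSecretCredentialBuilder`, and pins the tenant and subscription through the three-argument `AzureProfile` constructor mentioned above. The class name and the `requireEnv` helper are hypothetical; the secret is assumed to be supplied through the `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` environment variables rather than written into source.
```java
import com.azure.core.credential.TokenCredential;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;

// Hypothetical class name; added example, not part of the management libraries.
public class ServicePrincipalAuthExample {

    // Fail closed: stop if a value is missing instead of silently
    // authenticating as whatever other identity happens to be available.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }

    public static void main(String[] args) {
        // Tenant, subscription and environment are stated explicitly.
        AzureProfile profile = new AzureProfile(
            requireEnv("AZURE_TENANT_ID"),
            requireEnv("AZURE_SUBSCRIPTION_ID"),
            AzureEnvironment.AZURE); // Assumption: Global Cloud is used

        TokenCredential credential = new ClientSecretCredentialBuilder()
            .tenantId(profile.getTenantId())
            .clientId(requireEnv("AZURE_CLIENT_ID"))
            .clientSecret(requireEnv("AZURE_CLIENT_SECRET"))
            // Request tokens from the AD endpoint of the same environment as
            // the profile, so the secret is never sent to another cloud's authority.
            .authorityHost(profile.getEnvironment().getActiveDirectoryEndpoint())
            .build();

        AzureResourceManager azureResourceManager = AzureResourceManager
            .authenticate(credential, profile)
            .withSubscription(profile.getSubscriptionId());

        // Smoke test: only succeeds if the principal holds a role that
        // allows reading resource groups in this subscription.
        azureResourceManager.resourceGroups().list()
            .forEach(rg -> System.out.println(rg.name()));
    }
}
```
Because password credentials expire, an authentication failure from this code after a period of working correctly is worth checking against the secret's expiration date first.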