Skip to content

Set up Your Environment for Authentication

Jump to bottom
Rick Winter edited this page Sep 21, 2021 · 5 revisions

Table of contents

Configure DefaultAzureCredential

DefaultAzureCredential supports configuration through the DefaultAzureCredentialOptions and/or environment variables.

  • Setting environment variables AZURE_TENANT_ID, and AZURE_CLIENT_ID are necessary for DefaultAzureCredential to begin checking the environment configuration and look for one of the following additional environment variables in order to authenticate:
    • Setting environment variable AZURE_CLIENT_SECRET configures the DefaultAzureCredential to choose ClientSecretCredential.
    • Setting environment variable AZURE_CLIENT_CERTIFICATE_PATH configures the DefaultAzureCredential to choose ClientCertificateCredential if AZURE_CLIENT_SECRET is not set.
    • Setting environment variable AZURE_USERNAME configures the DefaultAzureCredential to choose UsernamePasswordCredential if AZURE_CLIENT_SECRET and AZURE_CLIENT_CERTIFICATE_PATH are not set.

Creating a Service Principal with the Azure CLI

Use the Azure CLI snippet below to create/get client secret credentials.

  • Create a service principal and configure its access to Azure resources:

    az ad sp create-for-rbac -n <your-application-name> --skip-assignment

    Output:

    {
    "appId": "generated-app-ID",
    "displayName": "dummy-app-name",
    "name": "http://dummy-app-name",
    "password": "random-password",
    "tenant": "tenant-ID"
}

  • Run az ad sp create-for-rbac -n <your-application-name> --skip-assignment --cert <cert-name> --create-cert to create a service principal along with a certificate.

  • Use the returned credentials above to set AZURE_CLIENT_ID(appId), AZURE_CLIENT_SECRET(password) and AZURE_TENANT_ID(tenant) environment variables.

Enable applications for device code flow

In order to authenticate a user through device code flow, you need to go to Azure Active Directory on Azure Portal and find you app registration and enable the following 2 configurations:

device code enable

This will let the application authenticate, but the application still doesn't have permission to log you into Active Directory, or access resources on your behalf. Open API Permissions, and enable Microsoft Graph, and the resources you want to access, e.g., Azure Service Management, Key Vault, etc:

device code permissions

Note that you also need to be the admin of your tenant to grant consent to your application when you login for the first time. Also note after 2018 your Active Directory may require your application to be multi-tenant. Select "Accounts in any organizational directory" under Authentication panel (where you enabled Device Code) to make your application a multi-tenant app.

Enable applications for interactive browser oauth 2 flow

You need to register an application in Azure Active Directory with permissions to login on behalf of a user to use InteractiveBrowserCredential. Follow all the steps above for device code flow to register your application to support logging you into Active Directory and access certain resources. Note the same limitations apply that an admin of your tenant must grant consent to your application before any user account can login.

You may notice in InteractiveBrowserCredentialOptions, a port number can be specified, and you need to add the redirect URL on this page too:

interactive redirect uri

In this case, the port number is 8765.

Enable applications for oauth 2 auth code flow

You need the same application registered as in Enable applications for interactive browser oauth 2 flow, except that the redirect URL must be an API endpoint on your web application where the auth code must be handled as a query parameter.

Sign in Azure CLI for AzureCLICredential

Sign in Azure CLI with command

az login

as a user, or

az login --service-principal --username <client-id> --password <client-secret> --tenant <tenant-id>

as a service principal.

If the account / service principal has access to multiple tenants, make sure the desired tenant or subscription is in the state "Enabled" in the output from command:

az account list

Before you use AzureCLICredential in the code, run

az account get-access-token

to verify the account has been successfully configured.

You may have to repeat this process after a certain period (usually a few weeks to a few months based on the refresh token validity configured in your organization). AzureCLICredential will prompt you to sign in again.

Enable managed identity for Azure resources

Cloud shell

A system assigned managed identity is enabled by default in Azure Cloud Shell.

Virtual machines, App Services, Function Apps

Go to Azure Portal and navigate to your resource. You should see an "Identity" tab:

azure portal managed identity

You will be able to configure either system assigned or user assigned identities. For user assigned identities, the client ID of the managed identity must be used to create the ManagedIdentityCredential or DefaultAzureCredential.

Kubernetes Services (AKS)

Only user assigned identities are currently supported in AKS with the AAD Pod Identity plugin. Please follow the instructions in the repo as it may change between versions.

Clone this wiki locally