
Class EnvironmentCredential

Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user with a username and password.

Configuration is attempted in this order, using these environment variables:

Service principal with secret:

| Variable | Description |
| --- | --- |
| AZURE_TENANT_ID | The Microsoft Entra tenant (directory) ID. |
| AZURE_CLIENT_ID | The client (application) ID of an App Registration in the tenant. |
| AZURE_CLIENT_SECRET | A client secret that was generated for the App Registration. |

Service principal with certificate:

| Variable | Description |
| --- | --- |
| AZURE_TENANT_ID | The Microsoft Entra tenant (directory) ID. |
| AZURE_CLIENT_ID | The client (application) ID of an App Registration in the tenant. |
| AZURE_CLIENT_CERTIFICATE_PATH | A path to certificate and private key pair in PEM or PFX format, which can authenticate the App Registration. |
| AZURE_CLIENT_CERTIFICATE_PASSWORD | (Optional) The password protecting the certificate file (currently only supported for PFX (PKCS12) certificates). |
| AZURE_CLIENT_SEND_CERTIFICATE_CHAIN | (Optional) Specifies whether an authentication request will include an x5c header to support subject name / issuer based authentication. When set to `true` or `1`, authentication requests include the x5c header. |

Username and password:

| Variable | Description |
| --- | --- |
| AZURE_TENANT_ID | The Microsoft Entra tenant (directory) ID. |
| AZURE_CLIENT_ID | The client (application) ID of an App Registration in the tenant. |
| AZURE_USERNAME | The username, also known as upn, of a Microsoft Entra user account. |
| AZURE_PASSWORD | The password of the Microsoft Entra user account. Note this does not support accounts with MFA enabled. |

This credential ultimately uses a ClientSecretCredential, ClientCertificateCredential, or UsernamePasswordCredential to perform the authentication using these details. Consult the documentation of those classes for more details.

Inheritance
Azure.Core.TokenCredential
EnvironmentCredential
Namespace: Azure.Identity
Assembly: Azure.Identity.dll
Syntax
public class EnvironmentCredential : Azure.Core.TokenCredential

Constructors

EnvironmentCredential()

Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default Azure.Core.AccessToken when invoked.

Declaration
public EnvironmentCredential ();

EnvironmentCredential(EnvironmentCredentialOptions)

Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default Azure.Core.AccessToken when invoked.

Declaration
public EnvironmentCredential (Azure.Identity.EnvironmentCredentialOptions options);
Parameters
EnvironmentCredentialOptions options

Options that configure the management of the requests sent to Microsoft Entra ID.

EnvironmentCredential(TokenCredentialOptions)

Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default Azure.Core.AccessToken when invoked.

Declaration
[System.ComponentModel.EditorBrowsable]
public EnvironmentCredential (Azure.Identity.TokenCredentialOptions options);
Parameters
TokenCredentialOptions options

Options that configure the management of the requests sent to Microsoft Entra ID.

Methods

GetToken(TokenRequestContext, CancellationToken)

Obtains a token from Microsoft Entra ID, using the client details specified in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing are handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.

Declaration
public override Azure.Core.AccessToken GetToken (Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default);
Parameters
Azure.Core.TokenRequestContext requestContext

The details of the authentication request.

System.Threading.CancellationToken cancellationToken

A System.Threading.CancellationToken controlling the request lifetime.

Returns
Azure.Core.AccessToken

An Azure.Core.AccessToken which can be used to authenticate service client calls.

Remarks

If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default Azure.Core.AccessToken

Exceptions
AuthenticationFailedException

Thrown when the authentication failed.

CredentialUnavailableException

Thrown when the credential is unavailable because the environment is not properly configured.

GetTokenAsync(TokenRequestContext, CancellationToken)

Obtains a token from Microsoft Entra ID, using the client details specified in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing are handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.

Declaration
[System.Diagnostics.DebuggerStepThrough]
public override System.Threading.Tasks.ValueTask<Azure.Core.AccessToken> GetTokenAsync (Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default);
Parameters
Azure.Core.TokenRequestContext requestContext

The details of the authentication request.

System.Threading.CancellationToken cancellationToken

A System.Threading.CancellationToken controlling the request lifetime.

Returns
System.Threading.Tasks.ValueTask<Azure.Core.AccessToken>

An Azure.Core.AccessToken which can be used to authenticate service client calls, or a default Azure.Core.AccessToken.

Remarks

If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default Azure.Core.AccessToken

Exceptions
AuthenticationFailedException

Thrown when the authentication failed.

CredentialUnavailableException

Thrown when the credential is unavailable because the environment is not properly configured.
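
The following is an added example, not code from the Azure SDK: a startup pre-flight that reports which authentication mode the environment variables select, without printing any secret value, and then requests a token while handling the two documented exceptions. The `DescribeMode` helper is hypothetical and follows the order listed on this page rather than the library's own selection code; the Azure Resource Manager scope is an assumed value.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

static class EnvironmentCredentialPreflight
{
    static bool IsSet(string name) =>
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable(name));

    // Hypothetical helper: mirrors the order documented on this page.
    // It reports only which variables are present, never their values.
    static string DescribeMode()
    {
        if (!IsSet("AZURE_TENANT_ID") || !IsSet("AZURE_CLIENT_ID"))
            return "unconfigured";
        if (IsSet("AZURE_CLIENT_SECRET")) return "client secret";
        if (IsSet("AZURE_CLIENT_CERTIFICATE_PATH")) return "client certificate";
        if (IsSet("AZURE_USERNAME") && IsSet("AZURE_PASSWORD"))
            return "username/password (accounts with MFA are not supported)";
        return "unconfigured";
    }

    static async Task<int> Main()
    {
        Console.WriteLine($"Expected mode: {DescribeMode()}");
        // Reuse one instance so its token cache stays effective.
        var credential = new EnvironmentCredential();
        // Assumed scope for illustration (Azure Resource Manager).
        var context = new TokenRequestContext(new[] { "https://management.azure.com/.default" });
        try
        {
            AccessToken token = await credential.GetTokenAsync(context);
            // Log the expiry only; the token itself is a bearer secret.
            Console.WriteLine($"Token acquired, expires {token.ExpiresOn:u}");
            return 0;
        }
        catch (CredentialUnavailableException ex)
        {
            // Caught first: it derives from AuthenticationFailedException.
            Console.Error.WriteLine($"Environment not configured: {ex.Message}");
            return 2;
        }
        catch (AuthenticationFailedException ex)
        {
            Console.Error.WriteLine($"Authentication failed: {ex.Message}");
            return 1;
        }
    }
}
```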
