Azure Identity SDK for TypeScript Authenticate to Azure services with various credential types. Installation npm install @azure/identity Environment Variables Service Principal (Secret) AZURE_TENANT_ID = < tenant-id
AZURE_CLIENT_ID
< client-id
AZURE_CLIENT_SECRET
< client-secret
Service Principal (Certificate) AZURE_TENANT_ID = < tenant-id
AZURE_CLIENT_ID
< client-id
AZURE_CLIENT_CERTIFICATE_PATH
/path/to/cert.pem AZURE_CLIENT_CERTIFICATE_PASSWORD = < optional-password
Workload Identity (Kubernetes) AZURE_TENANT_ID = < tenant-id
AZURE_CLIENT_ID
< client-id
AZURE_FEDERATED_TOKEN_FILE
/var/run/secrets/tokens/azure-identity DefaultAzureCredential (Recommended) import { DefaultAzureCredential } from "@azure/identity" ; const credential = new DefaultAzureCredential ( ) ; // Use with any Azure SDK client import { BlobServiceClient } from "@azure/storage-blob" ; const blobClient = new BlobServiceClient ( "https://
.blob.core.windows.net" , credential ) ; Credential Chain Order: EnvironmentCredential WorkloadIdentityCredential ManagedIdentityCredential VisualStudioCodeCredential AzureCliCredential AzurePowerShellCredential AzureDeveloperCliCredential Managed Identity System-Assigned import { ManagedIdentityCredential } from "@azure/identity" ; const credential = new ManagedIdentityCredential ( ) ; User-Assigned (by Client ID) const credential = new ManagedIdentityCredential ( { clientId : " " } ) ; User-Assigned (by Resource ID) const credential = new ManagedIdentityCredential ( { resourceId : "/subscriptions//resourceGroups/ /providers/Microsoft.ManagedIdentity/userAssignedIdentities/ " } ) ; Service Principal Client Secret import { ClientSecretCredential } from "@azure/identity" ; const credential = new ClientSecretCredential ( " " , " " , " " ) ; Client Certificate import { ClientCertificateCredential } from "@azure/identity" ; const credential = new ClientCertificateCredential ( " " , " " , { certificatePath : "/path/to/cert.pem" } ) ; // With password const credentialWithPwd = new ClientCertificateCredential ( " " , " " , { certificatePath : "/path/to/cert.pem" , certificatePassword : " " } ) ; Interactive Authentication Browser-Based Login import { InteractiveBrowserCredential } from "@azure/identity" ; const credential = new InteractiveBrowserCredential ( { clientId : " " , tenantId : " " , loginHint : "user@example.com" } ) ; Device Code Flow import { DeviceCodeCredential } from "@azure/identity" ; const credential = new DeviceCodeCredential ( { clientId : " " , tenantId : " " , userPromptCallback : ( info ) => { console . log ( info . message ) ; // "To sign in, use a web browser to open..." } } ) ; Custom Credential Chain import { ChainedTokenCredential , ManagedIdentityCredential , AzureCliCredential } from "@azure/identity" ; // Try managed identity first, fall back to CLI const credential = new ChainedTokenCredential ( new ManagedIdentityCredential ( ) , new AzureCliCredential ( ) ) ; Developer Credentials Azure CLI import { AzureCliCredential } from "@azure/identity" ; const credential = new AzureCliCredential ( ) ; // Uses: az login Azure Developer CLI import { AzureDeveloperCliCredential } from "@azure/identity" ; const credential = new AzureDeveloperCliCredential ( ) ; // Uses: azd auth login Azure PowerShell import { AzurePowerShellCredential } from "@azure/identity" ; const credential = new AzurePowerShellCredential ( ) ; // Uses: Connect-AzAccount Sovereign Clouds import { ClientSecretCredential , AzureAuthorityHosts } from "@azure/identity" ; // Azure Government const credential = new ClientSecretCredential ( " " , " " , " " , { authorityHost : AzureAuthorityHosts . AzureGovernment } ) ; // Azure China const credentialChina = new ClientSecretCredential ( " " , " " , " " , { authorityHost : AzureAuthorityHosts . AzureChina } ) ; Bearer Token Provider import { DefaultAzureCredential , getBearerTokenProvider } from "@azure/identity" ; const credential = new DefaultAzureCredential ( ) ; // Create a function that returns tokens const getAccessToken = getBearerTokenProvider ( credential , "https://cognitiveservices.azure.com/.default" ) ; // Use with APIs that need bearer tokens const token = await getAccessToken ( ) ; Key Types import type { TokenCredential , AccessToken , GetTokenOptions } from "@azure/core-auth" ; import { DefaultAzureCredential , DefaultAzureCredentialOptions , ManagedIdentityCredential , ClientSecretCredential , ClientCertificateCredential , InteractiveBrowserCredential , ChainedTokenCredential , AzureCliCredential , AzurePowerShellCredential , AzureDeveloperCliCredential , DeviceCodeCredential , AzureAuthorityHosts } from "@azure/identity" ; Custom Credential Implementation import type { TokenCredential , AccessToken , GetTokenOptions } from "@azure/core-auth" ; class CustomCredential implements TokenCredential { async getToken ( scopes : string | string [ ] , options ? : GetTokenOptions ) : Promise < AccessToken | null { // Custom token acquisition logic return { token : "
" , expiresOnTimestamp : Date . now ( ) + 3600000 } ; } } Debugging import { setLogLevel , AzureLogger } from "@azure/logger" ; setLogLevel ( "verbose" ) ; // Custom log handler AzureLogger . log = ( ... args ) => { console . log ( "[Azure]" , ... args ) ; } ; Best Practices Use DefaultAzureCredential - Works in development (CLI) and production (managed identity) Never hardcode credentials - Use environment variables or managed identity Prefer managed identity - No secrets to manage in production Scope credentials appropriately - Use user-assigned identity for multi-tenant scenarios Handle token refresh - Azure SDK handles this automatically Use ChainedTokenCredential - For custom fallback scenarios When to Use This skill is applicable to execute the workflow or actions described in the overview.