Authentication

How to use DefaultAzureCredential across multiple tenants
If you are using the DefaultAzureCredential class from the Azure Identity SDK while your user account is associated with multiple tenants, you may find yourself frequently running into API authentication errors (such as HTTP 401/Unauthorized). This post is for you! These are your two options for successful authentication from a non-default tenant:

1. Set up your environment precisely to force DefaultAzureCredential to use the desired tenant
2. Use a specific credential class and explicitly pass in the desired tenant ID

Option 1: Get DefaultAzureCredential working

The DefaultAzureCredential class is a credential chain, which means that it tries a sequence of credential classes until it finds one that can authenticate successfully. The current sequence is:

- EnvironmentCredential
- WorkloadIdentityCredential
- ManagedIdentityCredential
- SharedTokenCacheCredential
- AzureCliCredential
- AzurePowerShellCredential
- AzureDeveloperCliCredential
- InteractiveBrowserCredential

For example, on my personal machine, only two of those credentials can retrieve tokens:

- AzureCliCredential: from logging in with Azure CLI (az login)
- AzureDeveloperCliCredential: from logging in with Azure Developer CLI (azd auth login)

Many developers are logged in with those two credentials, so it's crucial to understand how this chained credential works. The AzureCliCredential is earlier in the chain, so if you are logged in with that, you must have the desired tenant set as the "active tenant". According to the Azure CLI documentation, there are two ways to set the active tenant:

- az account set --subscription SUBSCRIPTION-ID, where the subscription belongs to the desired tenant
- az login --tenant TENANT-ID, with no subsequent az login commands after it

Whichever option you choose, you can confirm that your desired tenant is currently the default by running az account show and verifying the tenantId in the account details shown.
If you are only logged in with the azd CLI and not the Azure CLI, you have a problem: the azd CLI does not currently have a way to set the active tenant. If that credential is called with no additional information, azd assumes your home tenant, which may not be what you want. The azd credential does check for an environment variable called AZURE_TENANT_ID, however, so you can try setting that in your environment before running code that uses DefaultAzureCredential. That should work as long as the DefaultAzureCredential code is truly running in the same environment where AZURE_TENANT_ID has been set.

Option 2: Use specific credentials

For this second option, we will abandon DefaultAzureCredential entirely and replace it with specific credential classes. This approach requires a code change, but once you've gone through the effort to set it up, it's generally a more predictable experience.

Use CLI credential for local dev

Several of the credential classes allow you to explicitly pass in a tenant ID, including both AzureCliCredential and AzureDeveloperCliCredential. If you know that you're always going to be logging in with a specific CLI, you can change your code to that credential. For example, in the Python SDK:

```python
import os
from azure.identity import AzureDeveloperCliCredential

AzureDeveloperCliCredential(tenant_id=os.environ["AZURE_TENANT_ID"])
```

For more flexibility, you can use conditionals to only pass in a tenant ID if one is set in the environment:

```python
import os
from azure.identity import AzureDeveloperCliCredential

# os.environ is a mapping, so read it with .get() rather than calling it
if AZURE_TENANT_ID := os.environ.get("AZURE_TENANT_ID"):
    cred = AzureDeveloperCliCredential(tenant_id=AZURE_TENANT_ID)
else:
    cred = AzureDeveloperCliCredential()
```

Tip: As a best practice, I always like to add logging statements that note exactly what credential I'm calling and whether I'm passing in a tenant ID, to help me spot misconfigurations from the logs.

Use managed identity credential in production

You must be careful when replacing DefaultAzureCredential if your code will also be deployed to a production host.
In that case, your code was previously relying on DefaultAzureCredential using the ManagedIdentityCredential in the chain, and you now need to call that credential class directly. You will also need to pass in the managed identity client ID if your host is using a user-assigned identity instead of a system-assigned identity. For example, using managed identity in the Python SDK with a user-assigned identity:

```python
import os
from azure.identity import ManagedIdentityCredential

ManagedIdentityCredential(client_id=os.environ["AZURE_CLIENT_ID"])
```

Here's a full credential setup for an app that works locally with azd and works in production with managed identity (either system- or user-assigned):

```python
import os
from azure.identity import AzureDeveloperCliCredential, ManagedIdentityCredential

# RUNNING_ON_AZURE is whatever flag your app uses to detect the production host
if RUNNING_ON_AZURE:
    if AZURE_CLIENT_ID := os.getenv("AZURE_CLIENT_ID"):
        cred = ManagedIdentityCredential(client_id=AZURE_CLIENT_ID)
    else:
        cred = ManagedIdentityCredential()
elif AZURE_TENANT_ID := os.getenv("AZURE_TENANT_ID"):
    cred = AzureDeveloperCliCredential(tenant_id=AZURE_TENANT_ID)
else:
    cred = AzureDeveloperCliCredential()
```

For a full walkthrough of an end-to-end template that uses keyless auth in multiple languages, check out my colleague's tutorials on using keyless auth in AI apps.

Unlock the Future of Secure Authentication: Moving to Keyless Authentication with Managed Identity
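Rounding off the DefaultAzureCredential post above, here is an added example (not code from the original post) that keeps the credential decision in a testable function, logs it as the post's tip recommends, and adds a diagnostic that reads the tid claim of an issued token so a tenant mismatch behind a 401 shows up in the logs. It assumes RUNNING_ON_AZURE is an environment variable set only on the Azure host, that the azure-identity package is installed, and uses a constructed, unsigned sample token.

```python
import base64
import json
import logging
import os

log = logging.getLogger("auth")


def choose_credential(env):
    """Decide which azure-identity class to use from environment variables.

    Mirrors the post's setup: ManagedIdentityCredential on Azure (user-assigned
    if AZURE_CLIENT_ID is set), AzureDeveloperCliCredential locally (pinned to
    AZURE_TENANT_ID if set). Returns (class_name, kwargs) so the decision can be
    logged and unit-tested without the SDK or the network.
    """
    if env.get("RUNNING_ON_AZURE"):  # assumption: a flag present only on the Azure host
        client_id = env.get("AZURE_CLIENT_ID")
        return "ManagedIdentityCredential", ({"client_id": client_id} if client_id else {})
    tenant_id = env.get("AZURE_TENANT_ID")
    return "AzureDeveloperCliCredential", ({"tenant_id": tenant_id} if tenant_id else {})


def build_credential(env=None):
    """Instantiate the chosen class, logging exactly which one and with which IDs."""
    name, kwargs = choose_credential(os.environ if env is None else env)
    log.info("creating %s with %s", name, kwargs or "no explicit IDs")
    import azure.identity  # lazy import: the selection logic above needs no SDK
    return getattr(azure.identity, name)(**kwargs)


def token_tenant(jwt):
    """Return the 'tid' claim of a JWT. The signature is NOT verified.

    Diagnostic only: use it to see which tenant actually issued a token when a
    request comes back 401, never to make an authorization decision.
    """
    payload = jwt.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded)).get("tid")


def tenant_matches(jwt, expected_tenant):
    """Log a warning and return False when the token came from the wrong tenant."""
    actual = token_tenant(jwt)
    if actual != expected_tenant:
        log.warning("token issued by tenant %s, expected %s", actual, expected_tenant)
    return actual == expected_tenant


# Constructed, unsigned sample token with fake claims, for offline demonstration only.
SAMPLE_TID = "00000000-0000-0000-0000-0000000000aa"
SAMPLE_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).decode().rstrip("=")
    for p in ({"alg": "none"}, {"tid": SAMPLE_TID, "aud": "api://sample"})
) + ".nosig"
```

In a real run, pass the string returned by cred.get_token(...).token to tenant_matches together with the tenant you intended, and the warning line tells you immediately whether the CLI's active tenant was the wrong one.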
Why Managed Identity?

Traditional authentication methods often rely on keys, secrets, and passwords that can be easily compromised. Managed identity, on the other hand, provides a secure and seamless way to authenticate without the need for managing credentials. By leveraging managed identity, you can:

- Reduce the Risk of Compromise: As most security breaches start from identity-related issues, moving to a keyless authentication system significantly reduces the chances of such compromises.
- Simplify Credential Management: Managed identity eliminates the need for managing keys and secrets, making the authentication process more straightforward and less error-prone.
- Enhance Security: With managed identity, your applications are granted access to resources securely, without the risk of exposing sensitive credentials.

Getting Started with Managed Identity

To help you get started with managed identity, Microsoft offers comprehensive training modules for different programming languages. These modules cover the basics of using managed identity to authenticate to Azure OpenAI, providing you with the knowledge and skills needed to implement secure authentication in your applications.

Available Microsoft Learn Training Modules:

- Introduction to using Managed Identity to authenticate to Azure OpenAI with .NET - Training | Microsoft Learn
- Introduction to Azure OpenAI Managed Identity Authentication with Java - Training | Microsoft Learn
- Introduction to Azure OpenAI Managed Identity Authentication with Python - Training | Microsoft Learn
- Introduction to Azure OpenAI Managed Identity Authentication with JavaScript - Training | Microsoft Learn

Why Should Students Learn Managed Identity?

As a student, learning about managed identity and keyless authentication is not just about enhancing your technical skills; it's about preparing for the future.
Here are a few reasons why you should dive into managed identity:

- Stay Ahead in the Job Market: With cybersecurity being a top priority for organizations, having expertise in secure authentication methods like managed identity will make you a valuable asset to potential employers.
- Build Secure Applications: By implementing managed identity, you can build applications that are more secure, reliable, and less susceptible to breaches.
- Understand Modern Security Practices: Gaining knowledge about managed identity and keyless authentication will give you a deeper understanding of modern security practices and how to protect applications in today's digital landscape.

Conclusion

In conclusion, moving to keyless authentication through managed identity is a game-changer for securing applications. As students and future developers, embracing this technology will not only enhance your skills but also contribute to building a safer and more secure digital world. So, take the first step today by exploring the training modules and mastering the art of managed identity!

Seamless Identity Integration: Azure API Management with Azure AD B2C (AADB2C)
Azure API Management (APIM) is a robust platform for managing and securing your APIs. In this blog post, we will guide you through integrating Azure API Management with Azure Active Directory B2C (AADB2C) for identity management. This integration enhances the security of your APIs by requiring user authentication before access is granted. We will break down the process into three key steps: setting up the Developer Portal to use AADB2C, configuring APIM to use OAuth 2.0 for authorization, and implementing token validation to ensure secure access.

How to integrate Microsoft User Authentication using Microsoft Entra ID: A Step-by-Step Guide to Use
Microsoft Entra ID, also known as Azure AD (Active Directory), offers numerous advantages. Whether you're prioritizing security or seeking a well-organized and automated user management system, this tool is your go-to for building a secure authentication system, be it for a web app, mobile app, or any other application.

Revolutionize Your Student Project App Authentication with a PowerApps Login App Sample
Meet Seth Addo, a Gold Microsoft Learn Student Ambassador and Computer Science student at the University of Cape Coast, Ghana. Seth has developed a fantastic PowerApps app sample for performing basic authentication in a Power Platform application. In this app, users can enter their login credentials, which are compared with a table containing usernames and passwords. If the entered credentials match, users are granted access to a protected area of the application. This approach can be extended with additional functionality like password reset and multi-factor authentication to enhance application security. Try the PowerApps Login app today for a simple and secure way to log into your applications.