Skill

azure-identity-py

Authenticates Python Azure SDK clients using DefaultAzureCredential chain, managed identities, service principals, CLI credentials, and token caching.

Python

Azure

authentication

backend

From antigravity-bundle-azure-ai-cloud

Install

Run in your terminal

npx claudepluginhub sickn33/antigravity-awesome-skills --plugin antigravity-bundle-azure-ai-cloud

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

cache-components

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

138.6k

claude-opus-4-5-migration

2 files

Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.

claude-opus-4-5-migration

83.2k

evaluation-methodology

1 file

Details PluginEval's skill quality evaluation: 3 layers (static, LLM judge), 10 dimensions, rubrics, formulas, anti-patterns, badges. Use to interpret scores, improve triggering, calibrate thresholds.

plugin-eval

32.9k

Stats

Parent Repo Stars30783

Parent Repo Forks5139

Last CommitMar 27, 2026

Actions

View Source View Plugin View on GitHub View README

Azure Identity SDK for Python

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).

Installation

pip install azure-identity

Environment Variables

# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>

DefaultAzureCredential

The recommended credential for most scenarios. Tries multiple authentication methods in order:

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Works in local dev AND production without code changes
credential = DefaultAzureCredential()

client = BlobServiceClient(
    account_url="https://<account>.blob.core.windows.net",
    credential=credential
)

Credential Chain Order

Order	Credential	Environment
1	EnvironmentCredential	CI/CD, containers
2	WorkloadIdentityCredential	Kubernetes
3	ManagedIdentityCredential	Azure VMs, App Service, Functions
4	SharedTokenCacheCredential	Windows only
5	VisualStudioCodeCredential	VS Code with Azure extension
6	AzureCliCredential	`az login`
7	AzurePowerShellCredential	`Connect-AzAccount`
8	AzureDeveloperCliCredential	`azd auth login`

Customizing DefaultAzureCredential

# Exclude credentials you don't need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="<user-assigned-mi-client-id>"  # For user-assigned MI
)

# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False
)

Specific Credential Types

ManagedIdentityCredential

For Azure-hosted resources (VMs, App Service, Functions, AKS):

from azure.identity import ManagedIdentityCredential

# System-assigned managed identity
credential = ManagedIdentityCredential()

# User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="<user-assigned-mi-client-id>"
)

ClientSecretCredential

For service principal with secret:

from azure.identity import ClientSecretCredential

credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)

AzureCliCredential

Uses the account from az login:

from azure.identity import AzureCliCredential

credential = AzureCliCredential()

ChainedTokenCredential

Custom credential chain:

from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential
)

# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
    AzureCliCredential()
)

Credential Types Table

Credential	Use Case	Auth Method
`DefaultAzureCredential`	Most scenarios	Auto-detect
`ManagedIdentityCredential`	Azure-hosted apps	Managed Identity
`ClientSecretCredential`	Service principal	Client secret
`ClientCertificateCredential`	Service principal	Certificate
`AzureCliCredential`	Local development	Azure CLI
`AzureDeveloperCliCredential`	Local development	Azure Developer CLI
`InteractiveBrowserCredential`	User sign-in	Browser OAuth
`DeviceCodeCredential`	Headless/SSH	Device code flow

Getting Tokens Directly

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

# Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")

# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")

Async Client

from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient

async def main():
    credential = DefaultAzureCredential()
    
    async with BlobServiceClient(
        account_url="https://<account>.blob.core.windows.net",
        credential=credential
    ) as client:
        # ... async operations
        pass
    
    await credential.close()

Best Practices

Use DefaultAzureCredential for code that runs locally and in Azure
Never hardcode credentials — use environment variables or managed identity
Prefer managed identity in production Azure deployments
Use ChainedTokenCredential when you need a custom credential order
Close async credentials explicitly or use context managers
Set AZURE_CLIENT_ID for user-assigned managed identities
Exclude unused credentials to speed up authentication

When to Use

This skill is applicable to execute the workflow or actions described in the overview.