Source from repo

GitHub Copilot SDK on Azure

Scaffold, build, and deploy GitHub Copilot SDK apps to Azure with optional BYOM model config

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

25.1 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/auth-best-practices.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown129 linesFree

references/auth-best-practices.md

1# Azure Authentication Best Practices
2 
3> Source: [Microsoft — Passwordless connections for Azure services](https://learn.microsoft.com/azure/developer/intro/passwordless-overview) and [Azure Identity client libraries](https://learn.microsoft.com/dotnet/azure/sdk/authentication/).
4 
5## Golden Rule
6 
7Use **managed identities** and **Azure RBAC** in production. Reserve `DefaultAzureCredential` for **local development only**.
8 
9## Authentication by Environment
10 
11| Environment | Recommended Credential | Why |
12|---|---|---|
13| **Production (Azure-hosted)** | `ManagedIdentityCredential` (system- or user-assigned) | No secrets to manage; auto-rotated by Azure |
14| **Production (on-premises)** | `ClientCertificateCredential` or `WorkloadIdentityCredential` | Deterministic; no fallback chain overhead |
15| **CI/CD pipelines** | `AzurePipelinesCredential` / `WorkloadIdentityCredential` | Scoped to pipeline identity |
16| **Local development** | `DefaultAzureCredential` | Chains CLI, PowerShell, and VS Code credentials for convenience |
17 
18## Why Not `DefaultAzureCredential` in Production?
19 
201. **Unpredictable fallback chain** — walks through multiple credential types, adding latency and making failures harder to diagnose.
212. **Broad surface area** — checks environment variables, CLI tokens, and other sources that should not exist in production.
223. **Non-deterministic** — which credential actually authenticates depends on the environment, making behavior inconsistent across deployments.
234. **Performance** — each failed credential attempt adds network round-trips before falling back to the next.
24 
25## Production Patterns
26 
27### .NET
28 
29```csharp
30using Azure.Identity;
31 
32var credential = Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
33    ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
34    : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
35// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
36```
37 
38### TypeScript / JavaScript
39 
40```typescript
41import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
42 
43const credential = process.env.NODE_ENV === "development"
44  ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
45  : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
46// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
47```
48 
49### Python
50 
51```python
52import os
53from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
54 
55credential = (
56    DefaultAzureCredential()                              # local dev — uses CLI/VS credentials
57    if os.getenv("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
58    else ManagedIdentityCredential()                      # production — deterministic, no fallback chain
59)
60# For user-assigned identity: ManagedIdentityCredential(client_id="<client-id>")
61```
62 
63### Java
64 
65```java
66import com.azure.identity.DefaultAzureCredentialBuilder;
67import com.azure.identity.ManagedIdentityCredentialBuilder;
68 
69var credential = "Development".equals(System.getenv("AZURE_FUNCTIONS_ENVIRONMENT"))
70    ? new DefaultAzureCredentialBuilder().build()          // local dev — uses CLI/VS credentials
71    : new ManagedIdentityCredentialBuilder().build();      // production — deterministic, no fallback chain
72// For user-assigned identity: new ManagedIdentityCredentialBuilder().clientId("<client-id>").build()
73```
74 
75## Local Development Setup
76 
77`DefaultAzureCredential` is ideal for local dev because it automatically picks up credentials from developer tools:
78 
791. **Azure CLI** — `az login`
802. **Azure Developer CLI** — `azd auth login`
813. **Azure PowerShell** — `Connect-AzAccount`
824. **Visual Studio / VS Code** — sign in via Azure extension
83 
84```typescript
85import { DefaultAzureCredential } from "@azure/identity";
86 
87// Local development only — uses CLI/PowerShell/VS Code credentials
88const credential = new DefaultAzureCredential();
89```
90 
91## Environment-Aware Pattern
92 
93Detect the runtime environment and select the appropriate credential. The key principle: use `DefaultAzureCredential` only when running locally, and a specific credential in production.
94 
95> **Tip:** Azure Functions sets `AZURE_FUNCTIONS_ENVIRONMENT` to `"Development"` when running locally. For App Service or containers, use any environment variable you control (e.g. `NODE_ENV`, `ASPNETCORE_ENVIRONMENT`).
96 
97```typescript
98import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
99 
100function getCredential() {
101  if (process.env.NODE_ENV === "development") {
102    return new DefaultAzureCredential();          // picks up az login / VS Code creds
103  }
104  return process.env.AZURE_CLIENT_ID
105    ? new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID)  // user-assigned
106    : new ManagedIdentityCredential();                            // system-assigned
107}
108```
109 
110## Security Checklist
111 
112- [ ] Use managed identity for all Azure-hosted apps
113- [ ] Never hardcode credentials, connection strings, or keys
114- [ ] Apply least-privilege RBAC roles at the narrowest scope
115- [ ] Use `ManagedIdentityCredential` (not `DefaultAzureCredential`) in production
116- [ ] Store any required secrets in Azure Key Vault
117- [ ] Rotate secrets and certificates on a schedule
118- [ ] Enable Microsoft Defender for Cloud on production resources
119 
120## Further Reading
121 
122- [Passwordless connections overview](https://learn.microsoft.com/azure/developer/intro/passwordless-overview)
123- [Managed identities overview](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
124- [Azure RBAC overview](https://learn.microsoft.com/azure/role-based-access-control/overview)
125- [.NET authentication guide](https://learn.microsoft.com/dotnet/azure/sdk/authentication/)
126- [Python identity library](https://learn.microsoft.com/python/api/overview/azure/identity-readme)
127- [JavaScript identity library](https://learn.microsoft.com/javascript/api/overview/azure/identity-readme)
128- [Java identity library](https://learn.microsoft.com/java/api/overview/azure/identity-readme)
129

Marketplace

Source from repo

GitHub Copilot SDK on Azure

Scaffold, build, and deploy GitHub Copilot SDK apps to Azure with optional BYOM model config

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

25.1 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/auth-best-practices.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown129 linesFree

references/auth-best-practices.md

1# Azure Authentication Best Practices
2 
3> Source: [Microsoft — Passwordless connections for Azure services](https://learn.microsoft.com/azure/developer/intro/passwordless-overview) and [Azure Identity client libraries](https://learn.microsoft.com/dotnet/azure/sdk/authentication/).
4 
5## Golden Rule
6 
7Use **managed identities** and **Azure RBAC** in production. Reserve `DefaultAzureCredential` for **local development only**.
8 
9## Authentication by Environment
10 
11| Environment | Recommended Credential | Why |
12|---|---|---|
13| **Production (Azure-hosted)** | `ManagedIdentityCredential` (system- or user-assigned) | No secrets to manage; auto-rotated by Azure |
14| **Production (on-premises)** | `ClientCertificateCredential` or `WorkloadIdentityCredential` | Deterministic; no fallback chain overhead |
15| **CI/CD pipelines** | `AzurePipelinesCredential` / `WorkloadIdentityCredential` | Scoped to pipeline identity |
16| **Local development** | `DefaultAzureCredential` | Chains CLI, PowerShell, and VS Code credentials for convenience |
17 
18## Why Not `DefaultAzureCredential` in Production?
19 
201. **Unpredictable fallback chain** — walks through multiple credential types, adding latency and making failures harder to diagnose.
212. **Broad surface area** — checks environment variables, CLI tokens, and other sources that should not exist in production.
223. **Non-deterministic** — which credential actually authenticates depends on the environment, making behavior inconsistent across deployments.
234. **Performance** — each failed credential attempt adds network round-trips before falling back to the next.
24 
25## Production Patterns
26 
27### .NET
28 
29```csharp
30using Azure.Identity;
31 
32var credential = Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
33    ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
34    : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
35// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
36```
37 
38### TypeScript / JavaScript
39 
40```typescript
41import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
42 
43const credential = process.env.NODE_ENV === "development"
44  ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
45  : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
46// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
47```
48 
49### Python
50 
51```python
52import os
53from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
54 
55credential = (
56    DefaultAzureCredential()                              # local dev — uses CLI/VS credentials
57    if os.getenv("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
58    else ManagedIdentityCredential()                      # production — deterministic, no fallback chain
59)
60# For user-assigned identity: ManagedIdentityCredential(client_id="<client-id>")
61```
62 
63### Java
64 
65```java
66import com.azure.identity.DefaultAzureCredentialBuilder;
67import com.azure.identity.ManagedIdentityCredentialBuilder;
68 
69var credential = "Development".equals(System.getenv("AZURE_FUNCTIONS_ENVIRONMENT"))
70    ? new DefaultAzureCredentialBuilder().build()          // local dev — uses CLI/VS credentials
71    : new ManagedIdentityCredentialBuilder().build();      // production — deterministic, no fallback chain
72// For user-assigned identity: new ManagedIdentityCredentialBuilder().clientId("<client-id>").build()
73```
74 
75## Local Development Setup
76 
77`DefaultAzureCredential` is ideal for local dev because it automatically picks up credentials from developer tools:
78 
791. **Azure CLI** — `az login`
802. **Azure Developer CLI** — `azd auth login`
813. **Azure PowerShell** — `Connect-AzAccount`
824. **Visual Studio / VS Code** — sign in via Azure extension
83 
84```typescript
85import { DefaultAzureCredential } from "@azure/identity";
86 
87// Local development only — uses CLI/PowerShell/VS Code credentials
88const credential = new DefaultAzureCredential();
89```
90 
91## Environment-Aware Pattern
92 
93Detect the runtime environment and select the appropriate credential. The key principle: use `DefaultAzureCredential` only when running locally, and a specific credential in production.
94 
95> **Tip:** Azure Functions sets `AZURE_FUNCTIONS_ENVIRONMENT` to `"Development"` when running locally. For App Service or containers, use any environment variable you control (e.g. `NODE_ENV`, `ASPNETCORE_ENVIRONMENT`).
96 
97```typescript
98import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
99 
100function getCredential() {
101  if (process.env.NODE_ENV === "development") {
102    return new DefaultAzureCredential();          // picks up az login / VS Code creds
103  }
104  return process.env.AZURE_CLIENT_ID
105    ? new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID)  // user-assigned
106    : new ManagedIdentityCredential();                            // system-assigned
107}
108```
109 
110## Security Checklist
111 
112- [ ] Use managed identity for all Azure-hosted apps
113- [ ] Never hardcode credentials, connection strings, or keys
114- [ ] Apply least-privilege RBAC roles at the narrowest scope
115- [ ] Use `ManagedIdentityCredential` (not `DefaultAzureCredential`) in production
116- [ ] Store any required secrets in Azure Key Vault
117- [ ] Rotate secrets and certificates on a schedule
118- [ ] Enable Microsoft Defender for Cloud on production resources
119 
120## Further Reading
121 
122- [Passwordless connections overview](https://learn.microsoft.com/azure/developer/intro/passwordless-overview)
123- [Managed identities overview](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
124- [Azure RBAC overview](https://learn.microsoft.com/azure/role-based-access-control/overview)
125- [.NET authentication guide](https://learn.microsoft.com/dotnet/azure/sdk/authentication/)
126- [Python identity library](https://learn.microsoft.com/python/api/overview/azure/identity-readme)
127- [JavaScript identity library](https://learn.microsoft.com/javascript/api/overview/azure/identity-readme)
128- [Java identity library](https://learn.microsoft.com/java/api/overview/azure/identity-readme)
129

GitHub Copilot SDK on Azure

references/auth-best-practices.md

Preparing the source view

GitHub Copilot SDK on Azure

references/auth-best-practices.md