Source from repo
Microsoft Foundry Skill

Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
546.6 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/auth-best-practices.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown131 linesFree
references/auth-best-practices.md
1# Azure Authentication Best Practices
2 
3> Source: [Microsoft — Passwordless connections for Azure services](https://learn.microsoft.com/azure/developer/intro/passwordless-overview) and [Azure Identity client libraries](https://learn.microsoft.com/dotnet/azure/sdk/authentication/).
4 
5**Table of Contents:** [Golden Rule](#golden-rule) · [Authentication by Environment](#authentication-by-environment) · [Why Not DefaultAzureCredential in Production?](#why-not-defaultazurecredential-in-production) · [Production Patterns](#production-patterns) · [Local Development Setup](#local-development-setup) · [Environment-Aware Pattern](#environment-aware-pattern) · [Security Checklist](#security-checklist) · [Further Reading](#further-reading)
6 
7## Golden Rule
8 
9Use **managed identities** and **Azure RBAC** in production. Reserve `DefaultAzureCredential` for **local development only**.
10 
11## Authentication by Environment
12 
13| Environment | Recommended Credential | Why |
14|---|---|---|
15| **Production (Azure-hosted)** | `ManagedIdentityCredential` (system- or user-assigned) | No secrets to manage; auto-rotated by Azure |
16| **Production (on-premises)** | `ClientCertificateCredential` or `WorkloadIdentityCredential` | Deterministic; no fallback chain overhead |
17| **CI/CD pipelines** | `AzurePipelinesCredential` / `WorkloadIdentityCredential` | Scoped to pipeline identity |
18| **Local development** | `DefaultAzureCredential` | Chains CLI, PowerShell, and VS Code credentials for convenience |
19 
20## Why Not `DefaultAzureCredential` in Production?
21 
221. **Unpredictable fallback chain** — walks through multiple credential types, adding latency and making failures harder to diagnose.
232. **Broad surface area** — checks environment variables, CLI tokens, and other sources that should not exist in production.
243. **Non-deterministic** — which credential actually authenticates depends on the environment, making behavior inconsistent across deployments.
254. **Performance** — each failed credential attempt adds network round-trips before falling back to the next.
26 
27## Production Patterns
28 
29### .NET
30 
31```csharp
32using Azure.Identity;
33 
34var credential = Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
35    ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
36    : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
37// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
38```
39 
40### TypeScript / JavaScript
41 
42```typescript
43import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
44 
45const credential = process.env.NODE_ENV === "development"
46  ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
47  : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
48// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
49```
50 
51### Python
52 
53```python
54import os
55from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
56 
57credential = (
58    DefaultAzureCredential()                              # local dev — uses CLI/VS credentials
59    if os.getenv("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
60    else ManagedIdentityCredential()                      # production — deterministic, no fallback chain
61)
62# For user-assigned identity: ManagedIdentityCredential(client_id="<client-id>")
63```
64 
65### Java
66 
67```java
68import com.azure.identity.DefaultAzureCredentialBuilder;
69import com.azure.identity.ManagedIdentityCredentialBuilder;
70 
71var credential = "Development".equals(System.getenv("AZURE_FUNCTIONS_ENVIRONMENT"))
72    ? new DefaultAzureCredentialBuilder().build()          // local dev — uses CLI/VS credentials
73    : new ManagedIdentityCredentialBuilder().build();      // production — deterministic, no fallback chain
74// For user-assigned identity: new ManagedIdentityCredentialBuilder().clientId("<client-id>").build()
75```
76 
77## Local Development Setup
78 
79`DefaultAzureCredential` is ideal for local dev because it automatically picks up credentials from developer tools:
80 
811. **Azure CLI** — `az login`
822. **Azure Developer CLI** — `azd auth login`
833. **Azure PowerShell** — `Connect-AzAccount`
844. **Visual Studio / VS Code** — sign in via Azure extension
85 
86```typescript
87import { DefaultAzureCredential } from "@azure/identity";
88 
89// Local development only — uses CLI/PowerShell/VS Code credentials
90const credential = new DefaultAzureCredential();
91```
92 
93## Environment-Aware Pattern
94 
95Detect the runtime environment and select the appropriate credential. The key principle: use `DefaultAzureCredential` only when running locally, and a specific credential in production.
96 
97> **Tip:** Azure Functions sets `AZURE_FUNCTIONS_ENVIRONMENT` to `"Development"` when running locally. For App Service or containers, use any environment variable you control (e.g. `NODE_ENV`, `ASPNETCORE_ENVIRONMENT`).
98 
99```typescript
100import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
101 
102function getCredential() {
103  if (process.env.NODE_ENV === "development") {
104    return new DefaultAzureCredential();          // picks up az login / VS Code creds
105  }
106  return process.env.AZURE_CLIENT_ID
107    ? new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID)  // user-assigned
108    : new ManagedIdentityCredential();                            // system-assigned
109}
110```
111 
112## Security Checklist
113 
114- [ ] Use managed identity for all Azure-hosted apps
115- [ ] Never hardcode credentials, connection strings, or keys
116- [ ] Apply least-privilege RBAC roles at the narrowest scope
117- [ ] Use `ManagedIdentityCredential` (not `DefaultAzureCredential`) in production
118- [ ] Store any required secrets in Azure Key Vault
119- [ ] Rotate secrets and certificates on a schedule
120- [ ] Enable Microsoft Defender for Cloud on production resources
121 
122## Further Reading
123 
124- [Passwordless connections overview](https://learn.microsoft.com/azure/developer/intro/passwordless-overview)
125- [Managed identities overview](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
126- [Azure RBAC overview](https://learn.microsoft.com/azure/role-based-access-control/overview)
127- [.NET authentication guide](https://learn.microsoft.com/dotnet/azure/sdk/authentication/)
128- [Python identity library](https://learn.microsoft.com/python/api/overview/azure/identity-readme)
129- [JavaScript identity library](https://learn.microsoft.com/javascript/api/overview/azure/identity-readme)
130- [Java identity library](https://learn.microsoft.com/java/api/overview/azure/identity-readme)
131
Preparing the source view

Microsoft Foundry Skill

references/auth-best-practices.md
