Source from repo
Azure Cost Optimization Skill

Analyze and reduce Azure cloud costs by right-sizing resources, reservations, and spending policies
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
89.7 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
cost-optimization/auth-best-practices.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown129 linesFree
cost-optimization/auth-best-practices.md
1# Azure Authentication Best Practices
2 
3> Source: [Microsoft — Passwordless connections for Azure services](https://learn.microsoft.com/azure/developer/intro/passwordless-overview) and [Azure Identity client libraries](https://learn.microsoft.com/dotnet/azure/sdk/authentication/).
4 
5## Golden Rule
6 
7Use **managed identities** and **Azure RBAC** in production. Reserve `DefaultAzureCredential` for **local development only**.
8 
9## Authentication by Environment
10 
11| Environment | Recommended Credential | Why |
12|---|---|---|
13| **Production (Azure-hosted)** | `ManagedIdentityCredential` (system- or user-assigned) | No secrets to manage; auto-rotated by Azure |
14| **Production (on-premises)** | `ClientCertificateCredential` or `WorkloadIdentityCredential` | Deterministic; no fallback chain overhead |
15| **CI/CD pipelines** | `AzurePipelinesCredential` / `WorkloadIdentityCredential` | Scoped to pipeline identity |
16| **Local development** | `DefaultAzureCredential` | Chains CLI, PowerShell, and VS Code credentials for convenience |
17 
18## Why Not `DefaultAzureCredential` in Production?
19 
201. **Unpredictable fallback chain** — walks through multiple credential types, adding latency and making failures harder to diagnose.
212. **Broad surface area** — checks environment variables, CLI tokens, and other sources that should not exist in production.
223. **Non-deterministic** — which credential actually authenticates depends on the environment, making behavior inconsistent across deployments.
234. **Performance** — each failed credential attempt adds network round-trips before falling back to the next.
24 
25## Production Patterns
26 
27### .NET
28 
29```csharp
30using Azure.Identity;
31 
32var credential = Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
33    ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
34    : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
35// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
36```
37 
38### TypeScript / JavaScript
39 
40```typescript
41import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
42 
43const credential = process.env.NODE_ENV === "development"
44  ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
45  : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
46// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
47```
48 
49### Python
50 
51```python
52import os
53from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
54 
55credential = (
56    DefaultAzureCredential()                              # local dev — uses CLI/VS credentials
57    if os.getenv("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
58    else ManagedIdentityCredential()                      # production — deterministic, no fallback chain
59)
60# For user-assigned identity: ManagedIdentityCredential(client_id="<client-id>")
61```
62 
63### Java
64 
65```java
66import com.azure.identity.DefaultAzureCredentialBuilder;
67import com.azure.identity.ManagedIdentityCredentialBuilder;
68 
69var credential = "Development".equals(System.getenv("AZURE_FUNCTIONS_ENVIRONMENT"))
70    ? new DefaultAzureCredentialBuilder().build()          // local dev — uses CLI/VS credentials
71    : new ManagedIdentityCredentialBuilder().build();      // production — deterministic, no fallback chain
72// For user-assigned identity: new ManagedIdentityCredentialBuilder().clientId("<client-id>").build()
73```
74 
75## Local Development Setup
76 
77`DefaultAzureCredential` is ideal for local dev because it automatically picks up credentials from developer tools:
78 
791. **Azure CLI** — `az login`
802. **Azure Developer CLI** — `azd auth login`
813. **Azure PowerShell** — `Connect-AzAccount`
824. **Visual Studio / VS Code** — sign in via Azure extension
83 
84```typescript
85import { DefaultAzureCredential } from "@azure/identity";
86 
87// Local development only — uses CLI/PowerShell/VS Code credentials
88const credential = new DefaultAzureCredential();
89```
90 
91## Environment-Aware Pattern
92 
93Detect the runtime environment and select the appropriate credential. The key principle: use `DefaultAzureCredential` only when running locally, and a specific credential in production.
94 
95> **Tip:** Azure Functions sets `AZURE_FUNCTIONS_ENVIRONMENT` to `"Development"` when running locally. For App Service or containers, use any environment variable you control (e.g. `NODE_ENV`, `ASPNETCORE_ENVIRONMENT`).
96 
97```typescript
98import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
99 
100function getCredential() {
101  if (process.env.NODE_ENV === "development") {
102    return new DefaultAzureCredential();          // picks up az login / VS Code creds
103  }
104  return process.env.AZURE_CLIENT_ID
105    ? new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID)  // user-assigned
106    : new ManagedIdentityCredential();                            // system-assigned
107}
108```
109 
110## Security Checklist
111 
112- [ ] Use managed identity for all Azure-hosted apps
113- [ ] Never hardcode credentials, connection strings, or keys
114- [ ] Apply least-privilege RBAC roles at the narrowest scope
115- [ ] Use `ManagedIdentityCredential` (not `DefaultAzureCredential`) in production
116- [ ] Store any required secrets in Azure Key Vault
117- [ ] Rotate secrets and certificates on a schedule
118- [ ] Enable Microsoft Defender for Cloud on production resources
119 
120## Further Reading
121 
122- [Passwordless connections overview](https://learn.microsoft.com/azure/developer/intro/passwordless-overview)
123- [Managed identities overview](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
124- [Azure RBAC overview](https://learn.microsoft.com/azure/role-based-access-control/overview)
125- [.NET authentication guide](https://learn.microsoft.com/dotnet/azure/sdk/authentication/)
126- [Python identity library](https://learn.microsoft.com/python/api/overview/azure/identity-readme)
127- [JavaScript identity library](https://learn.microsoft.com/javascript/api/overview/azure/identity-readme)
128- [Java identity library](https://learn.microsoft.com/java/api/overview/azure/identity-readme)
129
Preparing the source view

Azure Cost Optimization Skill

cost-optimization/auth-best-practices.md
