Source from repo
Microsoft Foundry Skill

Build and deploy AI applications on Azure AI Foundry using Microsoft's model catalog and AI services
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
546.7 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/auth-best-practices.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown131 linesFree
references/auth-best-practices.md
1# Azure Authentication Best Practices
2 
3> Source: [Microsoft — Passwordless connections for Azure services](https://learn.microsoft.com/azure/developer/intro/passwordless-overview) and [Azure Identity client libraries](https://learn.microsoft.com/dotnet/azure/sdk/authentication/).
4 
5**Table of Contents:** [Golden Rule](#golden-rule) · [Authentication by Environment](#authentication-by-environment) · [Why Not DefaultAzureCredential in Production?](#why-not-defaultazurecredential-in-production) · [Production Patterns](#production-patterns) · [Local Development Setup](#local-development-setup) · [Environment-Aware Pattern](#environment-aware-pattern) · [Security Checklist](#security-checklist) · [Further Reading](#further-reading)
6 
7## Golden Rule
8 
9Use **managed identities** and **Azure RBAC** in production. Reserve `DefaultAzureCredential` for **local development only**.
10 
11## Authentication by Environment
12 
13| Environment | Recommended Credential | Why |
14|---|---|---|
15| **Production (Azure-hosted)** | `ManagedIdentityCredential` (system- or user-assigned) | No secrets to manage; auto-rotated by Azure |
16| **Production (on-premises)** | `ClientCertificateCredential` or `WorkloadIdentityCredential` | Deterministic; no fallback chain overhead |
17| **CI/CD pipelines** | `AzurePipelinesCredential` / `WorkloadIdentityCredential` | Scoped to pipeline identity |
18| **Local development** | `DefaultAzureCredential` | Chains CLI, PowerShell, and VS Code credentials for convenience |
19 
20## Why Not `DefaultAzureCredential` in Production?
21 
221. **Unpredictable fallback chain** — walks through multiple credential types, adding latency and making failures harder to diagnose.
232. **Broad surface area** — checks environment variables, CLI tokens, and other sources that should not exist in production.
243. **Non-deterministic** — which credential actually authenticates depends on the environment, making behavior inconsistent across deployments.
254. **Performance** — each failed credential attempt adds network round-trips before falling back to the next.
26 
27## Production Patterns
28 
29### .NET
30 
31```csharp
32using Azure.Identity;
33 
34var credential = Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
35    ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
36    : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
37// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
38```
39 
40### TypeScript / JavaScript
41 
42```typescript
43import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
44 
45const credential = process.env.NODE_ENV === "development"
46  ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
47  : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
48// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
49```
50 
51### Python
52 
53```python
54import os
55from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
56 
57credential = (
58    DefaultAzureCredential()                              # local dev — uses CLI/VS credentials
59    if os.getenv("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
60    else ManagedIdentityCredential()                      # production — deterministic, no fallback chain
61)
62# For user-assigned identity: ManagedIdentityCredential(client_id="<client-id>")
63```
64 
65### Java
66 
67```java
68import com.azure.identity.DefaultAzureCredentialBuilder;
69import com.azure.identity.ManagedIdentityCredentialBuilder;
70 
71var credential = "Development".equals(System.getenv("AZURE_FUNCTIONS_ENVIRONMENT"))
72    ? new DefaultAzureCredentialBuilder().build()          // local dev — uses CLI/VS credentials
73    : new ManagedIdentityCredentialBuilder().build();      // production — deterministic, no fallback chain
74// For user-assigned identity: new ManagedIdentityCredentialBuilder().clientId("<client-id>").build()
75```
76 
77## Local Development Setup
78 
79`DefaultAzureCredential` is ideal for local dev because it automatically picks up credentials from developer tools:
80 
811. **Azure CLI** — `az login`
822. **Azure Developer CLI** — `azd auth login`
833. **Azure PowerShell** — `Connect-AzAccount`
844. **Visual Studio / VS Code** — sign in via Azure extension
85 
86```typescript
87import { DefaultAzureCredential } from "@azure/identity";
88 
89// Local development only — uses CLI/PowerShell/VS Code credentials
90const credential = new DefaultAzureCredential();
91```
92 
93## Environment-Aware Pattern
94 
95Detect the runtime environment and select the appropriate credential. The key principle: use `DefaultAzureCredential` only when running locally, and a specific credential in production.
96 
97> **Tip:** Azure Functions sets `AZURE_FUNCTIONS_ENVIRONMENT` to `"Development"` when running locally. For App Service or containers, use any environment variable you control (e.g. `NODE_ENV`, `ASPNETCORE_ENVIRONMENT`).
98 
99```typescript
100import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
101 
102function getCredential() {
103  if (process.env.NODE_ENV === "development") {
104    return new DefaultAzureCredential();          // picks up az login / VS Code creds
105  }
106  return process.env.AZURE_CLIENT_ID
107    ? new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID)  // user-assigned
108    : new ManagedIdentityCredential();                            // system-assigned
109}
110```
111 
112## Security Checklist
113 
114- [ ] Use managed identity for all Azure-hosted apps
115- [ ] Never hardcode credentials, connection strings, or keys
116- [ ] Apply least-privilege RBAC roles at the narrowest scope
117- [ ] Use `ManagedIdentityCredential` (not `DefaultAzureCredential`) in production
118- [ ] Store any required secrets in Azure Key Vault
119- [ ] Rotate secrets and certificates on a schedule
120- [ ] Enable Microsoft Defender for Cloud on production resources
121 
122## Further Reading
123 
124- [Passwordless connections overview](https://learn.microsoft.com/azure/developer/intro/passwordless-overview)
125- [Managed identities overview](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
126- [Azure RBAC overview](https://learn.microsoft.com/azure/role-based-access-control/overview)
127- [.NET authentication guide](https://learn.microsoft.com/dotnet/azure/sdk/authentication/)
128- [Python identity library](https://learn.microsoft.com/python/api/overview/azure/identity-readme)
129- [JavaScript identity library](https://learn.microsoft.com/javascript/api/overview/azure/identity-readme)
130- [Java identity library](https://learn.microsoft.com/java/api/overview/azure/identity-readme)
131
Preparing the source view

Microsoft Foundry Skill

references/auth-best-practices.md
