EnvironmentCredential Class
A credential configured by environment variables.
This credential is capable of authenticating as a service principal using a client secret or a certificate, or as a user with a username and password. Configuration is attempted in this order, using these environment variables:
Service principal with secret:
AZURE_TENANT_ID: ID of the service principal's tenant. Also called its 'directory' ID.
AZURE_CLIENT_ID: the service principal's client ID
AZURE_CLIENT_SECRET: one of the service principal's client secrets
AZURE_AUTHORITY_HOST: authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud, which is the default when no value is given.
Service principal with certificate:
AZURE_TENANT_ID: ID of the service principal's tenant. Also called its 'directory' ID.
AZURE_CLIENT_ID: the service principal's client ID
AZURE_CLIENT_CERTIFICATE_PATH: path to a PEM or PKCS12 certificate file including the private key.
AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) password of the certificate file, if any.
AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: (optional) If True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False.
AZURE_AUTHORITY_HOST: authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud, which is the default when no value is given.
User with username and password: Deprecated: Username and password authentication doesn't support multifactor authentication (MFA). For more details on Microsoft Entra MFA enforcement, see https://aka.ms/azsdk/identity/mfa.
AZURE_CLIENT_ID: the application's client ID
AZURE_USERNAME: a username (usually an email address)
AZURE_PASSWORD: that user's password
AZURE_TENANT_ID: (optional) ID of the service principal's tenant. Also called its 'directory' ID. If not provided, defaults to the 'organizations' tenant, which supports only Microsoft Entra work or school accounts.
AZURE_AUTHORITY_HOST: authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud, which is the default when no value is given.
Constructor
EnvironmentCredential(**kwargs: Any)Examples
Create an EnvironmentCredential.
from azure.identity import EnvironmentCredential
credential = EnvironmentCredential()
Methods
| close |
Close the credential's transport session. |
| get_token |
Request an access token for scopes. This method is called automatically by Azure SDK clients. |
| get_token_info |
Request an access token for scopes. This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. |
close
Close the credential's transport session.
close() -> Noneget_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessTokenParameters
| Name | Description |
|---|---|
|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
claims
|
additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. |
|
tenant_id
|
optional tenant to include in the token request. |
Returns
| Type | Description |
|---|---|
|
An access token with the desired scopes. |
Exceptions
| Type | Description |
|---|---|
|
environment variable configuration is incomplete |
get_token_info
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfoParameters
| Name | Description |
|---|---|
|
scopes
Required
|
desired scope for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
options
|
A dictionary of options for the token request. Unknown options will be ignored. Optional. |
Returns
| Type | Description |
|---|---|
|
An AccessTokenInfo instance containing information about the token. |
Exceptions
| Type | Description |
|---|---|
|
environment variable configuration is incomplete. |
Azure SDK for Python