azure-identity-java
Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).
38 stars
Best use case
azure-identity-java is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).
Teams using azure-identity-java should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/azure-identity-java/SKILL.md --create-dirs "https://raw.githubusercontent.com/lingxling/awesome-skills-cn/main/antigravity-awesome-skills/plugins/antigravity-awesome-skills-claude/skills/azure-identity-java/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/azure-identity-java/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How azure-identity-java Compares
| Feature / Agent | azure-identity-java | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Azure Identity (Java)
Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).
## Installation
```xml
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
<version>1.15.0</version>
</dependency>
```
## Key Concepts
| Credential | Use Case |
|------------|----------|
| `DefaultAzureCredential` | **Recommended** - Works in dev and production |
| `ManagedIdentityCredential` | Azure-hosted apps (App Service, Functions, VMs) |
| `EnvironmentCredential` | CI/CD pipelines with env vars |
| `ClientSecretCredential` | Service principals with secret |
| `ClientCertificateCredential` | Service principals with certificate |
| `AzureCliCredential` | Local dev using `az login` |
| `InteractiveBrowserCredential` | Interactive login flow |
| `DeviceCodeCredential` | Headless device authentication |
## DefaultAzureCredential (Recommended)
The `DefaultAzureCredential` tries multiple authentication methods in order:
1. Environment variables
2. Workload Identity
3. Managed Identity
4. Azure CLI
5. Azure PowerShell
6. Azure Developer CLI
```java
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
// Simple usage
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
// Use with any Azure client
BlobServiceClient blobClient = new BlobServiceClientBuilder()
.endpoint("https://<storage-account>.blob.core.windows.net")
.credential(credential)
.buildClient();
KeyClient keyClient = new KeyClientBuilder()
.vaultUrl("https://<vault-name>.vault.azure.net")
.credential(credential)
.buildClient();
```
### Configure DefaultAzureCredential
```java
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("<user-assigned-identity-client-id>") // For user-assigned MI
.tenantId("<tenant-id>") // Limit to specific tenant
.excludeEnvironmentCredential() // Skip env vars
.excludeAzureCliCredential() // Skip Azure CLI
.build();
```
## Managed Identity
For Azure-hosted applications (App Service, Functions, AKS, VMs).
```java
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
// System-assigned managed identity
ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
.build();
// User-assigned managed identity (by client ID)
ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
.clientId("<user-assigned-client-id>")
.build();
// User-assigned managed identity (by resource ID)
ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
.resourceId("/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>")
.build();
```
## Service Principal with Secret
```java
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
ClientSecretCredential credential = new ClientSecretCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.clientSecret("<client-secret>")
.build();
```
## Service Principal with Certificate
```java
import com.azure.identity.ClientCertificateCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;
// From PEM file
ClientCertificateCredential credential = new ClientCertificateCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.pemCertificate("<path-to-cert.pem>")
.build();
// From PFX file with password
ClientCertificateCredential credential = new ClientCertificateCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.pfxCertificate("<path-to-cert.pfx>", "<pfx-password>")
.build();
// Send certificate chain for SNI
ClientCertificateCredential credential = new ClientCertificateCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.pemCertificate("<path-to-cert.pem>")
.sendCertificateChain(true)
.build();
```
## Environment Credential
Reads credentials from environment variables.
```java
import com.azure.identity.EnvironmentCredential;
import com.azure.identity.EnvironmentCredentialBuilder;
EnvironmentCredential credential = new EnvironmentCredentialBuilder().build();
```
### Required Environment Variables
**For service principal with secret:**
```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_SECRET=<client-secret>
```
**For service principal with certificate:**
```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pem
AZURE_CLIENT_CERTIFICATE_PASSWORD=<optional-password>
```
**For username/password:**
```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_USERNAME=<username>
AZURE_PASSWORD=<password>
```
## Azure CLI Credential
For local development using `az login`.
```java
import com.azure.identity.AzureCliCredential;
import com.azure.identity.AzureCliCredentialBuilder;
AzureCliCredential credential = new AzureCliCredentialBuilder()
.tenantId("<tenant-id>") // Optional: specific tenant
.build();
```
## Interactive Browser
For desktop applications requiring user login.
```java
import com.azure.identity.InteractiveBrowserCredential;
import com.azure.identity.InteractiveBrowserCredentialBuilder;
InteractiveBrowserCredential credential = new InteractiveBrowserCredentialBuilder()
.clientId("<client-id>")
.redirectUrl("http://localhost:8080") // Must match app registration
.build();
```
## Device Code
For headless devices (IoT, CLI tools).
```java
import com.azure.identity.DeviceCodeCredential;
import com.azure.identity.DeviceCodeCredentialBuilder;
DeviceCodeCredential credential = new DeviceCodeCredentialBuilder()
.clientId("<client-id>")
.challengeConsumer(challenge -> {
// Display to user
System.out.println(challenge.getMessage());
})
.build();
```
## Chained Credential
Create custom authentication chains.
```java
import com.azure.identity.ChainedTokenCredential;
import com.azure.identity.ChainedTokenCredentialBuilder;
ChainedTokenCredential credential = new ChainedTokenCredentialBuilder()
.addFirst(new ManagedIdentityCredentialBuilder().build())
.addLast(new AzureCliCredentialBuilder().build())
.build();
```
## Workload Identity (AKS)
For Azure Kubernetes Service with workload identity.
```java
import com.azure.identity.WorkloadIdentityCredential;
import com.azure.identity.WorkloadIdentityCredentialBuilder;
// Reads from AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE
WorkloadIdentityCredential credential = new WorkloadIdentityCredentialBuilder().build();
// Or explicit configuration
WorkloadIdentityCredential credential = new WorkloadIdentityCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.tokenFilePath("/var/run/secrets/azure/tokens/azure-identity-token")
.build();
```
## Token Caching
Enable persistent token caching for better performance.
```java
// Enable token caching (in-memory by default)
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
.enableAccountIdentifierLogging()
.build();
// With shared token cache (for multi-credential scenarios)
SharedTokenCacheCredential credential = new SharedTokenCacheCredentialBuilder()
.clientId("<client-id>")
.build();
```
## Sovereign Clouds
```java
import com.azure.identity.AzureAuthorityHosts;
// Azure Government
DefaultAzureCredential govCredential = new DefaultAzureCredentialBuilder()
.authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)
.build();
// Azure China
DefaultAzureCredential chinaCredential = new DefaultAzureCredentialBuilder()
.authorityHost(AzureAuthorityHosts.AZURE_CHINA)
.build();
```
## Error Handling
```java
import com.azure.identity.CredentialUnavailableException;
import com.azure.core.exception.ClientAuthenticationException;
try {
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
AccessToken token = credential.getToken(new TokenRequestContext()
.addScopes("https://management.azure.com/.default"));
} catch (CredentialUnavailableException e) {
// No credential could authenticate
System.out.println("Authentication failed: " + e.getMessage());
} catch (ClientAuthenticationException e) {
// Authentication error (wrong credentials, expired, etc.)
System.out.println("Auth error: " + e.getMessage());
}
```
## Logging
Enable authentication logging for debugging.
```java
// Via environment variable
// AZURE_LOG_LEVEL=verbose
// Or programmatically
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
.enableAccountIdentifierLogging() // Log account info
.build();
```
## Environment Variables
```bash
# DefaultAzureCredential configuration
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_SECRET=<client-secret>
# Managed Identity
AZURE_CLIENT_ID=<user-assigned-mi-client-id>
# Workload Identity (AKS)
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
# Logging
AZURE_LOG_LEVEL=verbose
# Authority host
AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
```
## Best Practices
1. **Use DefaultAzureCredential** - Works seamlessly from dev to production
2. **Managed Identity in Production** - No secrets to manage, automatic rotation
3. **Azure CLI for Local Dev** - Run `az login` before running your app
4. **Least Privilege** - Grant only required permissions to service principals
5. **Token Caching** - Enabled by default, reduces auth round-trips
6. **Environment Variables** - Use for CI/CD, not hardcoded secrets
## Credential Selection Matrix
| Environment | Recommended Credential |
|-------------|----------------------|
| Local Development | `DefaultAzureCredential` (uses Azure CLI) |
| Azure App Service | `DefaultAzureCredential` (uses Managed Identity) |
| Azure Functions | `DefaultAzureCredential` (uses Managed Identity) |
| Azure Kubernetes Service | `WorkloadIdentityCredential` |
| Azure VMs | `DefaultAzureCredential` (uses Managed Identity) |
| CI/CD Pipeline | `EnvironmentCredential` |
| Desktop App | `InteractiveBrowserCredential` |
| CLI Tool | `DeviceCodeCredential` |
## Trigger Phrases
- "Azure authentication Java", "DefaultAzureCredential Java"
- "managed identity Java", "service principal Java"
- "Azure login Java", "Azure credentials Java"
- "AZURE_CLIENT_ID", "AZURE_TENANT_ID"
## When to Use
This skill is applicable to execute the workflow or actions described in the overview.
## Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.Related Skills
identitycheck-automation
38
from lingxling/awesome-skills-cn
Automate Identitycheck tasks via Rube MCP (Composio). Always search tools first for current schemas.
playwright-java
38
from lingxling/awesome-skills-cn
Scaffold, write, debug, and enhance enterprise-grade Playwright E2E tests in Java using Page Object Model, JUnit 5, Allure reporting, and parallel execution.
n8n-code-javascript
38
from lingxling/awesome-skills-cn
Write JavaScript code in n8n Code nodes. Use when writing JavaScript in n8n, using $input/$json/$node syntax, making HTTP requests with $helpers, working with dates using DateTime, troubleshooting Code node errors, or choosing between Code node modes.
modern-javascript-patterns
38
from lingxling/awesome-skills-cn
Comprehensive guide for mastering modern JavaScript (ES6+) features, functional programming patterns, and best practices for writing clean, maintainable, and performant code.
microsoft-azure-webjobs-extensions-authentication-events-dotnet
38
from lingxling/awesome-skills-cn
Microsoft Entra Authentication Events SDK for .NET. Azure Functions triggers for custom authentication extensions.
javascript-typescript-typescript-scaffold
38
from lingxling/awesome-skills-cn
You are a TypeScript project architecture expert specializing in scaffolding production-ready Node.js and frontend applications. Generate complete project structures with modern tooling (pnpm, Vite, N
javascript-testing-patterns
38
from lingxling/awesome-skills-cn
Comprehensive guide for implementing robust testing strategies in JavaScript/TypeScript applications using modern testing frameworks and best practices.
java-pro
38
from lingxling/awesome-skills-cn
Master Java 21+ with modern features like virtual threads, pattern matching, and Spring Boot 3.x. Expert in the latest Java ecosystem including GraalVM, Project Loom, and cloud-native patterns.
identity-mirror
38
from lingxling/awesome-skills-cn
One sentence - what this skill does and when to invoke it
azure-web-pubsub-ts
38
from lingxling/awesome-skills-cn
Real-time messaging with WebSocket connections and pub/sub patterns.
azure-storage-queue-ts
38
from lingxling/awesome-skills-cn
Azure Queue Storage JavaScript/TypeScript SDK (@azure/storage-queue) for message queue operations. Use for sending, receiving, peeking, and deleting messages in queues.
azure-storage-queue-py
38
from lingxling/awesome-skills-cn
Azure Queue Storage SDK for Python. Use for reliable message queuing, task distribution, and asynchronous processing.