azure-identity-dotnet
Azure Identity SDK for .NET. Authentication library for Azure SDK clients using Microsoft Entra ID. Use for DefaultAzureCredential, managed identity, service principals, and developer credentials.
About this skill
The `azure-identity-dotnet` skill equips AI agents with comprehensive knowledge of the Azure Identity SDK for .NET. This allows agents to assist developers by explaining, generating, and troubleshooting code for various Azure authentication scenarios, including `DefaultAzureCredential`, managed identities, service principals, and developer credentials. It leverages Microsoft Entra ID (formerly Azure AD) to secure interactions with Azure SDK clients, making it an essential reference for any .NET application connecting to Azure services.
Best use case
Assisting .NET developers in implementing secure and robust authentication mechanisms for Azure SDK clients. Generating accurate code examples for different authentication flows. Providing guidance on best practices for Azure identity management in .NET applications.
Azure Identity SDK for .NET. Authentication library for Azure SDK clients using Microsoft Entra ID. Use for DefaultAzureCredential, managed identity, service principals, and developer credentials.
Clear, actionable guidance or generated .NET code demonstrating secure Azure authentication. A developer's understanding of Azure identity in .NET applications is improved. Reduced time spent on implementing and debugging authentication logic.
Practical example
Example input
Help me set up `DefaultAzureCredential` in my C# application to connect to Azure Key Vault. Provide code.
Example output
// Add the necessary packages:
// dotnet add package Azure.Identity
// dotnet add package Azure.Security.KeyVault.Secrets
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using System;
// The DefaultAzureCredential will try various authentication methods in order:
// 1. Environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET or AZURE_CLIENT_CERTIFICATE_PATH)
// 2. Managed Identity (if running on Azure VM, App Service, Function App etc.)
// 3. Developer credentials (Azure CLI, Visual Studio, Visual Studio Code)
var credential = new DefaultAzureCredential();
var keyVaultUri = new Uri("https://<your-key-vault-name>.vault.azure.net/");
var client = new SecretClient(keyVaultUri, credential);
try
{
KeyVaultSecret secret = await client.GetSecretAsync("YourSecretName");
Console.WriteLine($"Secret value: {secret.Value}");
}
catch (Exception ex)
{
Console.WriteLine($"Error retrieving secret: {ex.Message}");
}When to use this skill
- When a .NET developer needs to integrate their application with Azure services and requires authentication. When explaining authentication options like `DefaultAzureCredential` to a developer. When generating code snippets for authenticating with managed identities or service principals. When troubleshooting Azure authentication errors in a .NET context.
When not to use this skill
- When the application is not built with .NET. When the authentication target is not an Azure service. When the AI agent's task is to *perform* an Azure action directly, rather than providing code or guidance for authentication (the agent would use *another* skill for the action itself, once authentication is handled).
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/azure-identity-dotnet/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How azure-identity-dotnet Compares
| Feature / Agent | azure-identity-dotnet | Standard Approach |
|---|---|---|
| Platform Support | Claude, GitHub Copilot, Cursor, DeepSeek, Windsurf, Cline, Roo Code, OpenCode, Aider, Continue | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
Azure Identity SDK for .NET. Authentication library for Azure SDK clients using Microsoft Entra ID. Use for DefaultAzureCredential, managed identity, service principals, and developer credentials.
Which AI agents support this skill?
This skill is designed for Claude, GitHub Copilot, Cursor, DeepSeek, Windsurf, Cline, Roo Code, OpenCode, Aider, Continue.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Azure.Identity (.NET)
Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).
## Installation
```bash
dotnet add package Azure.Identity
# For ASP.NET Core
dotnet add package Microsoft.Extensions.Azure
# For brokered authentication (Windows)
dotnet add package Azure.Identity.Broker
```
**Current Versions**: Stable v1.17.1, Preview v1.18.0-beta.2
## Environment Variables
### Service Principal with Secret
```bash
AZURE_CLIENT_ID=<application-client-id>
AZURE_TENANT_ID=<directory-tenant-id>
AZURE_CLIENT_SECRET=<client-secret-value>
```
### Service Principal with Certificate
```bash
AZURE_CLIENT_ID=<application-client-id>
AZURE_TENANT_ID=<directory-tenant-id>
AZURE_CLIENT_CERTIFICATE_PATH=<path-to-pfx-or-pem>
AZURE_CLIENT_CERTIFICATE_PASSWORD=<certificate-password> # Optional
```
### Managed Identity
```bash
AZURE_CLIENT_ID=<user-assigned-managed-identity-client-id> # Only for user-assigned
```
## DefaultAzureCredential
The recommended credential for most scenarios. Tries multiple authentication methods in order:
| Order | Credential | Enabled by Default |
|-------|------------|-------------------|
| 1 | EnvironmentCredential | Yes |
| 2 | WorkloadIdentityCredential | Yes |
| 3 | ManagedIdentityCredential | Yes |
| 4 | VisualStudioCredential | Yes |
| 5 | VisualStudioCodeCredential | Yes |
| 6 | AzureCliCredential | Yes |
| 7 | AzurePowerShellCredential | Yes |
| 8 | AzureDeveloperCliCredential | Yes |
| 9 | InteractiveBrowserCredential | **No** |
### Basic Usage
```csharp
using Azure.Identity;
using Azure.Storage.Blobs;
var credential = new DefaultAzureCredential();
var blobClient = new BlobServiceClient(
new Uri("https://myaccount.blob.core.windows.net"),
credential);
```
### ASP.NET Core with Dependency Injection
```csharp
using Azure.Identity;
using Microsoft.Extensions.Azure;
builder.Services.AddAzureClients(clientBuilder =>
{
clientBuilder.AddBlobServiceClient(
new Uri("https://myaccount.blob.core.windows.net"));
clientBuilder.AddSecretClient(
new Uri("https://myvault.vault.azure.net"));
// Uses DefaultAzureCredential by default
clientBuilder.UseCredential(new DefaultAzureCredential());
});
```
### Customizing DefaultAzureCredential
```csharp
var credential = new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
ExcludeEnvironmentCredential = true,
ExcludeManagedIdentityCredential = false,
ExcludeVisualStudioCredential = false,
ExcludeAzureCliCredential = false,
ExcludeInteractiveBrowserCredential = false, // Enable interactive
TenantId = "<tenant-id>",
ManagedIdentityClientId = "<user-assigned-mi-client-id>"
});
```
## Credential Types
### ManagedIdentityCredential (Production)
```csharp
// System-assigned managed identity
var credential = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
// User-assigned by client ID
var credential = new ManagedIdentityCredential(
ManagedIdentityId.FromUserAssignedClientId("<client-id>"));
// User-assigned by resource ID
var credential = new ManagedIdentityCredential(
ManagedIdentityId.FromUserAssignedResourceId("<resource-id>"));
```
### ClientSecretCredential
```csharp
var credential = new ClientSecretCredential(
tenantId: "<tenant-id>",
clientId: "<client-id>",
clientSecret: "<client-secret>");
var client = new SecretClient(
new Uri("https://myvault.vault.azure.net"),
credential);
```
### ClientCertificateCredential
```csharp
var certificate = X509CertificateLoader.LoadCertificateFromFile("MyCertificate.pfx");
var credential = new ClientCertificateCredential(
tenantId: "<tenant-id>",
clientId: "<client-id>",
certificate);
```
### ChainedTokenCredential (Custom Chain)
```csharp
var credential = new ChainedTokenCredential(
new ManagedIdentityCredential(),
new AzureCliCredential());
var client = new SecretClient(
new Uri("https://myvault.vault.azure.net"),
credential);
```
### Developer Credentials
```csharp
// Azure CLI
var credential = new AzureCliCredential();
// Azure PowerShell
var credential = new AzurePowerShellCredential();
// Azure Developer CLI (azd)
var credential = new AzureDeveloperCliCredential();
// Visual Studio
var credential = new VisualStudioCredential();
// Interactive Browser
var credential = new InteractiveBrowserCredential();
```
## Environment-Based Configuration
```csharp
// Production vs Development
TokenCredential credential = builder.Environment.IsProduction()
? new ManagedIdentityCredential("<client-id>")
: new DefaultAzureCredential();
```
## Sovereign Clouds
```csharp
var credential = new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzureGovernment
});
// Available authority hosts:
// AzureAuthorityHosts.AzurePublicCloud (default)
// AzureAuthorityHosts.AzureGovernment
// AzureAuthorityHosts.AzureChina
// AzureAuthorityHosts.AzureGermany
```
## Credential Types Reference
| Category | Credential | Purpose |
|----------|------------|---------|
| **Chains** | `DefaultAzureCredential` | Preconfigured chain for dev-to-prod |
| | `ChainedTokenCredential` | Custom credential chain |
| **Azure-Hosted** | `ManagedIdentityCredential` | Azure managed identity |
| | `WorkloadIdentityCredential` | Kubernetes workload identity |
| | `EnvironmentCredential` | Environment variables |
| **Service Principal** | `ClientSecretCredential` | Client ID + secret |
| | `ClientCertificateCredential` | Client ID + certificate |
| | `ClientAssertionCredential` | Signed client assertion |
| **User** | `InteractiveBrowserCredential` | Browser-based auth |
| | `DeviceCodeCredential` | Device code flow |
| | `OnBehalfOfCredential` | Delegated identity |
| **Developer** | `AzureCliCredential` | Azure CLI |
| | `AzurePowerShellCredential` | Azure PowerShell |
| | `AzureDeveloperCliCredential` | Azure Developer CLI |
| | `VisualStudioCredential` | Visual Studio |
## Best Practices
### 1. Use Deterministic Credentials in Production
```csharp
// Development
var devCredential = new DefaultAzureCredential();
// Production - use specific credential
var prodCredential = new ManagedIdentityCredential("<client-id>");
```
### 2. Reuse Credential Instances
```csharp
// Good: Single credential instance shared across clients
var credential = new DefaultAzureCredential();
var blobClient = new BlobServiceClient(blobUri, credential);
var secretClient = new SecretClient(vaultUri, credential);
```
### 3. Configure Retry Policies
```csharp
var options = new ManagedIdentityCredentialOptions(
ManagedIdentityId.FromUserAssignedClientId(clientId))
{
Retry =
{
MaxRetries = 3,
Delay = TimeSpan.FromSeconds(0.5),
}
};
var credential = new ManagedIdentityCredential(options);
```
### 4. Enable Logging for Debugging
```csharp
using Azure.Core.Diagnostics;
using AzureEventSourceListener listener = new((args, message) =>
{
if (args is { EventSource.Name: "Azure-Identity" })
{
Console.WriteLine(message);
}
}, EventLevel.LogAlways);
```
## Error Handling
```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var client = new SecretClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential());
try
{
KeyVaultSecret secret = await client.GetSecretAsync("secret1");
}
catch (AuthenticationFailedException e)
{
Console.WriteLine($"Authentication Failed: {e.Message}");
}
catch (CredentialUnavailableException e)
{
Console.WriteLine($"Credential Unavailable: {e.Message}");
}
```
## Key Exceptions
| Exception | Description |
|-----------|-------------|
| `AuthenticationFailedException` | Base exception for authentication errors |
| `CredentialUnavailableException` | Credential cannot authenticate in current environment |
| `AuthenticationRequiredException` | Interactive authentication is required |
## Managed Identity Support
Supported Azure services:
- Azure App Service and Azure Functions
- Azure Arc
- Azure Cloud Shell
- Azure Kubernetes Service (AKS)
- Azure Service Fabric
- Azure Virtual Machines
- Azure Virtual Machine Scale Sets
## Thread Safety
All credential implementations are thread-safe. A single credential instance can be safely shared across multiple clients and threads.
## Related SDKs
| SDK | Purpose | Install |
|-----|---------|---------|
| `Azure.Identity` | Authentication (this SDK) | `dotnet add package Azure.Identity` |
| `Microsoft.Extensions.Azure` | DI integration | `dotnet add package Microsoft.Extensions.Azure` |
| `Azure.Identity.Broker` | Brokered auth (Windows) | `dotnet add package Azure.Identity.Broker` |
## Reference Links
| Resource | URL |
|----------|-----|
| NuGet Package | https://www.nuget.org/packages/Azure.Identity |
| API Reference | https://learn.microsoft.com/dotnet/api/azure.identity |
| Credential Chains | https://learn.microsoft.com/dotnet/azure/sdk/authentication/credential-chains |
| Best Practices | https://learn.microsoft.com/dotnet/azure/sdk/authentication/best-practices |
| GitHub Source | https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/identity/Azure.Identity |
## When to Use
This skill is applicable to execute the workflow or actions described in the overview.Related Skills
clerk-auth
Expert patterns for Clerk auth implementation, middleware, organizations, webhooks, and user sync
microsoft-azure-webjobs-extensions-authentication-events-dotnet
Microsoft Entra Authentication Events SDK for .NET. Azure Functions triggers for custom authentication extensions.
dotnet-backend
Build ASP.NET Core 8+ backend services with EF Core, auth, background jobs, and production API patterns.
dotnet-backend-patterns
Master C#/.NET patterns for building production-grade APIs, MCP servers, and enterprise backends with modern best practices (2024/2025).
dotnet-architect
Expert .NET backend architect specializing in C#, ASP.NET Core, Entity Framework, Dapper, and enterprise application patterns.
azure-web-pubsub-ts
Real-time messaging with WebSocket connections and pub/sub patterns.
azure-storage-queue-ts
Azure Queue Storage JavaScript/TypeScript SDK (@azure/storage-queue) for message queue operations. Use for sending, receiving, peeking, and deleting messages in queues.
azure-storage-queue-py
Azure Queue Storage SDK for Python. Use for reliable message queuing, task distribution, and asynchronous processing.
azure-storage-file-share-ts
Azure File Share JavaScript/TypeScript SDK (@azure/storage-file-share) for SMB file share operations.
azure-storage-file-share-py
Azure Storage File Share SDK for Python. Use for SMB file shares, directories, and file operations in the cloud.
azure-storage-file-datalake-py
Azure Data Lake Storage Gen2 SDK for Python. Use for hierarchical file systems, big data analytics, and file/directory operations.
azure-storage-blob-ts
Azure Blob Storage JavaScript/TypeScript SDK (@azure/storage-blob) for blob operations. Use for uploading, downloading, listing, and managing blobs and containers.