Azure authentication in Python development environments
This article describes methods for authenticating applications with Azure services within development environments so that you can run those applications locally:
- CLI-based authentication using
AzureCliCredential. - Interactive browser authentication using
InteractiveBrowserCredential. - Device code authentication using
DeviceCodeCredential. - Authentication through Visual Studio Code using
VisualStudioCodeCredential.
The authentication methods described here are convenient for development work because they don't require explicit role assignments. For this reason, however, they cannot be used with production code.
In all cases, the user or service principal involved must have appropriate permissions for the resources and operation in question.
If you haven't already, review the Authentication Overview for important details that apply to all authentication methods, namely assigning application identity, granting permissions to an identity, and when authentication and authorization occur when using Azure libraries.
CLI-based authentication
In this method, you create a client object using the credentials of the user signed in with the Azure CLI command az login. CLI-based authentication works only for development purposes because it cannot be used in production environments.
The Azure libraries use the default subscription ID, or you can set the subscription prior to running the code using az account.
Precautions
When using CLI-based authentication, the application is authorized for any and all operations allowed by the CLI login credentials. As a result, if you are the owner or administrator of your subscription, your code has inherent access to most resources in that subscription without having to assign any specific permissions. This behavior is convenient for experimentation. However, we highly recommend that you use Azure managed identities and assign specific permissions when writing production code because you learn how to assign exact permissions to different identities and can accurately validate those permissions in test environments before deploying to production. You can also use specific service principals in a similar manner, but doing so required handling secrets in your application code, which is not needed with managed identities.
CLI-based authentication with azure.core libraries
When using Azure libraries that are updated for azure.core, use the AzureCliCredential object from the azure-identity library (version 1.4.0+). For example, the following code can be used with azure-mgmt-resource versions 15.0.0+:
# Show Azure subscription information
from azure.identity import AzureCliCredential
from azure.mgmt.resource import SubscriptionClient
credential = AzureCliCredential()
subscription_client = SubscriptionClient(credential)
subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)
CLI-based authentication with older (non azure.core) libraries
When using older Azure libraries that have not been updated for azure.core, you can use the get_client_from_cli_profile method from the azure-cli-core library. For example, the following code can be used with versions of azure-mgmt-resource below 15.0.0:
# For using version of azure-mgmt-resource below 15.0.0.
# Requires installing the azure-cli-core library as well.
from azure.common.client_factory import get_client_from_cli_profile
from azure.mgmt.resource import SubscriptionClient
subscription_client = get_client_from_cli_profile(SubscriptionClient)
subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)
Interactive browser authentication
This method interactively authenticates an application through InteractiveBrowserCredential by collecting user credentials in the default system.
Interactive browser authentication enables the same broad permissions as CLI-based authentication and should be used with the same precautions.
Enable applications for interactive browser authentication
Perform the following steps to enable the application to authenticate through the interactive browser flow. These steps also work for device code authentication described later. Following this process is necessary only if using InteractiveBrowserCredential in your code.
- On the Azure portal, navigate to Azure Active Directory and select App registrations on the left-hand menu.
- Select the registration for your app, then select Authentication.
- Under Advanced settings, select Yes for Allow public client flows.
- Select Save to apply the changes.
- To authorize the application for specific resources, navigate to the resource in question, select API Permissions, and enable Microsoft Graph and other resources you want to access. Microsoft Graph is usually enabled by default.
- You must also be the admin of your tenant to grant consent to your application when you log in for the first time.
If you can't configure the device code flow option on your Active Directory, your application may need to be multi-tenant. To make this change, navigate to the Authentication panel, select Accounts in any organizational directory (under Supported account types), and then select Yes for Allow public client flows.
Example using InteractiveBrowserCredential
The following example demonstrates using an InteractiveBrowserCredential to authenticate with the SubscriptionClient:
# Show Azure subscription information
import os
from azure.identity import InteractiveBrowserCredential
from azure.mgmt.resource import SubscriptionClient
credential = InteractiveBrowserCredential()
subscription_client = SubscriptionClient(credential)
subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)
For more exact control, such as setting redirect URIs, you can supply specific arguments to InteractiveBrowserCredential such as redirect_uri.
Device code authentication
This method interactively authenticates a user on devices with limited UI (typically devices without a keyboard):
- When the application attempts to authenticate, the credential prompts the user with a URL and an authentication code.
- The user visits the URL on a separate browser-enabled device (a computer, smartphone, etc.) and enters the code.
- The user follows a normal authentication process in the browser.
- Upon successful authentication, the application is authenticated on the device.
For more information, see Microsoft identity platform and the OAuth 2.0 device authorization grant flow.
Device code authentication in a development environment enables the same broad permissions as CLI-based authentication and should be used with the same precautions. However, you can use this method with a specific client ID, rather than the default, for which you can assign specific permissions.
Enable applications for device code authentication
To enable applications for device code authentication, follow the steps under Enable applications for interactive browser authentication.
Example using DeviceCodeCredential
The following example demonstrates using a DeviceCodeCredential to authenticate with the SubscriptionClient:
# Show Azure subscription information
from azure.identity import DeviceCodeCredential
from azure.mgmt.resource import SubscriptionClient
credential = DeviceCodeCredential()
subscription_client = SubscriptionClient(credential)
subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)
Authentication through Visual Studio Code
The 'VisualStudioCodeCredential authenticates using the credentials with which the user signs in to the Azure Account extension. The user must first sign in using the Azure: Sign In command in the Visual Studio Code command palette, which opens a browser to initiate a sign-in flow. Once sign-in is completed, any other independent application (such as other development tools) can use this credential to authenticate with Azure. Applications need not be running in Visual Studio Code, and Visual Studio Code itself doesn't need to be running.
Example using VisualStudioCodeCredential
The following example demonstrates using a 'VisualStudioCodeCredential](/python/api/azure-identity/azure.identity.visualstudiocodecredential) to authenticate with the [SubscriptionClient`:
# Show Azure subscription information
from azure.identity import VisualStudioCodeCredential
from azure.mgmt.resource import SubscriptionClient
credential = VisualStudioCodeCredential()
subscription_client = SubscriptionClient(credential)
subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)
See also
- Authentication overview
- Configure your local Python dev environment for Azure
- How to assign role permissions
- Example: Provision a resource group
- Example: Provision and use Azure Storage
- Example: Provision a web app and deploy code
- Example: Provision and use a MySQL database
- Example: Provision a virtual machine
- Use Azure Managed Disks with virtual machines
- Complete a short survey about the Azure SDK for Python