Azure authentication in Python development environments

This article describes methods for authenticating applications with Azure services within development environments so that you can run those applications locally:

The authentication methods described here are convenient for development work because they don't require explicit role assignments. For this reason, however, they cannot be used with production code.

In all cases, the user or service principal involved must have appropriate permissions for the resources and operation in question.

If you haven't already, review the Authentication Overview for important details that apply to all authentication methods, namely assigning application identity, granting permissions to an identity, and when authentication and authorization occur when using Azure libraries.

CLI-based authentication

In this method, you create a client object using the credentials of the user signed in with the Azure CLI command az login. CLI-based authentication works only for development purposes because it cannot be used in production environments.

The Azure libraries use the default subscription ID, or you can set the subscription prior to running the code using az account.

Precautions

When using CLI-based authentication, the application is authorized for any and all operations allowed by the CLI login credentials. As a result, if you are the owner or administrator of your subscription, your code has inherent access to most resources in that subscription without having to assign any specific permissions. This behavior is convenient for experimentation. However, we highly recommend that you use Azure managed identities and assign specific permissions when writing production code because you learn how to assign exact permissions to different identities and can accurately validate those permissions in test environments before deploying to production. You can also use specific service principals in a similar manner, but doing so required handling secrets in your application code, which is not needed with managed identities.

CLI-based authentication with azure.core libraries

When using Azure libraries that are updated for azure.core, use the AzureCliCredential object from the azure-identity library (version 1.4.0+). For example, the following code can be used with azure-mgmt-resource versions 15.0.0+:

# Show Azure subscription information

from azure.identity import AzureCliCredential
from azure.mgmt.resource import SubscriptionClient

credential = AzureCliCredential()
subscription_client = SubscriptionClient(credential)

subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)

CLI-based authentication with older (non azure.core) libraries

When using older Azure libraries that have not been updated for azure.core, you can use the get_client_from_cli_profile method from the azure-cli-core library. For example, the following code can be used with versions of azure-mgmt-resource below 15.0.0:

# For using version of azure-mgmt-resource below 15.0.0.
# Requires installing the azure-cli-core library as well.

from azure.common.client_factory import get_client_from_cli_profile
from azure.mgmt.resource import SubscriptionClient

subscription_client = get_client_from_cli_profile(SubscriptionClient)

subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)

Interactive browser authentication

This method interactively authenticates an application through InteractiveBrowserCredential by collecting user credentials in the default system.

Interactive browser authentication enables the same broad permissions as CLI-based authentication and should be used with the same precautions.

Enable applications for interactive browser authentication

Perform the following steps to enable the application to authenticate through the interactive browser flow. These steps also work for device code authentication described later. Following this process is necessary only if using InteractiveBrowserCredential in your code.

  1. On the Azure portal, navigate to Azure Active Directory and select App registrations on the left-hand menu.
  2. Select the registration for your app, then select Authentication.
  3. Under Advanced settings, select Yes for Allow public client flows.
  4. Select Save to apply the changes.
  5. To authorize the application for specific resources, navigate to the resource in question, select API Permissions, and enable Microsoft Graph and other resources you want to access. Microsoft Graph is usually enabled by default.
    1. You must also be the admin of your tenant to grant consent to your application when you log in for the first time.

If you can't configure the device code flow option on your Active Directory, your application may need to be multi-tenant. To make this change, navigate to the Authentication panel, select Accounts in any organizational directory (under Supported account types), and then select Yes for Allow public client flows.

Example using InteractiveBrowserCredential

The following example demonstrates using an InteractiveBrowserCredential to authenticate with the SubscriptionClient:

# Show Azure subscription information

import os
from azure.identity import InteractiveBrowserCredential
from azure.mgmt.resource import SubscriptionClient

credential = InteractiveBrowserCredential()
subscription_client = SubscriptionClient(credential)

subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)

For more exact control, such as setting redirect URIs, you can supply specific arguments to InteractiveBrowserCredential such as redirect_uri.

Device code authentication

This method interactively authenticates a user on devices with limited UI (typically devices without a keyboard):

  1. When the application attempts to authenticate, the credential prompts the user with a URL and an authentication code.
  2. The user visits the URL on a separate browser-enabled device (a computer, smartphone, etc.) and enters the code.
  3. The user follows a normal authentication process in the browser.
  4. Upon successful authentication, the application is authenticated on the device.

For more information, see Microsoft identity platform and the OAuth 2.0 device authorization grant flow.

Device code authentication in a development environment enables the same broad permissions as CLI-based authentication and should be used with the same precautions. However, you can use this method with a specific client ID, rather than the default, for which you can assign specific permissions.

Enable applications for device code authentication

To enable applications for device code authentication, follow the steps under Enable applications for interactive browser authentication.

Example using DeviceCodeCredential

The following example demonstrates using a DeviceCodeCredential to authenticate with the SubscriptionClient:

# Show Azure subscription information

from azure.identity import DeviceCodeCredential
from azure.mgmt.resource import SubscriptionClient

credential = DeviceCodeCredential()
subscription_client = SubscriptionClient(credential)

subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)

Authentication through Visual Studio Code

The 'VisualStudioCodeCredential authenticates using the credentials with which the user signs in to the Azure Account extension. The user must first sign in using the Azure: Sign In command in the Visual Studio Code command palette, which opens a browser to initiate a sign-in flow. Once sign-in is completed, any other independent application (such as other development tools) can use this credential to authenticate with Azure. Applications need not be running in Visual Studio Code, and Visual Studio Code itself doesn't need to be running.

Example using VisualStudioCodeCredential

The following example demonstrates using a 'VisualStudioCodeCredential](/python/api/azure-identity/azure.identity.visualstudiocodecredential) to authenticate with the [SubscriptionClient`:

# Show Azure subscription information

from azure.identity import VisualStudioCodeCredential
from azure.mgmt.resource import SubscriptionClient

credential = VisualStudioCodeCredential()
subscription_client = SubscriptionClient(credential)

subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)

See also