{"library":"microsoft-kiota-authentication-azure","title":"Microsoft Kiota Azure Authentication","description":"The Microsoft Kiota Authentication Azure Library provides an implementation to authenticate HTTP requests for Kiota-generated API clients using `azure-identity`. It allows Python applications to securely access APIs protected by the Microsoft Entra Identity Platform. The library is actively maintained with frequent minor releases, typically on a monthly cadence, synchronizing versions with other Kiota Python packages.","status":"active","version":"1.9.10","language":"en","source_language":"en","source_url":"https://github.com/microsoft/kiota-python/tree/main/packages/authentication/azure","tags":["authentication","azure","kiota","microsoft","identity","oauth2"],"install":[{"cmd":"pip install microsoft-kiota-authentication-azure","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Provides the credential objects (e.g., DeviceCodeCredential, DefaultAzureCredential) required by the AzureIdentityAuthenticationProvider for token acquisition. This is a mandatory peer dependency for functionality.","package":"azure-identity","optional":false},{"reason":"Contains core interfaces and classes fundamental to all Kiota generated clients and providers, including IAuthenticationProvider. This is a core dependency for any Kiota project.","package":"microsoft-kiota-abstractions","optional":false},{"reason":"Provides the default HTTPX-based request adapter (HttpxRequestAdapter) which consumes the authentication provider to make authenticated requests. Required if using Kiota's default HTTP client implementation.","package":"microsoft-kiota-http","optional":true}],"imports":[{"symbol":"AzureIdentityAuthenticationProvider","correct":"from microsoft_kiota_authentication_azure import AzureIdentityAuthenticationProvider"},{"note":"While 'aio' submodules exist in azure-identity for some credentials, the primary DeviceCodeCredential is directly under azure.identity and compatible with Kiota's async model.","wrong":"from azure.identity.aio import DeviceCodeCredential","symbol":"DeviceCodeCredential","correct":"from azure.identity import DeviceCodeCredential"}],"quickstart":{"code":"import os\nimport asyncio\nfrom azure.identity import DeviceCodeCredential\nfrom microsoft_kiota_authentication_azure import AzureIdentityAuthenticationProvider\nfrom microsoft_kiota_http.httpx_request_adapter import HttpxRequestAdapter\nfrom kiota_abstractions.request_information import RequestInformation, HttpMethod\nfrom kiota_abstractions.serialization import ParseNodeFactoryRegistry, SerializationWriterFactoryRegistry\n\nasync def main():\n    # 1. Obtain a TokenCredential from azure-identity.\n    # For local development, DeviceCodeCredential is often used.\n    # Ensure you have registered an application in Azure AD and have its CLIENT_ID.\n    # Set AZURE_CLIENT_ID environment variable or pass client_id directly.\n    client_id = os.environ.get('AZURE_CLIENT_ID', 'YOUR_CLIENT_ID_HERE')\n    if client_id == 'YOUR_CLIENT_ID_HERE':\n        print(\"Please set the AZURE_CLIENT_ID environment variable or replace 'YOUR_CLIENT_ID_HERE'.\")\n        return\n\n    credential = DeviceCodeCredential(client_id=client_id)\n\n    # 2. Create the AzureIdentityAuthenticationProvider.\n    # The allowed_hosts list is crucial for security, specifying which domains\n    # the authentication provider is allowed to send tokens to.\n    allowed_hosts = [\"graph.microsoft.com\", \"yourtenant.onmicrosoft.com\"]\n    auth_provider = AzureIdentityAuthenticationProvider(credential, allowed_hosts)\n\n    # 3. Create a RequestAdapter using the authentication provider.\n    # HttpxRequestAdapter is Kiota's default HTTP client implementation.\n    # You also need a ParseNodeFactoryRegistry and SerializationWriterFactoryRegistry\n    # for a fully functional adapter, even if not directly used in this simple auth example.\n    request_adapter = HttpxRequestAdapter(\n        auth_provider,\n        parse_node_factory=ParseNodeFactoryRegistry(),\n        serialization_writer_factory=SerializationWriterFactoryRegistry()\n    )\n\n    # 4. Illustrative use: Create a RequestInformation object and send it (conceptually).\n    # In a real scenario, this would be part of a Kiota-generated API client call.\n    request_info = RequestInformation(HttpMethod.GET, \"https://graph.microsoft.com/v1.0/me\")\n    print(f\"\\nAttempting to authenticate request to: {request_info.url_template}\")\n    \n    # The authenticate_request method is typically called internally by the RequestAdapter.\n    # We call it here to demonstrate its direct usage and token acquisition.\n    try:\n        await auth_provider.authenticate_request(request_info)\n        print(\"Authentication provider prepared the request with a token.\")\n        if request_info.headers and 'Authorization' in request_info.headers:\n            print(\"Authorization header added successfully.\")\n        else:\n            print(\"Authorization header not found after authentication.\")\n        # In a real app, you'd then use request_adapter.send(request_info, ...) to make the call\n        print(\"\\nQuickstart setup complete. You would now use this request_adapter with a Kiota-generated client.\")\n    except Exception as e:\n        print(f\"An error occurred during authentication: {e}\")\n        print(\"Ensure your AZURE_CLIENT_ID is correct and your application registration supports the chosen credential type (e.g., Device Code Flow).\")\n\nif __name__ == '__main__':\n    asyncio.run(main())","lang":"python","description":"This quickstart demonstrates how to set up the `AzureIdentityAuthenticationProvider` with an `azure-identity` credential (like `DeviceCodeCredential`) and integrate it into a `HttpxRequestAdapter`. It highlights the essential steps to prepare an authenticated request, typically used by a Kiota-generated API client. Remember to replace 'YOUR_CLIENT_ID_HERE' or set the `AZURE_CLIENT_ID` environment variable with your Azure AD application's client ID. Also, configure your Azure application registration to support the Device Code Flow for this example."},"warnings":[{"fix":"Always pass an initialized `AzureIdentityAuthenticationProvider` (or another appropriate provider) to your `RequestAdapter` during its instantiation.","message":"Kiota-generated API clients do not inherently include authentication logic. You must explicitly instantiate and provide an `IAuthenticationProvider` (like `AzureIdentityAuthenticationProvider`) to the client or request adapter. Failing to do so will result in unauthenticated requests.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Verify your Azure AD application registration settings, including client ID, supported account types, API permissions, and enabled authentication flows (e.g., Device Code Flow for `DeviceCodeCredential`). Refer to Azure Identity documentation for credential-specific setup.","message":"The `azure-identity` library requires proper configuration of Azure AD application registrations. Issues like incorrect client IDs, unsupported authentication flows, or missing API permissions for your application will prevent token acquisition and result in authentication failures.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Before upgrading to a new major version, review the release notes and changelogs for breaking changes. Regenerate your Kiota API clients with the updated Kiota CLI and thoroughly test your application.","message":"Major releases of Kiota tooling and its libraries (including authentication) are expected to contain breaking changes to their public API surface area. This means regenerating clients and updating library versions can require code adjustments.","severity":"breaking","affected_versions":"Major version increments (e.g., 1.x.x to 2.x.x)"},{"fix":"Ensure that all target hosts to which your Kiota client will send authenticated requests are explicitly listed in the `allowed_hosts` array when initializing `AzureIdentityAuthenticationProvider`.","message":"The `allowed_hosts` parameter in `AzureIdentityAuthenticationProvider` is critical for security. If the host of the API endpoint you are trying to reach is not in this list, the authentication provider will not attach the access token, leading to unauthorized errors from the API.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-06T00:00:00.000Z","next_check":"2026-07-05T00:00:00.000Z"}