Azure Identity SDK

1.23.1 · active · verified Tue Mar 17

Microsoft's Azure authentication library for Python. Provides credential classes for authenticating against Azure services. Primary interface is DefaultAzureCredential which chains multiple credential sources. Current version is 1.23.1 (Mar 2026).

Warnings

breaking DefaultAzureCredential silently picks wrong identity. In dev with az login active, authenticates as personal account instead of service principal. Auth succeeds with no error but wrong identity.
Fix: In production use ManagedIdentityCredential() or ClientSecretCredential(tenant_id, client_id, client_secret) explicitly. Reserve DefaultAzureCredential for local dev only.
breaking Multi-tenant token requests fail since v1.11.0. Error: 'The current credential is not configured to acquire tokens for tenant X.' Breaks when using az login --tenant with a different tenant than your resource.
Fix: credential = DefaultAzureCredential(additionally_allowed_tenants=['*'])
gotcha VisualStudioCodeCredential was removed from DefaultAzureCredential chain, then re-enabled in a later version. Behaviour varies by version. Requires azure-identity-broker to work in current versions.
Fix: Explicitly exclude if not needed: DefaultAzureCredential(exclude_visual_studio_code_credential=True)
gotcha Async credentials in azure.identity.aio must be explicitly closed. Failing to close leaks transport sessions.
Fix: async with DefaultAzureCredential() as credential: token = await credential.get_token(scope)
gotcha DEBUG logging via logging_enable=True exposes tokens and secrets in logs.
Fix: Never set logging_enable=True in production.
deprecated Python 3.8 support dropped August 2025. Python 3.9 support ends April 2026.
Fix: Use Python 3.10+ for new projects.

Install

pip install azure-identity Python (core)
pip install azure-identity-broker Python (broker/WAM support)

Imports

DefaultAzureCredential
```
from azure.identity import DefaultAzureCredential
```
Always import directly from azure.identity. Use async variant from azure.identity.aio for async code.
ManagedIdentityCredential
```
from azure.identity import ManagedIdentityCredential
```
Use ManagedIdentityCredential explicitly in production instead of DefaultAzureCredential to avoid silent wrong-identity issues.
AsyncDefaultAzureCredential
```
from azure.identity.aio import DefaultAzureCredential
```
Async credentials live in azure.identity.aio, not azure.identity.

Quickstart

Minimal Azure authentication using DefaultAzureCredential 1.23.x.

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# reads from env, CLI, managed identity etc in order
credential = DefaultAzureCredential()
client = BlobServiceClient(
    account_url='https://<account>.blob.core.windows.net',
    credential=credential
)

view raw JSON →