Azure Identity SDK

1.23.1 verified Mon May 11 auth: no python install: verified quickstart: stale

Microsoft's Azure authentication library for Python. Provides credential classes for authenticating against Azure services. Primary interface is DefaultAzureCredential which chains multiple credential sources. Current version is 1.23.1 (Mar 2026).

pip install azure-identity

Common errors

error ModuleNotFoundError: No module named 'azure.identity' ↓

cause The `azure-identity` library is not installed in the Python environment where the code is being executed, or the virtual environment is not correctly activated.

fix

Ensure the azure-identity package is installed: pip install azure-identity. If using a virtual environment, activate it before installing or running the script.

error DefaultAzureCredential failed to retrieve a token from the included credentials. ↓

cause The `DefaultAzureCredential` attempts to authenticate using a chain of credential types (e.g., environment variables, managed identity, Azure CLI, Visual Studio Code). This error indicates that none of the credentials in its chain successfully acquired an access token, often due to misconfiguration of the environment or the identity being used.

fix

This is a general error, and the fix depends on the underlying credential that failed. Common resolutions include: * **EnvironmentCredential (when nested):** Ensure environment variables for service principal authentication (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET or AZURE_CLIENT_CERTIFICATE_PATH) are correctly set. * **Multi-tenant authentication:** If authenticating to a tenant different from the one logged into via Azure CLI or other tools, add additionally_allowed_tenants=['*'] (to allow any tenant) or specific tenant IDs when initializing DefaultAzureCredential. * **ManagedIdentityCredential (when nested):** Verify that managed identity is enabled and correctly configured on the Azure resource (e.g., VM, App Service, Function App) where the code is running, and that the identity has the necessary Azure RBAC permissions. * **General troubleshooting:** Enable logging for azure-identity to get detailed information on which specific credential in the chain is failing and why.

error ClientAuthenticationError: (None) Unauthorized. Access token is missing, invalid, audience is incorrect (https://cognitiveservices.azure.com), or have expired ↓

cause The access token acquired by the credential is either missing, invalid, expired, or the audience (resource URI/scope) for which the token was requested does not match the expected audience of the target Azure service. This usually indicates an issue with the permissions assigned to the identity or an incorrect scope/resource URI in the token request.

fix

Verify the following: * **Azure RBAC roles:** Ensure the identity (user, service principal, or managed identity) has the appropriate Azure RBAC roles assigned for the specific Azure service and resource it's trying to access. * **Scope/Audience:** Confirm that the scope or resource URI provided when requesting the token (e.g., https://storage.azure.com/.default for Azure Storage) is correct for the target service. * **Token validity:** Ensure the tokens are not expired; Azure SDKs usually handle token refreshing automatically, but persistent issues might point to underlying permission or configuration problems preventing successful refresh.

Warnings

breaking DefaultAzureCredential silently picks wrong identity. In dev with az login active, authenticates as personal account instead of service principal. Auth succeeds with no error but wrong identity. ↓

fix In production use ManagedIdentityCredential() or ClientSecretCredential(tenant_id, client_id, client_secret) explicitly. Reserve DefaultAzureCredential for local dev only.

breaking Multi-tenant token requests fail since v1.11.0. Error: 'The current credential is not configured to acquire tokens for tenant X.' Breaks when using az login --tenant with a different tenant than your resource. ↓

fix credential = DefaultAzureCredential(additionally_allowed_tenants=['*'])

gotcha VisualStudioCodeCredential was removed from DefaultAzureCredential chain, then re-enabled in a later version. Behaviour varies by version. Requires azure-identity-broker to work in current versions. ↓

fix Explicitly exclude if not needed: DefaultAzureCredential(exclude_visual_studio_code_credential=True)

gotcha Async credentials in azure.identity.aio must be explicitly closed. Failing to close leaks transport sessions. ↓

fix async with DefaultAzureCredential() as credential: token = await credential.get_token(scope)

gotcha DEBUG logging via logging_enable=True exposes tokens and secrets in logs. ↓

fix Never set logging_enable=True in production.

deprecated Python 3.8 support dropped August 2025. Python 3.9 support ends April 2026. ↓

fix Use Python 3.10+ for new projects.

breaking ModuleNotFoundError: No module named 'azure.storage' indicates that the 'azure-storage-blob' package was not installed. This package is required to use 'BlobServiceClient'. ↓

fix Install the 'azure-storage-blob' package: pip install azure-storage-blob

breaking ModuleNotFoundError: No module named 'azure.storage' indicates a missing dependency. The script attempts to import from 'azure.storage.blob' but the 'azure-storage-blob' package was not installed. ↓

fix Install the required storage package, e.g., 'pip install azure-storage-blob'.

Install

pip install azure-identity-broker

Install compatibility verified last tested: 2026-05-11

python os / libc variant status wheel install import disk

3.10 alpine (musl) azure-identity - - 1.50s 40.8M

3.10 alpine (musl) azure-identity-broker - - 1.38s 40.8M

3.10 slim (glibc) azure-identity - - 0.99s 41M

3.10 slim (glibc) azure-identity-broker - - 0.92s 79M

3.11 alpine (musl) azure-identity - - 1.77s 44.0M

3.11 alpine (musl) azure-identity-broker - - 1.77s 44.0M

3.11 slim (glibc) azure-identity - - 1.66s 44M

3.11 slim (glibc) azure-identity-broker - - 1.61s 83M

3.12 alpine (musl) azure-identity - - 1.52s 35.6M

3.12 alpine (musl) azure-identity-broker - - 1.30s 35.6M

3.12 slim (glibc) azure-identity - - 1.36s 36M

3.12 slim (glibc) azure-identity-broker - - 1.58s 74M

3.13 alpine (musl) azure-identity - - 1.41s 35.2M

3.13 alpine (musl) azure-identity-broker - - 1.36s 35.3M

3.13 slim (glibc) azure-identity - - 1.51s 36M

3.13 slim (glibc) azure-identity-broker - - 1.52s 74M

3.9 alpine (musl) azure-identity - - 1.28s 40.8M

3.9 alpine (musl) azure-identity-broker - - 1.15s 40.9M

3.9 slim (glibc) azure-identity - - 1.06s 41M

3.9 slim (glibc) azure-identity-broker - - 1.06s 83M

Imports

DefaultAzureCredential
wrong
```
import azure.identity; azure.identity.DefaultAzureCredential()
```
correct
```
from azure.identity import DefaultAzureCredential
```
Always import directly from azure.identity. Use async variant from azure.identity.aio for async code.
ManagedIdentityCredential
wrong
```
DefaultAzureCredential() in production
```
correct
```
from azure.identity import ManagedIdentityCredential
```
Use ManagedIdentityCredential explicitly in production instead of DefaultAzureCredential to avoid silent wrong-identity issues.

AsyncDefaultAzureCredential

wrong

from azure.identity import DefaultAzureCredential  # in async context

correct

from azure.identity.aio import DefaultAzureCredential

Async credentials live in azure.identity.aio, not azure.identity.

Quickstart stale last tested: 2026-05-11

Minimal Azure authentication using DefaultAzureCredential 1.23.x.

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# reads from env, CLI, managed identity etc in order
credential = DefaultAzureCredential()
client = BlobServiceClient(
    account_url='https://<account>.blob.core.windows.net',
    credential=credential
)