Azure Identity (Java)
Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).
Installation
xml
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
<version>1.15.0</version>
</dependency>
Key Concepts
| Credential | Use Case |
|---|---|
DefaultAzureCredential | Recommended - Works in dev and production |
ManagedIdentityCredential | Azure-hosted apps (App Service, Functions, VMs) |
EnvironmentCredential | CI/CD pipelines with env vars |
ClientSecretCredential | Service principals with secret |
ClientCertificateCredential | Service principals with certificate |
AzureCliCredential | Local dev using az login |
InteractiveBrowserCredential | Interactive login flow |
DeviceCodeCredential | Headless device authentication |
DefaultAzureCredential (Recommended)
The DefaultAzureCredential tries multiple authentication methods in order:
- •Environment variables
- •Workload Identity
- •Managed Identity
- •Azure CLI
- •Azure PowerShell
- •Azure Developer CLI
java
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
// Simple usage
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
// Use with any Azure client
BlobServiceClient blobClient = new BlobServiceClientBuilder()
.endpoint("https://<storage-account>.blob.core.windows.net")
.credential(credential)
.buildClient();
KeyClient keyClient = new KeyClientBuilder()
.vaultUrl("https://<vault-name>.vault.azure.net")
.credential(credential)
.buildClient();
Configure DefaultAzureCredential
java
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("<user-assigned-identity-client-id>") // For user-assigned MI
.tenantId("<tenant-id>") // Limit to specific tenant
.excludeEnvironmentCredential() // Skip env vars
.excludeAzureCliCredential() // Skip Azure CLI
.build();
Managed Identity
For Azure-hosted applications (App Service, Functions, AKS, VMs).
java
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
// System-assigned managed identity
ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
.build();
// User-assigned managed identity (by client ID)
ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
.clientId("<user-assigned-client-id>")
.build();
// User-assigned managed identity (by resource ID)
ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
.resourceId("/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>")
.build();
Service Principal with Secret
java
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
ClientSecretCredential credential = new ClientSecretCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.clientSecret("<client-secret>")
.build();
Service Principal with Certificate
java
import com.azure.identity.ClientCertificateCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;
// From PEM file
ClientCertificateCredential credential = new ClientCertificateCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.pemCertificate("<path-to-cert.pem>")
.build();
// From PFX file with password
ClientCertificateCredential credential = new ClientCertificateCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.pfxCertificate("<path-to-cert.pfx>", "<pfx-password>")
.build();
// Send certificate chain for SNI
ClientCertificateCredential credential = new ClientCertificateCredentialBuilder()
.tenantId("<tenant-id>")
.clientId("<client-id>")
.pemCertificate("<path-to-cert.pem>")
.sendCertificateChain(true)
.build();
Environment Credential
Reads credentials from environment variables.
java
import com.azure.identity.EnvironmentCredential; import com.azure.identity.EnvironmentCredentialBuilder; EnvironmentCredential credential = new EnvironmentCredentialBuilder().build();
Required Environment Variables
For service principal with secret:
bash
AZURE_TENANT_ID=<tenant-id> AZURE_CLIENT_ID=<client-id> AZURE_CLIENT_SECRET=<client-secret>
For service principal with certificate:
bash
AZURE_TENANT_ID=<tenant-id> AZURE_CLIENT_ID=<client-id> AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pem AZURE_CLIENT_CERTIFICATE_PASSWORD=<optional-password>
For username/password:
bash
AZURE_TENANT_ID=<tenant-id> AZURE_CLIENT_ID=<client-id> AZURE_USERNAME=<username> AZURE_