@azure/identity

constructor

constructor(errors: any[], errorMessage?: string);

property errors

errors: any[];

• The array of error objects that were thrown while trying to authenticate with the credentials in a ChainedTokenCredential.

constructor

constructor(statusCode: number, errorBody: string | object);

property errorResponse

readonly errorResponse: ErrorResponse;

• The error response details.

property statusCode

readonly statusCode: number;

• The HTTP status code returned from the authentication request.

constructor

constructor(options: AuthenticationRequiredErrorOptions);

property getTokenOptions

getTokenOptions?: GetTokenOptions;

• The options passed to the getToken request.

property scopes

scopes: string[];

• The list of scopes for which the token will have access.

constructor

constructor(
    tenantId: string,
    clientId: string,
    clientSecret: string,
    authorizationCode: string,
    redirectUri: string,
    options?: AuthorizationCodeCredentialOptions
);

• Creates an instance of AuthorizationCodeCredential with the details needed to request an access token using an authentication that was obtained from Microsoft Entra ID.

  It is currently necessary for the user of this credential to initiate the authorization code flow to obtain an authorization code to be used with this credential. A full example of this flow is provided here:

  https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts

  Parameter tenantId

  The Microsoft Entra tenant (directory) ID or name. 'common' may be used when dealing with multi-tenant scenarios.

  Parameter clientId

  The client (application) ID of an App Registration in the tenant.

  Parameter clientSecret

  A client secret that was generated for the App Registration

  Parameter authorizationCode

  An authorization code that was received from following the authorization code flow. This authorization code must not have already been used to obtain an access token.

  Parameter redirectUri

  The redirect URI that was used to request the authorization code. Must be the same URI that is configured for the App Registration.

  Parameter options

  Options for configuring the client which makes the access token request.

constructor

constructor(
    tenantId: string,
    clientId: string,
    authorizationCode: string,
    redirectUri: string,
    options?: AuthorizationCodeCredentialOptions
);

• Creates an instance of AuthorizationCodeCredential with the details needed to request an access token using an authentication that was obtained from Microsoft Entra ID.

  It is currently necessary for the user of this credential to initiate the authorization code flow to obtain an authorization code to be used with this credential. A full example of this flow is provided here:

  https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts

  Parameter tenantId

  The Microsoft Entra tenant (directory) ID or name. 'common' may be used when dealing with multi-tenant scenarios.

  Parameter clientId

  The client (application) ID of an App Registration in the tenant.

  Parameter authorizationCode

  An authorization code that was received from following the authorization code flow. This authorization code must not have already been used to obtain an access token.

  Parameter redirectUri

  The redirect URI that was used to request the authorization code. Must be the same URI that is configured for the App Registration.

  Parameter options

  Options for configuring the client which makes the access token request.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(options?: AzureCliCredentialOptions);

• Creates an instance of the AzureCliCredential.

  To use this credential, ensure that you have already logged in via the 'az' tool using the command "az login" from the commandline.

  Parameter options

  Options, to optionally allow multi-tenant requests.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(options?: AzureDeveloperCliCredentialOptions);

• Creates an instance of the AzureDeveloperCliCredential.

  To use this credential, ensure that you have already logged in via the 'azd' tool using the command "azd auth login" from the commandline.

  Parameter options

  Options, to optionally allow multi-tenant requests.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(options?: AzurePowerShellCredentialOptions);

• Creates an instance of the AzurePowerShellCredential.

  To use this credential: - Install the Azure Az PowerShell module with: Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force. - You have already logged in to Azure PowerShell using the command Connect-AzAccount from the command line.

  Parameter options

  Options, to optionally allow multi-tenant requests.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If the authentication cannot be performed through PowerShell, a CredentialUnavailableError will be thrown.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(...sources: TokenCredential[]);

• Creates an instance of ChainedTokenCredential using the given credentials.

  Parameter sources

  TokenCredential implementations to be tried in order.

  Example usage:

  const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
  const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
  const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Returns the first access token returned by one of the chained TokenCredential implementations. Throws an AggregateAuthenticationError when one or more credentials throws an AuthenticationError and no credentials have returned an access token.

  This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(
    tenantId: string,
    clientId: string,
    getAssertion: () => Promise<string>,
    options?: ClientAssertionCredentialOptions
);

• Creates an instance of the ClientAssertionCredential with the details needed to authenticate against Microsoft Entra ID with a client assertion provided by the developer through the getAssertion function parameter.

  Parameter tenantId

  The Microsoft Entra tenant (directory) ID.

  Parameter clientId

  The client (application) ID of an App Registration in the tenant.

  Parameter getAssertion

  A function that retrieves the assertion for the credential to use.

  Parameter options

  Options for configuring the client which makes the authentication request.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(
    tenantId: string,
    clientId: string,
    certificatePath: string,
    options?: ClientCertificateCredentialOptions
);

• Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with a certificate.

  Parameter tenantId

  The Microsoft Entra tenant (directory) ID.

  Parameter clientId

  The client (application) ID of an App Registration in the tenant.

  Parameter certificatePath

  The path to a PEM-encoded public/private key certificate on the filesystem.

  Parameter options

  Options for configuring the client which makes the authentication request.

constructor

constructor(
    tenantId: string,
    clientId: string,
    configuration: ClientCertificatePEMCertificatePath,
    options?: ClientCertificateCredentialOptions
);

• Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with a certificate.

  Parameter tenantId

  The Microsoft Entra tenant (directory) ID.

  Parameter clientId

  The client (application) ID of an App Registration in the tenant.

  Parameter configuration

  Other parameters required, including the path of the certificate on the filesystem. If the type is ignored, we will throw the value of the path to a PEM certificate.

  Parameter options

  Options for configuring the client which makes the authentication request.

constructor

constructor(
    tenantId: string,
    clientId: string,
    configuration: ClientCertificatePEMCertificate,
    options?: ClientCertificateCredentialOptions
);

• Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with a certificate.

  Parameter tenantId

  The Microsoft Entra tenant (directory) ID.

  Parameter clientId

  The client (application) ID of an App Registration in the tenant.

  Parameter configuration

  Other parameters required, including the PEM-encoded certificate as a string. If the type is ignored, we will throw the value of the PEM-encoded certificate.

  Parameter options

  Options for configuring the client which makes the authentication request.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(
    tenantId: string,
    clientId: string,
    clientSecret: string,
    options?: ClientSecretCredentialOptions
);

• Creates an instance of the ClientSecretCredential with the details needed to authenticate against Microsoft Entra ID with a client secret.

  Parameter tenantId

  The Microsoft Entra tenant (directory) ID.

  Parameter clientId

  The client (application) ID of an App Registration in the tenant.

  Parameter clientSecret

  A client secret that was generated for the App Registration.

  Parameter options

  Options for configuring the client which makes the authentication request.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(message?: string);

constructor

constructor(options?: DefaultAzureCredentialClientIdOptions);

• Creates an instance of the DefaultAzureCredential class with DefaultAzureCredentialClientIdOptions

  This credential provides a default ChainedTokenCredential configuration that should work for most applications that use the Azure SDK.

  The following credential types will be tried, in order:

  - EnvironmentCredential - WorkloadIdentityCredential - ManagedIdentityCredential - AzureCliCredential - AzurePowerShellCredential - AzureDeveloperCliCredential

  Consult the documentation of these credential types for more information on how they attempt authentication.

  Parameter options

  Optional parameters. See DefaultAzureCredentialClientIdOptions.

constructor

constructor(options?: DefaultAzureCredentialResourceIdOptions);

• Creates an instance of the DefaultAzureCredential class with DefaultAzureCredentialResourceIdOptions

  This credential provides a default ChainedTokenCredential configuration that should work for most applications that use the Azure SDK.

  The following credential types will be tried, in order:

  - EnvironmentCredential - WorkloadIdentityCredential - ManagedIdentityCredential - AzureCliCredential - AzurePowerShellCredential - AzureDeveloperCliCredential

  Consult the documentation of these credential types for more information on how they attempt authentication.

  Parameter options

  Optional parameters. See DefaultAzureCredentialResourceIdOptions.

constructor

constructor(options?: DefaultAzureCredentialOptions);

• Creates an instance of the DefaultAzureCredential class with DefaultAzureCredentialOptions

  This credential provides a default ChainedTokenCredential configuration that should work for most applications that use the Azure SDK.

  The following credential types will be tried, in order:

  - EnvironmentCredential - WorkloadIdentityCredential - ManagedIdentityCredential - AzureCliCredential - AzurePowerShellCredential - AzureDeveloperCliCredential

  Consult the documentation of these credential types for more information on how they attempt authentication.

  Parameter options

  Optional parameters. See DefaultAzureCredentialOptions.

constructor

constructor(options?: DeviceCodeCredentialOptions);

• Creates an instance of DeviceCodeCredential with the details needed to initiate the device code authorization flow with Microsoft Entra ID.

  A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin

  Developers can configure how this message is shown by passing a custom userPromptCallback:

  const credential = new DeviceCodeCredential({
    tenantId: env.AZURE_TENANT_ID,
    clientId: env.AZURE_CLIENT_ID,
    userPromptCallback: (info) => {
      console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
    }
  });

  Parameter options

  Options for configuring the client which makes the authentication requests.

method authenticate

authenticate: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AuthenticationRecord | undefined>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  If the token can't be retrieved silently, this method will require user interaction to retrieve the token.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  If the user provided the option disableAutomaticAuthentication, once the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(options?: EnvironmentCredentialOptions);

• Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.

  Required environment variables: - AZURE_TENANT_ID: The Microsoft Entra tenant (directory) ID. - AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.

  If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants - AZURE_ADDITIONALLY_ALLOWED_TENANTS: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.

  Environment variables used for client credential authentication: - AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration. - AZURE_CLIENT_CERTIFICATE_PATH: The path to a PEM certificate to use during the authentication, instead of the client secret. - AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) password for the certificate file.

  Alternatively, users can provide environment variables for username and password authentication: - AZURE_USERNAME: Username to authenticate with. - AZURE_PASSWORD: Password to authenticate with.

  If the environment variables required to perform the authentication are missing, a CredentialUnavailableError will be thrown. If the authentication fails, or if there's an unknown error, an AuthenticationError will be thrown.

  Parameter options

  Options for configuring the client which makes the authentication request.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  Optional parameters. See GetTokenOptions.

constructor

constructor(
    options:
        | InteractiveBrowserCredentialNodeOptions
        | InteractiveBrowserCredentialInBrowserOptions
);

• Creates an instance of InteractiveBrowserCredential with the details needed.

  This credential uses the [Authorization Code Flow](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow). On Node.js, it will open a browser window while it listens for a redirect response from the authentication service. On browsers, it authenticates via popups. The loginStyle optional parameter can be set to redirect to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.

  For Node.js, if a clientId is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint. Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).

  Parameter options

  Options for configuring the client which makes the authentication requests.

method authenticate

authenticate: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AuthenticationRecord | undefined>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  If the token can't be retrieved silently, this method will require user interaction to retrieve the token.

  On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default. PKCE is a security feature that mitigates authentication code interception attacks.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  If the user provided the option disableAutomaticAuthentication, once the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(clientId: string, options?: TokenCredentialOptions);

• Creates an instance of ManagedIdentityCredential with the client ID of a user-assigned identity, or app registration (when working with AKS pod-identity).

  Parameter clientId

  The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).

  Parameter options

  Options for configuring the client which makes the access token request.

constructor

constructor(options?: ManagedIdentityCredentialClientIdOptions);

• Creates an instance of ManagedIdentityCredential with clientId

  Parameter options

  Options for configuring the client which makes the access token request.

constructor

constructor(options?: ManagedIdentityCredentialResourceIdOptions);

• Creates an instance of ManagedIdentityCredential with Resource Id

  Parameter options

  Options for configuring the resource which makes the access token request.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure. If an unexpected error occurs, an AuthenticationError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(
    options: OnBehalfOfCredentialCertificateOptions &
        MultiTenantTokenCredentialOptions &
        CredentialPersistenceOptions
);

• Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with path to a PEM certificate, and an user assertion.

  Example using the KeyClient from [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):

  const tokenCredential = new OnBehalfOfCredential({
    tenantId,
    clientId,
    certificatePath: "/path/to/certificate.pem",
    userAssertionToken: "access-token"
  });
  const client = new KeyClient("vault-url", tokenCredential);
  
  await client.getKey("key-name");

  Parameter options

  Optional parameters, generally common across credentials.

constructor

constructor(
    options: OnBehalfOfCredentialSecretOptions &
        MultiTenantTokenCredentialOptions &
        CredentialPersistenceOptions
);

• Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with a client secret and an user assertion.

  Example using the KeyClient from [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):

  const tokenCredential = new OnBehalfOfCredential({
    tenantId,
    clientId,
    clientSecret,
    userAssertionToken: "access-token"
  });
  const client = new KeyClient("vault-url", tokenCredential);
  
  await client.getKey("key-name");

  Parameter options

  Optional parameters, generally common across credentials.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure the underlying network requests.

constructor

constructor(
    tenantId: string,
    clientId: string,
    username: string,
    password: string,
    options?: UsernamePasswordCredentialOptions
);

• Creates an instance of the UsernamePasswordCredential with the details needed to authenticate against Microsoft Entra ID with a username and password.

  Parameter tenantId

  The Microsoft Entra tenant (directory).

  Parameter clientId

  The client (application) ID of an App Registration in the tenant.

  Parameter username

  The user account's e-mail address (user name).

  Parameter password

  The user account's account password

  Parameter options

  Options for configuring the client which makes the authentication request.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  If the user provided the option disableAutomaticAuthentication, once the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(options?: VisualStudioCodeCredentialOptions);

• Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.

  **Note**: VisualStudioCodeCredential is provided by a plugin package: @azure/identity-vscode. If this package is not installed and registered using the plugin API (useIdentityPlugin), then authentication using VisualStudioCodeCredential will not be available.

  Parameter options

  Options for configuring the client which makes the authentication request.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken>;

• Returns the token found by searching VSCode's authentication cache or returns null if no token could be found.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

constructor

constructor(options?: WorkloadIdentityCredentialOptions);

• WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.

  Parameter options

  The identity client options to use for authentication.

method getToken

getToken: (
    scopes: string | string[],
    options?: GetTokenOptions
) => Promise<AccessToken | null>;

• Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

  Parameter scopes

  The list of scopes for which the token will have access.

  Parameter options

  The options used to configure any requests this TokenCredential implementation might make.

property authority

authority: string;

• The associated authority, if used.

property clientId

clientId: string;

• The associated client ID.

property homeAccountId

homeAccountId: string;

• The home account Id.

property tenantId

tenantId: string;

• The associated tenant ID.

property username

username: string;

• The username of the logged in account.

property getTokenOptions

getTokenOptions?: GetTokenOptions;

• The options passed to the getToken request.

property message

message?: string;

• The message of the error.

property scopes

scopes: string[];

• The list of scopes for which the token will have access.

property disableInstanceDiscovery

disableInstanceDiscovery?: boolean;

• The field determines whether instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. As a result, it's crucial to ensure that the configured authority host is valid and trustworthy. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority.

property processTimeoutInMs

processTimeoutInMs?: number;

• Process timeout configurable for making token requests, provided in milliseconds

property tenantId

tenantId?: string;

• Allows specifying a tenant ID

property processTimeoutInMs

processTimeoutInMs?: number;

• Process timeout configurable for making token requests, provided in milliseconds

property tenantId

tenantId?: string;

• Allows specifying a tenant ID

property processTimeoutInMs

processTimeoutInMs?: number;

• Process timeout configurable for making token requests, provided in milliseconds

property tenantId

tenantId?: string;

• Allows specifying a tenant ID

property brokerOptions

brokerOptions?: BrokerOptions;

• Options to allow broker authentication when using InteractiveBrowserCredential

property enabled

enabled: false;

• If set to true, broker will be enabled for WAM support on Windows

property legacyEnableMsaPassthrough

legacyEnableMsaPassthrough?: undefined;

• If set to true, MSA account will be passed through, required for WAM authentication.

property parentWindowHandle

parentWindowHandle: undefined;

• Window handle for parent window, required for WAM authentication

property enabled

enabled: true;

• If set to true, broker will be enabled for WAM support on Windows

property legacyEnableMsaPassthrough

legacyEnableMsaPassthrough?: boolean;

• If set to true, MSA account will be passed through, required for WAM authentication.

property parentWindowHandle

parentWindowHandle: Uint8Array;

• Window handle for parent window, required for WAM authentication

property browserCustomizationOptions

browserCustomizationOptions?: {
    /**
     * Format for error messages for display in browser
     */
    errorMessage?: string;
    /**
     * Format for success messages for display in browser
     */
    successMessage?: string;
};

• Shared configuration options for browser customization

property sendCertificateChain

sendCertificateChain?: boolean;

• Option to include x5c header for SubjectName and Issuer name authorization. Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim

property certificate

certificate: string;

• The PEM-encoded public/private key certificate on the filesystem.

property certificatePassword

certificatePassword?: string;

• The password for the certificate file.

property certificatePassword

certificatePassword?: string;

• The password for the certificate file.

property certificatePath

certificatePath: string;

• The path to the PEM-encoded public/private key certificate on the filesystem.

property tokenCachePersistenceOptions

tokenCachePersistenceOptions?: TokenCachePersistenceOptions;

• Options to provide to the persistence layer (if one is available) when storing credentials.

  You must first register a persistence provider plugin. See the @azure/identity-cache-persistence package on NPM.

  Example:

  import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
  import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
  
  useIdentityPlugin(cachePersistencePlugin);
  
  async function main() {
    const credential = new DeviceCodeCredential({
      tokenCachePersistenceOptions: {
        enabled: true
      }
    });
  }
  
  main().catch((error) => {
    console.error("An error occurred:", error);
    process.exit(1);
  });

property managedIdentityClientId

managedIdentityClientId?: string;

• Optionally pass in a user assigned client ID to be used by the ManagedIdentityCredential. This client ID can also be passed through to the ManagedIdentityCredential through the environment variable: AZURE_CLIENT_ID.

property workloadIdentityClientId

workloadIdentityClientId?: string;

• Optionally pass in a user assigned client ID to be used by the WorkloadIdentityCredential. This client ID can also be passed through to the WorkloadIdentityCredential through the environment variable: AZURE_CLIENT_ID.

property processTimeoutInMs

processTimeoutInMs?: number;

• Timeout configurable for making token requests for developer credentials, namely, AzurePowershellCredential, AzureDeveloperCliCredential and AzureCliCredential. Process timeout for credentials should be provided in milliseconds.

property tenantId

tenantId?: string;

• Optionally pass in a Tenant ID to be used as part of the credential. By default it may use a generic tenant ID depending on the underlying credential.

property managedIdentityResourceId

managedIdentityResourceId: string;

• Optionally pass in a resource ID to be used by the ManagedIdentityCredential. In scenarios such as when user assigned identities are created using an ARM template, where the resource Id of the identity is known but the client Id can't be known ahead of time, this parameter allows programs to use these user assigned identities without having to first determine the client Id of the created identity.

property clientId

clientId?: string;

• The client (application) ID of an App Registration in the tenant.

property tenantId

tenantId?: string;

• The Microsoft Entra tenant (directory) ID.

property userPromptCallback

userPromptCallback?: DeviceCodePromptCallback;

• A callback function that will be invoked to show DeviceCodeInfo to the user. If left unassigned, we will automatically log the device code information and the authentication instructions in the console.

property message

message: string;

• A message that may be shown to the user to instruct them on how to enter the device code in the page specified by the verification URI.

property userCode

userCode: string;

• The device code that the user must enter into the verification page.

property verificationUri

verificationUri: string;

• The verification URI to which the user must navigate to enter the device code.

property correlationId

correlationId?: string;

• The correlation ID to be used for tracking the source of the error.

property error

error: string;

• The string identifier for the error.

property errorCodes

errorCodes?: number[];

• An array of codes pertaining to the error(s) that occurred.

property errorDescription

errorDescription: string;

• The error's description.

property timestamp

timestamp?: string;

• The timestamp at which the error occurred.

property traceId

traceId?: string;

• The trace identifier for this error occurrence.

property clientId

clientId: string;

• The client (application) ID of an App Registration in the tenant. This parameter is required on the browser.

property loginHint

loginHint?: string;

• loginHint allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to login with the specified account.

property loginStyle

loginStyle?: BrowserLoginStyle;

• Specifies whether a redirect or a popup window should be used to initiate the user authentication flow. Possible values are "redirect" or "popup" (default) for browser and "popup" (default) for node.

property redirectUri

redirectUri?: string | (() => string);

• Gets the redirect URI of the application. This should be same as the value in the application registration portal. Defaults to window.location.href. This field is no longer required for Node.js.

property tenantId

tenantId?: string;

• The Microsoft Entra tenant (directory) ID.

property clientId

clientId?: string;

• The client (application) ID of an App Registration in the tenant.

property loginHint

loginHint?: string;

• loginHint allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to login with the specified account.

property redirectUri

redirectUri?: string | (() => string);

• Gets the redirect URI of the application. This should be same as the value in the application registration portal. Defaults to window.location.href. This field is no longer required for Node.js.

property tenantId

tenantId?: string;

• The Microsoft Entra tenant (directory) ID.

property authenticationRecord

authenticationRecord?: AuthenticationRecord;

• Result of a previous authentication that can be used to retrieve the cached credentials of each individual account. This is necessary to provide in case the application wants to work with more than one account per Client ID and Tenant ID pair.

  This record can be retrieved by calling to the credential's authenticate() method, as follows:

  const authenticationRecord = await credential.authenticate();

property disableAutomaticAuthentication

disableAutomaticAuthentication?: boolean;

• Makes getToken throw if a manual authentication is necessary. Developers will need to call to authenticate() to control when to manually authenticate.

property clientId

clientId?: string;

• The client ID of the user - assigned identity, or app registration(when working with AKS pod - identity).

property resourceId

resourceId: string;

• Allows specifying a custom resource Id. In scenarios such as when user assigned identities are created using an ARM template, where the resource Id of the identity is known but the client Id can't be known ahead of time, this parameter allows programs to use these user assigned identities without having to first determine the client Id of the created identity.

property additionallyAllowedTenants

additionallyAllowedTenants?: string[];

• For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application is installed.

property certificatePath

certificatePath: string;

• The path to a PEM-encoded public/private key certificate on the filesystem.

property clientId

clientId: string;

• The client (application) ID of an App Registration in the tenant.

property sendCertificateChain

sendCertificateChain?: boolean;

• Option to include x5c header for SubjectName and Issuer name authorization. Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim

property tenantId

tenantId: string;

• The Microsoft Entra tenant (directory) ID.

property userAssertionToken

userAssertionToken: string;

• The user assertion for the On-Behalf-Of flow.

property clientId

clientId: string;

• The client (application) ID of an App Registration in the tenant.

property clientSecret

clientSecret: string;

• A client secret that was generated for the App Registration.

property tenantId

tenantId: string;

• The Microsoft Entra tenant (directory) ID.

property userAssertionToken

userAssertionToken: string;

• The user assertion for the On-Behalf-Of flow.

property enabled

enabled: boolean;

• If set to true, persistent token caching will be enabled for this credential instance.

property name

name?: string;

• Unique identifier for the persistent token cache.

  Based on this identifier, the persistence file will be located in any of the following places: - Darwin: '/Users/user/.IdentityService/' - Windows 8+: 'C:\Users\user\AppData\Local\.IdentityService\' - Linux: '/home/user/.IdentityService/'

property unsafeAllowUnencryptedStorage

unsafeAllowUnencryptedStorage?: boolean;

• If set to true, the cache will be stored without encryption if no OS level user encryption is available. When set to false, the PersistentTokenCache will throw an error if no OS level user encryption is available.

property authorityHost

authorityHost?: string;

• The authority host to use for authentication requests. Possible values are available through AzureAuthorityHosts. The default is "https://login.microsoftonline.com".

property loggingOptions

loggingOptions?: LogPolicyOptions & {
    /**
     * Allows logging account information once the authentication flow succeeds.
     */
    allowLoggingAccountIdentifiers?: boolean;
    /**
     * Allows logging personally identifiable information for customer support.
     */
    enableUnsafeSupportLogging?: boolean;
};

• Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.

property tenantId

tenantId?: string;

• Optionally pass in a Tenant ID to be used as part of the credential

property clientId

clientId?: string;

• The client ID of a Microsoft Entra app registration.

property tenantId

tenantId?: string;

• ID of the application's Microsoft Entra tenant. Also called its directory ID.

property tokenFilePath

tokenFilePath?: string;

• The path to a file containing a Kubernetes service account token that authenticates the identity.

member AzureChina

AzureChina = 'https://login.chinacloudapi.cn'

• China-based Azure Authority Host

member AzureGermany

AzureGermany = 'https://login.microsoftonline.de'

• Germany-based Azure Authority Host

member AzureGovernment

AzureGovernment = 'https://login.microsoftonline.us'

• US Government Azure Authority Host

member AzurePublicCloud

AzurePublicCloud = 'https://login.microsoftonline.com'

• Public Cloud Azure Authority Host