Azure Identity README simplification (Azure#48370)

scottaddie · web-flow · commit 17a3ef731deb · 2025-02-21T12:45:22.000-06:00
* Azure Identity README simplification

* Delete old DAC flow diagram
diff --git a/sdk/identity/Azure.Identity/README.md b/sdk/identity/Azure.Identity/README.md
@@ -83,15 +83,6 @@ This behavior allows for trying all of the developer tool credentials on your ma
 
 ## Examples
 
-### Authenticate with `DefaultAzureCredential`
-
-This example demonstrates authenticating `SecretClient` from the [Azure.Security.KeyVault.Secrets][secrets_client_library] client library with `DefaultAzureCredential`:
-
-```C# Snippet:AuthenticatingWithDefaultAzureCredential
-// Create a secret client using the DefaultAzureCredential
-var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), new DefaultAzureCredential());
-```
-
 ### Specify a user-assigned managed identity with `DefaultAzureCredential`
 
 Many Azure hosts allow the assignment of a user-assigned managed identity. The following examples demonstrate configuring `DefaultAzureCredential` to authenticate a user-assigned managed identity when deployed to an Azure host. The sample code uses the credential to authenticate a `BlobClient` from the [Azure.Storage.Blobs][blobs_client_library] client library. It also demonstrates how you can specify a user-assigned managed identity either by a client ID or a resource ID.
@@ -154,52 +145,6 @@ While `DefaultAzureCredential` is generally the quickest way to authenticate app
 
 As of version 1.8.0, `ManagedIdentityCredential` supports [token caching](#token-caching).
 
-### Examples
-
-These examples demonstrate authenticating `SecretClient` from the [Azure.Security.KeyVault.Secrets][secrets_client_library] client library with `ManagedIdentityCredential`.
-
-#### Authenticate with a user-assigned managed identity
-
-To authenticate with a user-assigned managed identity, you must specify one of the following IDs for the managed identity.
-
-**Client ID**
-
-```C# Snippet:AuthenticatingWithManagedIdentityCredentialUserAssigned
-string userAssignedClientId = "some client ID";
-
-var credential = new ManagedIdentityCredential(
-    ManagedIdentityId.FromUserAssignedClientId(userAssignedClientId));
-var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
-```
-
-**Resource ID**
-
-```C# Snippet:AuthenticatingWithManagedIdentityCredentialUserAssignedResourceId
-ResourceIdentifier userAssignedResourceId = new ResourceIdentifier(
-    "/subscriptions/<subscriptionID>/resourcegroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MI name>");
-
-var credential = new ManagedIdentityCredential(
-    ManagedIdentityId.FromUserAssignedResourceId(userAssignedResourceId));
-var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
-```
-
-**Object ID**
-
-```C# Snippet:AuthenticatingWithManagedIdentityCredentialUserAssignedObjectId
-string userAssignedObjectId = "some object ID";
-
-var credential = new ManagedIdentityCredential(
-    ManagedIdentityId.FromUserAssignedObjectId(userAssignedObjectId));
-var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
-```
-
-#### Authenticate with a system-assigned managed identity
-
-```C# Snippet:AuthenticatingWithManagedIdentityCredentialSystemAssigned
-var credential = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
-var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
-```
-
 ## Sovereign cloud configuration
 
 By default, credentials authenticate to the Microsoft Entra endpoint for the Azure Public Cloud. To access resources in other clouds, such as Azure US Government or a private cloud, use one of the following solutions:
@@ -224,47 +169,47 @@ Not all credentials require this configuration. Credentials that authenticate th
 
 ### Credential chains
 
-|Credential | Usage | Reference
-|-|-|-
-|[`DefaultAzureCredential`][ref_DefaultAzureCredential]|Provides a simplified authentication experience to quickly start developing apps run in Azure.|[DefaultAzureCredential overview][dac_overview]
-|[`ChainedTokenCredential`][ref_ChainedTokenCredential]|Allows users to define custom authentication flows comprised of multiple credentials.|[ChainedTokenCredential overview][ctc_overview]
+|Credential | Usage | Reference|
+|-|-|-|
+|[`DefaultAzureCredential`][ref_DefaultAzureCredential]|Provides a simplified authentication experience to quickly start developing apps run in Azure.|[DefaultAzureCredential overview][dac_overview]|
+|[`ChainedTokenCredential`][ref_ChainedTokenCredential]|Allows users to define custom authentication flows comprised of multiple credentials.|[ChainedTokenCredential overview][ctc_overview]|
 
 ### Authenticate Azure-hosted apps
 
-|Credential | Usage
-|-|-
-|[`EnvironmentCredential`][ref_EnvironmentCredential]|Authenticates a service principal or user via credential information specified in environment variables.
-|[`ManagedIdentityCredential`][ref_ManagedIdentityCredential]|Authenticates the managed identity of an Azure resource.
-|[`WorkloadIdentityCredential`][ref_WorkloadIdentityCredential]|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes.
+|Credential | Usage | Reference|
+|-|-|-|
+|[`EnvironmentCredential`][ref_EnvironmentCredential]|Authenticates a service principal or user via credential information specified in [environment variables](#environment-variables).||
+|[`ManagedIdentityCredential`][ref_ManagedIdentityCredential]|Authenticates the managed identity of an Azure resource.|[user-assigned managed identity][uami_doc]<br>[system-assigned managed identity][sami_doc]|
+|[`WorkloadIdentityCredential`][ref_WorkloadIdentityCredential]|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes.||
 
 ### Authenticate service principals
 
-|Credential | Usage | Reference
-|-|-|-
-|[`AzurePipelinesCredential`][ref_AzurePipelinesCredential]|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/devops/pipelines/release/configure-workload-identity?view=azure-devops) on Azure Pipelines.| [example](https://aka.ms/azsdk/net/identity/azurepipelinescredential/usage)
-|[`ClientAssertionCredential`][ref_ClientAssertionCredential]|Authenticates a service principal using a signed client assertion. |
-|[`ClientCertificateCredential`][ref_ClientCertificateCredential]|Authenticates a service principal using a certificate. | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals)
-|[`ClientSecretCredential`][ref_ClientSecretCredential]|Authenticates a service principal using a secret. | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals)
+|Credential | Usage | Reference|
+|-|-|-|
+|[`AzurePipelinesCredential`][ref_AzurePipelinesCredential]|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/devops/pipelines/release/configure-workload-identity?view=azure-devops) on Azure Pipelines.| [example](https://aka.ms/azsdk/net/identity/azurepipelinescredential/usage)|
+|[`ClientAssertionCredential`][ref_ClientAssertionCredential]|Authenticates a service principal using a signed client assertion.||
+|[`ClientCertificateCredential`][ref_ClientCertificateCredential]|Authenticates a service principal using a certificate. | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals)|
+|[`ClientSecretCredential`][ref_ClientSecretCredential]|Authenticates a service principal using a secret. | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals)|
 
 ### Authenticate users
 
-|Credential | Usage | Reference
-|-|-|-
-|[`AuthorizationCodeCredential`][ref_AuthorizationCodeCredential]|Authenticates a user with a previously obtained authorization code. | [OAuth2 authentication code](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow)
-|[`DeviceCodeCredential`][ref_DeviceCodeCredential]|Interactively authenticates a user on devices with limited UI. | [Device code authentication](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-device-code)
-|[`InteractiveBrowserCredential`][ref_InteractiveBrowserCredential]|Interactively authenticates a user with the default system browser. | [OAuth2 authentication code](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow)
-|[`OnBehalfOfCredential`][ref_OnBehalfOfCredential]|Propagates the delegated user identity and permissions through the request chain. | [On-behalf-of authentication](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow)
-|[`UsernamePasswordCredential`][ref_UsernamePasswordCredential]|Authenticates a user with a username and password. | [Username + password authentication](https://learn.microsoft.com/entra/identity-platform/v2-oauth-ropc)
+|Credential | Usage | Reference|
+|-|-|-|
+|[`AuthorizationCodeCredential`][ref_AuthorizationCodeCredential]|Authenticates a user with a previously obtained authorization code. | [OAuth2 authentication code](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow)|
+|[`DeviceCodeCredential`][ref_DeviceCodeCredential]|Interactively authenticates a user on devices with limited UI. | [Device code authentication](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-device-code)|
+|[`InteractiveBrowserCredential`][ref_InteractiveBrowserCredential]|Interactively authenticates a user with the default system browser. | [OAuth2 authentication code](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow)|
+|[`OnBehalfOfCredential`][ref_OnBehalfOfCredential]|Propagates the delegated user identity and permissions through the request chain. | [On-behalf-of authentication](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow)|
+|[`UsernamePasswordCredential`][ref_UsernamePasswordCredential]|Authenticates a user with a username and password. | [Username + password authentication](https://learn.microsoft.com/entra/identity-platform/v2-oauth-ropc)|
 
 ### Authenticate via development tools
 
-|Credential | Usage | Reference
-|-|-|-
-|[`AzureCliCredential`][ref_AzureCliCredential]|Authenticates in a development environment with the Azure CLI. | [Azure CLI authentication](https://learn.microsoft.com/cli/azure/authenticate-azure-cli)
-|[`AzureDeveloperCliCredential`][ref_AzureDeveloperCliCredential]|Authenticates in a development environment with the Azure Developer CLI. | [Azure Developer CLI Reference](https://learn.microsoft.com/azure/developer/azure-developer-cli/reference)
-|[`AzurePowerShellCredential`][ref_AzurePowerShellCredential]|Authenticates in a development environment with the Azure PowerShell. | [Azure PowerShell authentication](https://learn.microsoft.com/powershell/azure/authenticate-azureps)
-|[`VisualStudioCredential`][ref_VisualStudioCredential]|Authenticates in a development environment with Visual Studio. | [Visual Studio configuration](https://learn.microsoft.com/dotnet/azure/configure-visual-studio)
-|[`VisualStudioCodeCredential`][ref_VisualStudioCodeCredential]|Authenticates as the user signed in to the Visual Studio Code Azure Account extension. | [VS Code Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)
+|Credential | Usage | Reference|
+|-|-|-|
+|[`AzureCliCredential`][ref_AzureCliCredential]|Authenticates in a development environment with the Azure CLI. | [Azure CLI authentication](https://learn.microsoft.com/cli/azure/authenticate-azure-cli)|
+|[`AzureDeveloperCliCredential`][ref_AzureDeveloperCliCredential]|Authenticates in a development environment with the Azure Developer CLI. | [Azure Developer CLI Reference](https://learn.microsoft.com/azure/developer/azure-developer-cli/reference)|
+|[`AzurePowerShellCredential`][ref_AzurePowerShellCredential]|Authenticates in a development environment with the Azure PowerShell. | [Azure PowerShell authentication](https://learn.microsoft.com/powershell/azure/authenticate-azureps)|
+|[`VisualStudioCredential`][ref_VisualStudioCredential]|Authenticates in a development environment with Visual Studio. | [Visual Studio configuration](https://learn.microsoft.com/dotnet/azure/configure-visual-studio)|
+|[`VisualStudioCodeCredential`][ref_VisualStudioCodeCredential]|Authenticates as the user signed in to the Visual Studio Code Azure Account extension. | [VS Code Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)|
 
 > __Note:__ All credential implementations in the Azure Identity library are threadsafe, and a single credential instance can be used by multiple service clients.
 
@@ -403,7 +348,6 @@ This project has adopted the [Microsoft Open Source Code of Conduct][code_of_con
 [entraid_err_doc]: https://learn.microsoft.com/entra/identity-platform/reference-error-codes
 [code_of_conduct]: https://opensource.microsoft.com/codeofconduct/
 [code_of_conduct_faq]: https://opensource.microsoft.com/codeofconduct/faq/
-[secrets_client_library]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/keyvault/Azure.Security.KeyVault.Secrets
 [blobs_client_library]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/storage/Azure.Storage.Blobs
 [azure_core_library]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/core/Azure.Core
 [identity_api_docs]: https://learn.microsoft.com/dotnet/api/azure.identity?view=azure-dotnet
@@ -432,3 +376,5 @@ This project has adopted the [Microsoft Open Source Code of Conduct][code_of_con
 [ref_VisualStudioCodeCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.visualstudiocodecredential?view=azure-dotnet
 [ref_WorkloadIdentityCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.workloadidentitycredential?view=azure-dotnet
 [cae]: https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation
+[sami_doc]: https://learn.microsoft.com/dotnet/azure/sdk/authentication/system-assigned-managed-identity
+[uami_doc]: https://learn.microsoft.com/dotnet/azure/sdk/authentication/user-assigned-managed-identity
diff --git a/sdk/identity/Azure.Identity/images/DefaultAzureCredentialAuthenticationFlow.png b/sdk/identity/Azure.Identity/images/DefaultAzureCredentialAuthenticationFlow.png
diff --git a/sdk/identity/Azure.Identity/src/Credentials/ManagedIdentityCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/ManagedIdentityCredential.cs
@@ -14,7 +14,8 @@ namespace Azure.Identity
 {
     /// <summary>
     /// Attempts authentication using a managed identity that has been assigned to the deployment environment. This authentication type works for all Azure-hosted
-    /// environments that support managed identity. More information about configuring managed identities can be found at
+    /// environments that support managed identity. For end-to-end guidance, see <see href="https://learn.microsoft.com/dotnet/azure/sdk/authentication/user-assigned-managed-identity">user-assigned managed identity</see>
+    /// or <see href="https://learn.microsoft.com/dotnet/azure/sdk/authentication/system-assigned-managed-identity">system-assigned managed identity</see>.
     /// <see href="https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview"/>.
     /// </summary>
     public class ManagedIdentityCredential : TokenCredential
diff --git a/sdk/identity/Azure.Identity/tests/samples/ReadmeSnippets.cs b/sdk/identity/Azure.Identity/tests/samples/ReadmeSnippets.cs
@@ -3,25 +3,13 @@
 
 using System;
 using Azure.Core;
-using Azure.Security.KeyVault.Secrets;
 using Azure.Storage.Blobs;
 using NUnit.Framework;
 
 namespace Azure.Identity.Samples
 {
     public class ReadmeSnippets
     {
-        [Test]
-        public void AuthenticatingWithDefaultAzureCredential()
-        {
-            #region Snippet:AuthenticatingWithDefaultAzureCredential
-
-            // Create a secret client using the DefaultAzureCredential
-            var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), new DefaultAzureCredential());
-
-            #endregion
-        }
-
         [Test]
         public void UserAssignedManagedIdentityWithClientId()
         {
@@ -73,56 +61,5 @@ public void AuthenticatingWithAuthorityHost()
                 });
             #endregion
         }
-
-        [Test]
-        public void AuthenticatingWithManagedIdentityCredentialUserAssigned()
-        {
-            #region Snippet:AuthenticatingWithManagedIdentityCredentialUserAssigned
-            string userAssignedClientId = "some client ID";
-
-            var credential = new ManagedIdentityCredential(
-                ManagedIdentityId.FromUserAssignedClientId(userAssignedClientId));
-            var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
-
-            #endregion
-        }
-
-        [Test]
-        public void AuthenticatingWithManagedIdentityCredentialUserAssignedResourceId()
-        {
-            #region Snippet:AuthenticatingWithManagedIdentityCredentialUserAssignedResourceId
-            ResourceIdentifier userAssignedResourceId = new ResourceIdentifier(
-                "/subscriptions/<subscriptionID>/resourcegroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MI name>");
-
-            var credential = new ManagedIdentityCredential(
-                ManagedIdentityId.FromUserAssignedResourceId(userAssignedResourceId));
-            var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
-
-            #endregion
-        }
-
-        [Test]
-        public void AuthenticatingWithManagedIdentityCredentialUserAssignedObjectId()
-        {
-            #region Snippet:AuthenticatingWithManagedIdentityCredentialUserAssignedObjectId
-            string userAssignedObjectId = "some object ID";
-
-            var credential = new ManagedIdentityCredential(
-                ManagedIdentityId.FromUserAssignedObjectId(userAssignedObjectId));
-            var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
-
-            #endregion
-        }
-
-        [Test]
-        public void AuthenticatingWithManagedIdentityCredentialSystemAssigned()
-        {
-            #region Snippet:AuthenticatingWithManagedIdentityCredentialSystemAssigned
-
-            var credential = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
-            var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
-
-            #endregion
-        }
     }
 }
