Document AZURE_TOKEN_CREDENTIALS env var in credential chains doc (#46495)

scottaddie · web-flow · commit f33513f091bd · 2025-05-30T15:40:10.000-05:00
* Document AZURE_TOKEN_CREDENTIALS env var in credential chains doc

* Update mermaid diagram

* Add more clarity

* React to feedback
diff --git a/docs/azure/sdk/authentication/credential-chains.md b/docs/azure/sdk/authentication/credential-chains.md
@@ -2,7 +2,7 @@
 title: 'Credential chains in the Azure Identity library for .NET'
 description: 'This article describes the DefaultAzureCredential and ChainedTokenCredential classes in the Azure Identity library.'
 ms.topic: conceptual
-ms.date: 02/13/2025
+ms.date: 05/30/2025
 ---
 
 # Credential chains in the Azure Identity library for .NET
@@ -70,7 +70,11 @@ In its simplest form, you can use the parameterless version of `DefaultAzureCred
 
 ### How to customize DefaultAzureCredential
 
-To remove a credential from `DefaultAzureCredential`, use the corresponding `Exclude`-prefixed property in [DefaultAzureCredentialOptions](/dotnet/api/azure.identity.defaultazurecredentialoptions?view=azure-dotnet&preserve-view=true#properties). For example:
+The following sections describe strategies for omitting credentials from the chain.
+
+#### Exclude an individual credential
+
+To exclude an individual credential from `DefaultAzureCredential`, use the corresponding `Exclude`-prefixed property in [DefaultAzureCredentialOptions](/dotnet/api/azure.identity.defaultazurecredentialoptions?view=azure-dotnet&preserve-view=true#properties). For example:
 
 :::code language="csharp" source="../snippets/authentication/credential-chains/Program.cs" id="snippet_DacExcludes" highlight="11-13":::
 
@@ -93,6 +97,19 @@ As more `Exclude`-prefixed properties are set to `true` (credential exclusions a
 
 ---
 
+#### Exclude a credential type category
+
+To exclude all `Developer tool` or `Deployed service` credentials, set environment variable `AZURE_TOKEN_CREDENTIALS` to `prod` or `dev`, respectively. When a value of `prod` is used, the underlying credential chain looks as follows:
+
+:::image type="content" source="../media/mermaidjs/DefaultAzureCredentialEnvVarProd.svg" alt-text="DefaultAzureCredential with AZURE_TOKEN_CREDENTIALS set to 'prod'":::
+
+When a value of `dev` is used, the chain looks as follows:
+
+:::image type="content" source="../media/mermaidjs/DefaultAzureCredentialEnvVarDev.svg" alt-text="DefaultAzureCredential with AZURE_TOKEN_CREDENTIALS set to 'dev'":::
+
+> [!IMPORTANT]
+> The `AZURE_TOKEN_CREDENTIALS` environment variable is supported in `Azure.Identity` package versions 1.14.0 and later.
+
 ## ChainedTokenCredential overview
 
 [ChainedTokenCredential](/dotnet/api/azure.identity.chainedtokencredential?view=azure-dotnet&preserve-view=true) is an empty chain to which you add credentials to suit your app's needs. For example:
diff --git a/docs/azure/sdk/media/mermaidjs/DefaultAzureCredentialEnvVarDev.md b/docs/azure/sdk/media/mermaidjs/DefaultAzureCredentialEnvVarDev.md
@@ -0,0 +1,31 @@
+---
+ms.topic: include
+ms.date: 05/30/2025
+---
+
+```mermaid
+%% STEPS TO GENERATE IMAGE
+%% =======================
+%% 1. Install mermaid CLI v10.9.1 (see https://github.com/mermaid-js/mermaid-cli/blob/master/README.md):
+%%    npm i -g @mermaid-js/mermaid-cli@10.9.1
+%% 2. Run command: mmdc -i DefaultAzureCredentialEnvVarDev.md -o ../../media/mermaidjs/DefaultAzureCredentialEnvVarDev.svg
+
+%%{
+  init: {
+    'theme': 'base',
+    'themeVariables': {
+      'tertiaryBorderColor': '#fff',
+      'tertiaryColor': '#fff'
+    }
+  }
+}%%
+
+flowchart LR;
+    accTitle: DefaultAzureCredential authentication flow without deployed service credentials;
+    accDescr: Flowchart showing the credential chain implemented by DefaultAzureCredential when AZURE_TOKEN_CREDENTIALS is set to "dev";
+
+    D(Visual Studio):::developer --> E(Azure CLI):::developer --> F(Azure PowerShell):::developer --> G(Azure Developer CLI):::developer;
+
+    %% Define styles for credential type boxes
+    classDef developer fill:#F5AF6F, stroke:#EB7C39, stroke-width:2px;
+```
diff --git a/docs/azure/sdk/media/mermaidjs/DefaultAzureCredentialEnvVarDev.svg b/docs/azure/sdk/media/mermaidjs/DefaultAzureCredentialEnvVarDev.svg
@@ -0,0 +1 @@
+<svg aria-labelledby="chart-title-my-svg" aria-describedby="chart-desc-my-svg" aria-roledescription="flowchart-v2" role="graphics-document document" viewBox="-8 -8 653.859375 50" style="max-width: 653.859px; background-color: white;" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="my-svg"><title id="chart-title-my-svg">DefaultAzureCredential authentication flow without deployed service credentials;</title><desc id="chart-desc-my-svg">Flowchart showing the credential chain implemented by DefaultAzureCredential when AZURE_TOKEN_CREDENTIALS is set to "dev";</desc><style>#my-svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#my-svg .error-icon{fill:#fff;}#my-svg .error-text{fill:#000000;stroke:#000000;}#my-svg .edge-thickness-normal{stroke-width:2px;}#my-svg .edge-thickness-thick{stroke-width:3.5px;}#my-svg .edge-pattern-solid{stroke-dasharray:0;}#my-svg .edge-pattern-dashed{stroke-dasharray:3;}#my-svg .edge-pattern-dotted{stroke-dasharray:2;}#my-svg .marker{fill:#0b0b0b;stroke:#0b0b0b;}#my-svg .marker.cross{stroke:#0b0b0b;}#my-svg svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#my-svg .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#my-svg .cluster-label text{fill:#000000;}#my-svg .cluster-label span,#my-svg p{color:#000000;}#my-svg .label text,#my-svg span,#my-svg p{fill:#333;color:#333;}#my-svg .node rect,#my-svg .node circle,#my-svg .node ellipse,#my-svg .node polygon,#my-svg .node path{fill:#fff4dd;stroke:hsl(40.5882352941, 60%, 83.3333333333%);stroke-width:1px;}#my-svg .flowchart-label text{text-anchor:middle;}#my-svg .node .katex path{fill:#000;stroke:#000;stroke-width:1px;}#my-svg .node .label{text-align:center;}#my-svg .node.clickable{cursor:pointer;}#my-svg .arrowheadPath{fill:#0b0b0b;}#my-svg .edgePath .path{stroke:#0b0b0b;stroke-width:2.0px;}#my-svg .flowchart-link{stroke:#0b0b0b;fill:none;}#my-svg .edgeLabel{background-color:hsl(-79.4117647059, 100%, 93.3333333333%);text-align:center;}#my-svg .edgeLabel rect{opacity:0.5;background-color:hsl(-79.4117647059, 100%, 93.3333333333%);fill:hsl(-79.4117647059, 100%, 93.3333333333%);}#my-svg .labelBkg{background-color:rgba(243.9999999999, 220.9999999998, 255, 0.5);}#my-svg .cluster rect{fill:#fff;stroke:#fff;stroke-width:1px;}#my-svg .cluster text{fill:#000000;}#my-svg .cluster span,#my-svg p{color:#000000;}#my-svg div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:#fff;border:1px solid #fff;border-radius:2px;pointer-events:none;z-index:100;}#my-svg .flowchartTitleText{text-anchor:middle;font-size:18px;fill:#333;}#my-svg :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#my-svg .developer&gt;*{fill:#F5AF6F!important;stroke:#EB7C39!important;stroke-width:2px!important;}#my-svg .developer span{fill:#F5AF6F!important;stroke:#EB7C39!important;stroke-width:2px!important;}</style><g><marker orient="auto" markerHeight="12" markerWidth="12" markerUnits="userSpaceOnUse" refY="5" refX="6" viewBox="0 0 10 10" class="marker flowchart" id="my-svg_flowchart-pointEnd"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowMarkerPath" d="M 0 0 L 10 5 L 0 10 z"/></marker><marker orient="auto" markerHeight="12" markerWidth="12" markerUnits="userSpaceOnUse" refY="5" refX="4.5" viewBox="0 0 10 10" class="marker flowchart" id="my-svg_flowchart-pointStart"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowMarkerPath" d="M 0 5 L 10 10 L 10 0 z"/></marker><marker orient="auto" markerHeight="11" markerWidth="11" markerUnits="userSpaceOnUse" refY="5" refX="11" viewBox="0 0 10 10" class="marker flowchart" id="my-svg_flowchart-circleEnd"><circle style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowMarkerPath" r="5" cy="5" cx="5"/></marker><marker orient="auto" markerHeight="11" markerWidth="11" markerUnits="userSpaceOnUse" refY="5" refX="-1" viewBox="0 0 10 10" class="marker flowchart" id="my-svg_flowchart-circleStart"><circle style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowMarkerPath" r="5" cy="5" cx="5"/></marker><marker orient="auto" markerHeight="11" markerWidth="11" markerUnits="userSpaceOnUse" refY="5.2" refX="12" viewBox="0 0 11 11" class="marker cross flowchart" id="my-svg_flowchart-crossEnd"><path style="stroke-width: 2; stroke-dasharray: 1, 0;" class="arrowMarkerPath" d="M 1,1 l 9,9 M 10,1 l -9,9"/></marker><marker orient="auto" markerHeight="11" markerWidth="11" markerUnits="userSpaceOnUse" refY="5.2" refX="-1" viewBox="0 0 11 11" class="marker cross flowchart" id="my-svg_flowchart-crossStart"><path style="stroke-width: 2; stroke-dasharray: 1, 0;" class="arrowMarkerPath" d="M 1,1 l 9,9 M 10,1 l -9,9"/></marker><g class="root"><g class="clusters"/><g class="edgePaths"><path marker-end="url(#my-svg_flowchart-pointEnd)" style="fill:none;" class="edge-thickness-normal edge-pattern-solid flowchart-link LS-D LE-E" id="L-D-E-0" d="M106.688,17L110.854,17C115.021,17,123.354,17,130.804,17C138.254,17,144.821,17,148.104,17L151.388,17"/><path marker-end="url(#my-svg_flowchart-pointEnd)" style="fill:none;" class="edge-thickness-normal edge-pattern-solid flowchart-link LS-E LE-F" id="L-E-F-0" d="M239.359,17L243.526,17C247.693,17,256.026,17,263.476,17C270.926,17,277.493,17,280.776,17L284.059,17"/><path marker-end="url(#my-svg_flowchart-pointEnd)" style="fill:none;" class="edge-thickness-normal edge-pattern-solid flowchart-link LS-F LE-G" id="L-F-G-0" d="M428.109,17L432.276,17C436.443,17,444.776,17,452.226,17C459.676,17,466.243,17,469.526,17L472.809,17"/></g><g class="edgeLabels"><g class="edgeLabel"><g transform="translate(0, 0)" class="label"><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span class="edgeLabel"></span></div></foreignObject></g></g><g class="edgeLabel"><g transform="translate(0, 0)" class="label"><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span class="edgeLabel"></span></div></foreignObject></g></g><g class="edgeLabel"><g transform="translate(0, 0)" class="label"><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span class="edgeLabel"></span></div></foreignObject></g></g></g><g class="nodes"><g transform="translate(53.34375, 17)" data-id="D" data-node="true" id="flowchart-D-0" class="node default developer flowchart-label"><rect height="34" width="106.6875" y="-17" x="-53.34375" ry="5" rx="5" style="" class="basic label-container"/><g transform="translate(-45.84375, -9.5)" style="" class="label"><rect/><foreignObject height="19" width="91.6875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span class="nodeLabel">Visual Studio</span></div></foreignObject></g></g><g transform="translate(198.0234375, 17)" data-id="E" data-node="true" id="flowchart-E-1" class="node default developer flowchart-label"><rect height="34" width="82.671875" y="-17" x="-41.3359375" ry="5" rx="5" style="" class="basic label-container"/><g transform="translate(-33.8359375, -9.5)" style="" class="label"><rect/><foreignObject height="19" width="67.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span class="nodeLabel">Azure CLI</span></div></foreignObject></g></g><g transform="translate(358.734375, 17)" data-id="F" data-node="true" id="flowchart-F-2" class="node default developer flowchart-label"><rect height="34" width="138.75" y="-17" x="-69.375" ry="5" rx="5" style="" class="basic label-container"/><g transform="translate(-61.875, -9.5)" style="" class="label"><rect/><foreignObject height="19" width="123.75"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span class="nodeLabel">Azure PowerShell</span></div></foreignObject></g></g><g transform="translate(557.984375, 17)" data-id="G" data-node="true" id="flowchart-G-3" class="node default developer flowchart-label"><rect height="34" width="159.75" y="-17" x="-79.875" ry="5" rx="5" style="" class="basic label-container"/><g transform="translate(-72.375, -9.5)" style="" class="label"><rect/><foreignObject height="19" width="144.75"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span class="nodeLabel">Azure Developer CLI</span></div></foreignObject></g></g></g></g></g></svg>
diff --git a/docs/azure/sdk/media/mermaidjs/DefaultAzureCredentialEnvVarProd.md b/docs/azure/sdk/media/mermaidjs/DefaultAzureCredentialEnvVarProd.md
@@ -0,0 +1,31 @@
+---
+ms.topic: include
+ms.date: 05/30/2025
+---
+
+```mermaid
+%% STEPS TO GENERATE IMAGE
+%% =======================
+%% 1. Install mermaid CLI v10.9.1 (see https://github.com/mermaid-js/mermaid-cli/blob/master/README.md):
+%%    npm i -g @mermaid-js/mermaid-cli@10.9.1
+%% 2. Run command: mmdc -i DefaultAzureCredentialEnvVarProd.md -o ../../media/mermaidjs/DefaultAzureCredentialEnvVarProd.svg
+
+%%{
+  init: {
+    'theme': 'base',
+    'themeVariables': {
+      'tertiaryBorderColor': '#fff',
+      'tertiaryColor': '#fff'
+    }
+  }
+}%%
+
+flowchart LR;
+    accTitle: DefaultAzureCredential authentication flow without developer tool credentials;
+    accDescr: Flowchart showing the credential chain implemented by DefaultAzureCredential when AZURE_TOKEN_CREDENTIALS is set to "prod";
+
+    A(Environment):::deployed --> B(Workload Identity):::deployed --> C(Managed Identity):::deployed;
+
+    %% Define styles for credential type boxes
+    classDef deployed fill:#95C37E, stroke:#71AD4C, stroke-width:2px;
+```
diff --git a/docs/azure/sdk/media/mermaidjs/DefaultAzureCredentialEnvVarProd.svg b/docs/azure/sdk/media/mermaidjs/DefaultAzureCredentialEnvVarProd.svg
