You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/azure/sdk/authentication/authentication-best-practices.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ This article offers guidelines to help you maximize the performance and reliabil
15
15
16
16
## Reuse credential instances
17
17
18
-
To improve app resilience, reuse credential instances when possible to reduce the number of access token requests issued to Microsoft Entra ID. When a credential is reused, an attempt is made to fetch a token from the app token cache managed by the underlying MSAL dependency. For more information, see [Token caching in the Azure Identity client library](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/samples/TokenCache.md).
18
+
Reuse credential instances when possible to improve app resilience and reduce the number of access token requests issued to Microsoft Entra ID. When a credential is reused, an attempt is made to fetch a token from the app token cache managed by the underlying MSAL dependency. For more information, see [Token caching in the Azure Identity client library](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/samples/TokenCache.md).
19
19
20
20
> [!NOTE]
21
21
> A high-volume app that doesn't reuse credentials may encounter HTTP 429 throttling responses from Microsoft Entra ID, which can lead to app outages.
@@ -35,7 +35,7 @@ Other types of .NET apps can reuse credential instances as follows:
35
35
The Azure Identity library for .NET allows you to authenticate via managed identity with `ManagedIdentityCredential`. The way you use `ManagedIdentityCredential` impacts the applied retry strategy:
36
36
37
37
- When used via `DefaultAzureCredential`:
38
-
- No retries are attempted when token acquisition fails.
38
+
- No retries are attempted when token acquisition fails, which makes this the least resilient option.
39
39
- When used via any other approach, such as `ChainedTokenCredential` or `ManagedIdentityCredential` directly:
40
40
- The time interval between retries starts at 0.8 seconds, and a maximum of five retries are attempted.
41
41
- If the Azure service to which you're authenticating provides a `Retry-After` response header, the next retry is delayed by the duration specified in that header's value.
Copy file name to clipboardExpand all lines: docs/azure/sdk/includes/default-azure-credential-usage.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,14 +6,14 @@ For example, consider the following hypothetical sequence of events:
6
6
1. An organization's security team mandates all apps use managed identity to authenticate to Azure resources.
7
7
1. For months, a .NET app hosted on an Azure Virtual Machine (VM) successfully uses `DefaultAzureCredential` to authenticate via managed identity.
8
8
1. Without telling the support team, a developer installs the Azure CLI on that VM and runs the `az login` command to sign-in to Azure.
9
-
1. Due to a separate configuration change in the Azure environment, Authentication via the original managed identity unexpectedly begins to fail.
9
+
1. Due to a separate configuration change in the Azure environment, authentication via the original managed identity unexpectedly begins to fail silently.
10
10
1.`DefaultAzureCredential` skips the failed `ManagedIdentityCredential` and searches for the next available credential, which is the Azure CLI credentials.
11
-
1.Because logging is disabled by default, the team is unaware of this silent authentication failure.
11
+
1.The team is unaware of the hidden authentication failure because logging is disabled by default.
12
12
13
13
`DefaultAzureCredential` also introduces the following challenges in some scenarios:
14
14
15
-
-**Debugging challenges**: When authentication fails, it can be difficult to debug and identify the offending credential. You must enable logging to see the progression from one credential to the next and the success or failure status of each. For more information, see [Debug a chained credential](/dotnet/azure/sdk/authentication/credential-chains?tabs=dac#debug-a-chained-credential).
16
-
-**Performance overhead**: Sequentially attempting multiple credentials can introduce performance overhead. For example, on a local development machine, managed identity is unavailable. Consequently, `ManagedIdentityCredential` always fails locally, unless explicitly disabled via its corresponding `Exclude`-prefixed property.
15
+
-**Debugging challenges**: When authentication fails, it can be difficult to identify and [debug the offending credential](/dotnet/azure/sdk/authentication/credential-chains?tabs=dac#debug-a-chained-credential). Enable logging to see the sequential progression and success or failure status of eachcredential.
16
+
-**Performance overhead**: Sequential credential attempts can introduce performance overhead. For example, managed identity is unavailable on a local development machine. Consequently, `ManagedIdentityCredential` always fails locally, unless explicitly disabled via its corresponding `Exclude`-prefixed property.
17
17
18
18
To prevent these types of subtle issues or silent failures in production apps, strongly consider moving from `DefaultAzureCredential` to one of the following deterministic solutions:
0 commit comments