DEV Community

Steve Baker
Steve Baker

Posted on • Originally published at stebakernet.netlify.app

Troubleshooting DefaultAzureCredential: Identifying Which Credential Is Used

#azure #activedirectory #dotnet

The Problem

When using Azure Identity NuGet packages, DefaultAzureCredentials will attempt to load a range of credential types such as Environment Variables, Visual Studio, Azure Managed Identity and more. The full list is documented on Azure:
https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet

Determining which credentials are being used can be tricky unless you manually enable logging. When doing this, the Microsoft recommended approach will give you a very verbose output. To simplify the output, insert the below snippet into your applications startup.

How To Determine The Identity In Use 

using var listener = new AzureEventSourceListener((e, message) =>
{
    if (e.EventSource.Name == "Azure-Identity")
    {
        Console.WriteLine(message);
        // Alternatively, use _logger.LogInformation() if running in Azure
        // WARNING: These logs may include sensitive credentials
        // depending on the options selected below
    }
},
System.Diagnostics.Tracing.EventLevel.LogAlways);

DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions
{
    Diagnostics =
    {
        IsAccountIdentifierLoggingEnabled = true,
        // Useful extra options for debugging
        // These act as a Whitelist of fields to log. By
        //LoggedHeaderNames = { "x-ms-request-id" },
        //LoggedQueryParameters = { "api-version" },
        // This enables logging the request or response body
        //IsLoggingContentEnabled = true
    }
};
Enter fullscreen mode Exit fullscreen mode

AzureEventSourceListener will create a verbose logger. Adding that filter will remove a lot of noise.

Sample Output

You should get an output similar to this:

EnvironmentCredential.GetToken invoked
EnvironmentCredential.GetToken was unable to retrieve an access token
...
VisualStudioCredential.GetToken succeeded
Enter fullscreen mode Exit fullscreen mode

This output makes it straightforward to identify exactly which credential type was successful (or unsuccessful).

The Links

Azure Identity Logging:
https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md#logging

Related Issue:
https://github.com/Azure/azure-sdk-for-net/issues/27872

Top comments (0)