Azure
[Identity] AzurePipelinesCredential parameterless constructor and add to DAC
- Investigate a way to make the constructor of the credential AzurePipelinesCredential parameterless. This needs to be discussed with the service team so that it would work for all scenarios and tasks
- Add this credential to DAC once parameterless constructor is supported.
Thank you for your feedback. Tagging and routing to the team member best able to assist.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Is there an update here?
tenantId, clientId, serviceConnectionId are the current parameters that seem required. systemAccessToken has a well-known environment variable SYSTEM_ACCESSTOKEN.
AZURE_TENANT_ID and AZURE_CLIENT_ID already have precedent in EnvironmentCredential so they could be used for tenantId and clientId.
This leaves serviceConnectionId. I'm imagining this is the only real creative writing excercise this is blocked on? Should we pick an environment variable name and call it a day?
Developers who want their code to look the same in all compute where their code run on are really hurting for this being added to DefaultAzureCredential.
Unless I'm missing something, my thought would be to pick a name and call it a day ...
@mjsabby We're working with the Azure Pipelines team to get this work prioritized. Unfortunately, it didn't make the cut for the current quarter. They're reconsidering the work for next quarter. /cc: @geekzter
@mjsabby what is your task scenario? Can you elaborate on what pipeline task you're using and how you want to use it?
I'll chime in.
I'm using Azure DevOps pipelines with pipeline's workload identity federation to deploy non-azure resources with a script running in AzurePowerShell@5 task.
All Microsoft cloud resources are secured with Entra ID; which means that as long as I grant Service Principal permissions to the target environment (be it SPO or Power Platform, etc) I can deploy resources without going through authentication with secrets/passwords
I described it here: Azure DevOps Pipeline: no secrets, no certificates
@kkazala thanks. Your post uses PowerShell (to connect to SharePoint). How would you intend to use DefaultCredential or AzurePipelinesCredential?
I want to use AzurePipelinesCredential() in my integration test code. I started with https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/dotnet-core-cli-v2?view=azure-pipelines. Doc says to configure service connection on the DotNetCoreCLI task. But then all the samples indicate passing only SYSTEM_ACCESSTOKEN environment variables, there is no documentation about how to get other parameters for the constructor. All examples say that tenant id, client id, connection id should be populated. If I populate them directly in the code, why pass azureSubscription parameter to the task. If I am passing the parameter to the task, these parameters should be available to code as environment variables. In short, the AzurePipelinesCredential is unusable in current state.
I want to use AzurePipelinesCredential() in my integration test code. I started with https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/dotnet-core-cli-v2?view=azure-pipelines. Doc says to configure service connection on the DotNetCoreCLI task. But then all the samples indicate passing only SYSTEM_ACCESSTOKEN environment variables, there is no documentation about how to get other parameters for the constructor. All examples say that tenant id, client id, connection id should be populated. If I populate them directly in the code, why pass
azureSubscriptionparameter to the task. If I am passing the parameter to the task, these parameters should be available to code as environment variables. In short, the AzurePipelinesCredential is unusable in current state.
Have you tried following this sample?
Yes. It has the same problem I mentioned. I need to configure service connection in 2 places - pipeline and code.
Thanks, Mahesh Wattamwar
On Mon, Oct 27, 2025 at 7:28 AM Christopher Scott @.***> wrote:
I want to use AzurePipelinesCredential() in my integration test code. I started with https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/dotnet-core-cli-v2?view=azure-pipelines. Doc says to configure service connection on the DotNetCoreCLI task. But then all the samples indicate passing only SYSTEM_ACCESSTOKEN environment variables, there is no documentation about how to get other parameters for the constructor. All examples say that tenant id, client id, connection id should be populated. If I populate them directly in the code, why pass azureSubscription parameter to the task. If I am passing the parameter to the task, these parameters should be available to code as environment variables. In short, the AzurePipelinesCredential is unusable in current state.
Have you tried following this sample https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/samples/OtherCredentialSamples.md#authenticating-in-azure-pipelines-with-service-connections ?
— Reply to this email directly, view it on GitHub https://github.com/Azure/azure-sdk-for-net/issues/44969#issuecomment-3451577770 or unsubscribe https://github.com/notifications/unsubscribe-auth/ABA7PX7RNL6WPTCWJTDSNE33ZYT2VBFKMF2HI4TJMJ2XIZLTS2BKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFU4YTENZZGI3DHJDOMFWWLKDBMN2G64S7NFSIFJLWMFWHKZNKGEYTOOBUGQ3TQNRQURXGC3LFVFUGC427NRQWEZLMQKSXMYLMOVS2UMJTGQ2DAOJXHAZTBJDOMFWWLKLIMFZV63DBMJSWZLDTOVRGUZLDORPXI6LQMWWES43TOVSUG33NNVSW45FGORXXA2LDOOJIFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFU4ZDSMRYHE2DJAVEOR4XAZNFNFZXG5LFUV3GC3DVMWVDENBQGQZTMOBXGI4KO5DSNFTWOZLSUZRXEZLBORSQ . You are receiving this email because you commented on the thread.
Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub .
Yes. It has the same problem I mentioned. I need to configure service connection in 2 places - pipeline and code.
Thanks, Mahesh Wattamwar …
I'm not sure I understand what you mean by having to configure the service connection in two places. The pipeline task takes the service connection details and it configures some well-known environment variables that can be referenced in the code.
From the link above:
"Note: The environment variables AZURESUBSCRIPTION_CLIENT_ID, AZURESUBSCRIPTION_TENANT_ID, and AZURESUBSCRIPTION_SERVICE_CONNECTION_ID are configured by Azure Pipelines only in the tasks AzureCLI@2 and AzurePowerShell@5. Values from these environment variables should be passed into the constructor of AzurePipelinesCredential by the user."
Yes. It has the same problem I mentioned. I need to configure service connection in 2 places - pipeline and code. Thanks, Mahesh Wattamwar …
I'm not sure I understand what you mean by having to configure the service connection in two places. The pipeline task takes the service connection details and it configures some well-known environment variables that can be referenced in the code.
From the link above:
"Note: The environment variables AZURESUBSCRIPTION_CLIENT_ID, AZURESUBSCRIPTION_TENANT_ID, and AZURESUBSCRIPTION_SERVICE_CONNECTION_ID are configured by Azure Pipelines only in the tasks AzureCLI@2 and AzurePowerShell@5. Values from these environment variables should be passed into the constructor of AzurePipelinesCredential by the user."
Documentation seems outdated: https://github.com/microsoft/azure-pipelines-tasks/blob/b46793c81732f5a98a48f8c57247080091369c0b/Tasks/DotNetCoreCLIV2/dotnetcore.ts#L526-L542
