azure-sdk-for-net
Is ClientID Required when Configuring the DefaultAzureCredential to authenticate a user-assigned identity
The example of "configuring the DefaultAzureCredential to authenticate a user-assigned identity" illustrates specifying the clientId of the User-assigned Managed Identity. Everywhere in the document it shows obtaining an AzureDefaultCredential() by providing the User-assigned Managed Identity ClientID.
However, providing the ClientID, and if not provided, DefaultAzureCredential() will use the assigned Managed Identity. In fact, this is the most common use case, as oftentimes there is only one User-assigned Managed Identity and it makes sense that the application code should not take on the burden of configuring this ID.
I have confirmed this by trial, in AKS, by deploying an API that constructs a ServiceBusClient using a DefaultAzureCredential without providing a User-assigned Managed Identity ClientId, i.e.:
```csharp
client = new ServiceBusClient(
    "my-service-bus.servicebus.windows.net",
    new DefaultAzureCredential());
```
When the
The documentation should be more clear about how this works. The documentation should ensure developers understand the ClientID need not be provided. As it is written, it seems to assert that the developer must know ahead of time if the Managed Identity is System or User-assigned, and, if user-assigned, then configure in the User-assigned Identity in order to supply it to the constructor of DefaultAzureCredential.
I suspect the User-assigned Identity ClientID need only be provided when there are multiple User-assigned Managed Identities assigned to the host, but I have not proven this scenario. If this is the case, it would be good to explain this in the documentation.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 91f437c5-363b-f98a-f595-5fcb9bf39d2a
- Version Independent ID: c6232a65-a004-428e-1ddf-84f6049ce875
- Content: Azure Identity client library for .NET - Azure for .NET Developers
- Content Source: api/overview/azure/latest/identity-readme.md
- Service: identity
- GitHub Login: @schaabs
- Microsoft Alias: sschaab
//cc: @christothes
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Hi @mikerains Could you clarify how you determined that the DefaultAzureCredential used the user assigned managed identity in your tests? As far as I am aware, this should not work. The log output should confirm it - would you mind providing this output from your test?
https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md#logging
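One way to gather the evidence requested above, as an added example that is not part of the issue thread or the SDK's own code: it turns on Azure.Identity console logging, requests a Service Bus token with and without an explicit client ID, and prints the identity claims from each token so the identity that was actually used can be compared. `EXAMPLE_UAMI_CLIENT_ID` is a hypothetical environment variable; `AZURE_CLIENT_ID` is printed because `DefaultAzureCredentialOptions.ManagedIdentityClientId` defaults to it, so a host that sets it supplies a client ID even when the code does not.

```csharp
// Added example: shows which identity DefaultAzureCredential actually resolved to.
using System;
using System.Diagnostics.Tracing;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;

public static class WhichIdentity
{
    // Scope for the Service Bus data plane.
    private const string Scope = "https://servicebus.azure.net/.default";

    public static async Task Main()
    {
        // Azure SDK events, including which credential in the chain was tried
        // and which one succeeded, are written to the console.
        using AzureEventSourceListener listener =
            AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);

        // If the platform injected this variable, it acts as the default client ID.
        string? ambient = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        Console.WriteLine($"AZURE_CLIENT_ID = {ambient ?? "(not set)"}");

        await Report("no client ID in code", new DefaultAzureCredential());

        // Hypothetical variable holding the user-assigned identity's client ID.
        string? explicitId = Environment.GetEnvironmentVariable("EXAMPLE_UAMI_CLIENT_ID");
        if (!string.IsNullOrEmpty(explicitId))
        {
            var options = new DefaultAzureCredentialOptions { ManagedIdentityClientId = explicitId };
            await Report("explicit ManagedIdentityClientId", new DefaultAzureCredential(options));
        }
    }

    private static async Task Report(string label, TokenCredential credential)
    {
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { Scope }), default);

        // Decode only the JWT payload (base64url); the token itself is never printed.
        string payload = token.Token.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        foreach (string claim in new[] { "appid", "azp", "oid" })
            if (doc.RootElement.TryGetProperty(claim, out JsonElement value))
                Console.WriteLine($"[{label}] {claim} = {value.GetString()}");
    }
}
```

Comparing the printed `appid`/`azp` and `oid` values against the client ID and object ID of each identity assigned to the host shows which one issued the token.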
Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!