dotnet · alexwolfmsft · Mar 11, 2025 · Mar 4, 2025 · Mar 5, 2025 · Mar 5, 2025
@@ -0,0 +1,8 @@
+---
+ms.topic: include
+ms.date: 02/12/2025
+---
+
+## Authenticate to Azure services from your app
+
+The [Azure Identity library](/dotnet/api/azure.identity?view=azure-dotnet&preserve-view=true) provides various *credentials*&mdash;implementations of `TokenCredential` adapted to supporting different scenarios and Microsoft Entra authentication flows. The steps ahead demonstrate how to use <xref:Azure.Identity.ClientSecretCredential> when working with service principals locally and in production.
@@ -0,0 +1,40 @@
+---
+ms.topic: include
+ms.date: 02/12/2025
+---
+
+[!INCLUDE [implement-service-principal-concepts](implement-service-principal-concepts.md)]
+
+### Implement the code
+
+Add the [Azure.Identity](/dotnet/api/azure.identity) package. In an ASP.NET Core project, also install the [Microsoft.Extensions.Azure](/dotnet/api/microsoft.extensions.azure) package:
+
+### [Command Line](#tab/command-line)
+
+In a terminal of your choice, navigate to the application project directory and run the following commands:
+
+```dotnetcli
+dotnet add package Azure.Identity
+dotnet add package Microsoft.Extensions.Azure
+```
+
+### [NuGet Package Manager](#tab/nuget-package)
+
+Right-click your project in the Visual Studio **Solution Explorer** window and select **Manage NuGet Packages**. Search for **Azure.Identity**, and install the matching package. Repeat this process for the **Microsoft.Extensions.Azure** package.
+
+:::image type="content" source="../media/nuget-azure-identity.png" alt-text="Install a package using the package manager.":::
+
+---
+
+Azure services are accessed using specialized client classes from the various Azure SDK client libraries. These classes and your own custom services should be registered for dependency injection so they can be used throughout your app. In `Program.cs`, complete the following steps to configure a client class for dependency injection and token-based authentication:
+
+1. Include the `Azure.Identity` and `Microsoft.Extensions.Azure` namespaces via `using` directives.
+1. Register the Azure service client using the corresponding `Add`-prefixed extension method.
+1. Configure `ClientSecretCredential` with the `tenantId`, `clientId`, and `clientSecret`.
+1. Pass the `ClientSecretCredential` instance to the `UseCredential` method.
+
+:::code language="csharp" source="../snippets/authentication/local-dev-service-principal/Program.cs" id="snippet_ClientSecretCredential_UseCredential":::
+
+An alternative to the `UseCredential` method is to provide the credential to the service client directly:
+
+:::code language="csharp" source="../snippets/authentication/local-dev-service-principal/Program.cs" id="snippet_ClientSecretCredential":::
@@ -4,14 +4,16 @@
   </PropertyGroup>
   <ItemGroup>
     <!-- Azure SDK packages -->
+    <PackageVersion Include="Azure.AI.OpenAI" Version="2.1.0" />
+    <PackageVersion Include="Microsoft.Extensions.AI" Version="9.3.0-preview.1.25114.11" />
+    <PackageVersion Include="Microsoft.Extensions.AI.OpenAI" Version="9.3.0-preview.1.25114.11" />
     <PackageVersion Include="Microsoft.Extensions.Azure" Version="1.10.0" />
     <PackageVersion Include="Azure.Identity" Version="1.13.2" />
     <PackageVersion Include="Azure.Identity.Broker" Version="1.2.0" />
-	  <PackageVersion Include="Azure.Security.KeyVault.Secrets" Version="4.7.0" />
+    <PackageVersion Include="Azure.Security.KeyVault.Secrets" Version="4.7.0" />
     <PackageVersion Include="Azure.Storage.Blobs" Version="12.23.0" />
-
     <!-- ASP.NET Core packages -->
     <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="8.0.8" />
     <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.7.3" />
   </ItemGroup>
-</Project>
+</Project>
@@ -0,0 +1,77 @@
+using Azure.Identity;
+using Microsoft.Extensions.Azure;
+using Azure.Storage.Blobs;
+using Azure.Core;
+
+var builder = WebApplication.CreateBuilder(args);
+
+registerUsingServicePrincipal(builder);
+
+var app = builder.Build();
+
+if (app.Environment.IsDevelopment())
+{
+    app.UseSwagger();
+    app.UseSwaggerUI();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+    "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", async (BlobServiceClient client) =>
+{
+    var containerClient = client.GetBlobContainerClient("docs");
+
+    var blobs = containerClient.GetBlobs();
+
+    var forecast = Enumerable.Range(1, 5).Select(index =>
+        new WeatherForecast
+        (
+            DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+            Random.Shared.Next(-20, 55),
+            summaries[Random.Shared.Next(summaries.Length)]
+        ))
+        .ToArray();
+    return blobs.FirstOrDefault().Name;
+})
+.WithName("GetWeatherForecast")
+.WithOpenApi();
+
+app.Run();
+
+void registerUsingServicePrincipal(WebApplicationBuilder builder)
+{
+    #region snippet_ClientSecretCredential_UseCredential
+    builder.Services.AddAzureClients(clientBuilder =>
+    {
+        var tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
+        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
+        var clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
+
+        clientBuilder.AddBlobServiceClient(
+            new Uri("https://<account-name>.blob.core.windows.net"));
+
+        clientBuilder.UseCredential(new ClientSecretCredential(tenantId, clientId, clientSecret));
+    });
+    #endregion snippet_ClientSecretCredential_UseCredential
+
+    #region snippet_ClientSecretCredential
+    var tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
+    var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
+    var clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
+
+    builder.Services.AddSingleton<BlobServiceClient>(_ =>
+        new BlobServiceClient(
+            new Uri("https://<account-name>.blob.core.windows.net"),
+            new ClientSecretCredential(tenantId, clientId, clientSecret)));
+    #endregion snippet_ClientSecretCredential
+}
+
+internal record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+    public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
@@ -0,0 +1,15 @@
+{
+  "profiles": {
+    "UserAssignedIdentityClientId": {
+        "commandName": "Project",
+        "launchBrowser": true,
+        "environmentVariables": {
+            "ASPNETCORE_ENVIRONMENT": "Development"
+        },
+        "applicationUrl": "https://localhost:52833;http://localhost:52834",
+        "environmentVariables": {
+            "ASPNETCORE_ENVIRONMENT": "Development"
+        }
+    }
+  }
+}
@@ -0,0 +1,17 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Azure.Storage.Blobs" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" />
+    <PackageReference Include="Microsoft.Extensions.Azure" />
+    <PackageReference Include="Swashbuckle.AspNetCore" />
+  </ItemGroup>
+
+</Project>
@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}
@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}