The Problem
When using Azure Identity NuGet packages, DefaultAzureCredentials will attempt to load a range of credential types such as Environment Variables, Visual Studio, Azure Managed Identity and more. The full list is documented on Azure:
https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
Determining which credentials are being used can be tricky unless you manually enable logging. When doing this, the Microsoft recommended approach will give you a very verbose output. To simplify the output, insert the below snippet into your applications startup.
How To Determine The Identity In Use
using var listener = new AzureEventSourceListener((e, message) =>
{
if (e.EventSource.Name == "Azure-Identity")
{
Console.WriteLine(message);
// Alternatively, use _logger.LogInformation() if running in Azure
// WARNING: These logs may include sensitive credentials
// depending on the options selected below
}
},
System.Diagnostics.Tracing.EventLevel.LogAlways);
DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions
{
Diagnostics =
{
IsAccountIdentifierLoggingEnabled = true,
// Useful extra options for debugging
// These act as a Whitelist of fields to log. By
//LoggedHeaderNames = { "x-ms-request-id" },
//LoggedQueryParameters = { "api-version" },
// This enables logging the request or response body
//IsLoggingContentEnabled = true
}
};
AzureEventSourceListener will create a verbose logger. Adding that filter will remove a lot of noise.
Sample Output
You should get an output similar to this:
EnvironmentCredential.GetToken invoked
EnvironmentCredential.GetToken was unable to retrieve an access token
...
VisualStudioCredential.GetToken succeeded
This output makes it straightforward to identify exactly which credential type was successful (or unsuccessful).
The Links
Azure Identity Logging: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md#logging
Related Issue: https://github.com/Azure/azure-sdk-for-net/issues/27872
