Azure Identity client library for C++

The Azure Identity library provides Azure Active Directory token authentication support across the Azure SDK. It provides a set of TokenCredential implementations which can be used to construct Azure SDK clients which support AAD token authentication. This library follows the Azure SDK Design Guidelines for C++.

Source code | API reference documentation | Azure Active Directory documentation

Getting started

Include the package

The easiest way to acquire the C++ SDK is leveraging vcpkg package manager. See the corresponding Azure SDK for C++ readme section.

To install Azure Identity package via vcpkg:

> vcpkg install azure-identity-cpp

Then, use in your CMake file:

find_package(azure-identity-cpp CONFIG REQUIRED)
target_link_libraries(<your project name> PRIVATE Azure::azure-identity)

Key concepts


A credential is a class which contains or can obtain the data needed for a service client to authenticate requests. Service clients across Azure SDK accept credentials when they are constructed, and service clients use those credentials to authenticate requests to the service.

The Azure Identity library focuses on OAuth authentication with Azure Active directory, and it offers a variety of credential classes capable of acquiring an AAD token to authenticate service requests. All of the credential classes in this library are implementations of the TokenCredential abstract class in azure-core, and any of them can be used by to construct service clients capable of authenticating with a TokenCredential.

Authenticating Service Principals

credential class


configuration </thead> <tbody>


authenticates a service principal using a secret

Service principal authentication


authenticates a service principal using a certificate

Service principal authentication </tbody>

Environment Variables

EnvironmentCredential can be configured with environment variables. Each type of authentication requires values for specific variables:

Service principal with secret

variable name

value </thead> <tbody>


id of an Azure Active Directory application


id of the application's Azure Active Directory tenant


one of the application's client secrets </tbody>

Service principal with certificate

variable name

value </thead> <tbody>


id of an Azure Active Directory application


id of the application's Azure Active Directory tenant


path to a PEM-encoded certificate file including private key (without password protection) </tbody>

Configuration is attempted in the above order. For example, if values for a client secret and certificate are both present, the client secret will be used.

Managed Identity Support

The Managed identity authentication is supported via the ManagedIdentityCredential for the following Azure Services:

Chained Token Credential

ChainedTokenCredential allows users to customize the credentials considered when authenticating.

An example below demonstrates using ChainedTokenCredential which will attempt to authenticate using EnvironmentCredential, and fall back to authenticate using ManagedIdentityCredential.

// Authenticate using environment credential if it is available; otherwise use the managed identity credential to authenticate.
auto chainedTokenCredential = std::make_shared<Azure::Identity::ChainedTokenCredential>(
Azure::Service::Client azureServiceClient("serviceUrl", chainedTokenCredential);


Credentials raise exceptions either when they fail to authenticate or cannot execute authentication. When credentials fail to authenticate, the AuthenticationException is thrown and it has the what() functions returning the description why authentication failed.


For details on contributing to this repository, see the contributing guide.

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit the Contributor License Agreement.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact with any additional questions or comments.

Additional Helpful Links for Contributors

Many people all over the world have helped make this project better. You'll want to check out:

Reporting security issues and security bugs

Security issues and bugs should be reported privately, via email, to the Microsoft Security Response Center (MSRC) You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Further information, including the MSRC PGP key, can be found in the Security TechCenter.


Azure SDK for C++ is licensed under the MIT license.

std::vector< std::shared_ptr< Core::Credentials::TokenCredential > > Sources
A container type to store the ordered chain of credentials.
Definition: chained_token_credential.hpp:29