Azure Identity Troubleshooting Guide

This guide helps you diagnose and resolve common issues encountered when using Azure Identity libraries.

Common Authentication Errors

  • Error: "AADSTS70002: The specified username and password are not valid."

    Cause: Invalid credentials (username, password, or tenant ID). This often occurs when using username/password authentication directly, which is discouraged for production workloads. Consider using managed identities or service principals instead.

    Solution: Verify your credentials, ensure your account is not locked, and check that the tenant ID is correct. If using InteractiveBrowserCredential, ensure the user is able to log in successfully.

  • Error: "AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application."

    Cause: The redirect URI configured in your Azure AD application registration does not match the one your application is attempting to use.

    Solution: Ensure the redirect URI in your application code (e.g., for PublicClientApplication or InteractiveBrowserCredential) is precisely registered in the Azure AD app registration's "Authentication" tab.

  • Error: "AADSTS700082: The token request was rejected. ADFS server is not available."

    Cause: Your Azure AD tenant is federated with an on-premises Active Directory Federation Services (ADFS) infrastructure, and the ADFS server is inaccessible or misconfigured.

    Solution: Verify the network connectivity to your ADFS servers from where your application is running. Check ADFS server logs for more specific errors. Ensure the token issuer URI in your Azure AD tenant is correctly configured.

Issues with Token Acquisition

No Credentials Found

If your application fails to acquire a token, and you're seeing messages indicating no credentials were found, it means the Azure Identity library couldn't automatically discover suitable credentials in the current environment.

  • Managed Identity Not Enabled or Accessible

    Scenario: Running on Azure VM, App Service, Functions, etc., and expecting Managed Identity to work.

    Check:

    • Is the Managed Identity (system-assigned or user-assigned) enabled for the resource?
    • Does the identity have the necessary permissions (e.g., "Reader" role) on the Azure resource it needs to access (like a Key Vault)?
    • If using user-assigned managed identity, is it correctly associated with the resource?

    # Example: Assigning a role to a managed identity (<principal-id> is the identity's object ID)
    az role assignment create --assignee <principal-id> --role "Reader" --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.Storage/storageAccounts/...

  • Environment Variables Not Set

    Scenario: Relying on environment variables for service principal credentials.

    Check: Ensure the following environment variables are correctly set:

    • AZURE_CLIENT_ID
    • AZURE_CLIENT_SECRET
    • AZURE_TENANT_ID
    • AZURE_AUTHORITY_HOST (if not using public cloud)

    For Azure SDKs, setting these environment variables allows the DefaultAzureCredential to pick them up automatically.

  • Local Development with Azure CLI or Workload Identity

    Scenario: Developing locally and expecting DefaultAzureCredential to use your logged-in Azure CLI identity or Kubernetes Workload Identity.

    Check:

    • Run az login and ensure you are logged into the correct subscription.
    • If using Workload Identity in Kubernetes, ensure your pod's service account is correctly configured and annotated.

Permissions Issues

Even if authentication succeeds, you might encounter authorization errors if the identity doesn't have the required permissions on the target resource.

  • "Server failed to respond" or HTTP 403 Forbidden

    Cause: The identity trying to access the resource (e.g., Key Vault, Storage Account, Azure SQL) lacks the necessary RBAC roles or access policies.

    Solution:

    1. Identify the identity used by your application (Managed Identity, Service Principal).
    2. Navigate to the target Azure resource in the Azure portal.
    3. Check the "Access control (IAM)" section for RBAC roles assigned to the identity.
    4. If the resource is Key Vault, check the "Access policies" to ensure the identity has the required secrets/keys/certificates permissions.
    5. Assign the minimum necessary roles (e.g., "Key Vault Secrets Officer", "Storage Blob Data Reader").

    # Example: Granting Key Vault Secrets Officer role (<principal-id> is the identity's object ID)
    az role assignment create --role "Key Vault Secrets Officer" --assignee <principal-id> --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/...
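    To check step 3 without clicking through the portal, the following added example (not part of the Azure Identity library or this guide) reads role assignments in the shape of `az role assignment list -o json` output and resolves which roles a principal effectively holds at a target scope, including roles inherited from the resource group or subscription. The sample assignments, IDs and scopes are constructed; the check covers the RBAC permission model only, not Key Vault access policies (step 4).

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json` output,
# reduced to the three fields this check uses. Scopes and IDs are made up.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Key Vault Secrets Officer",
   "scope": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/sub-1"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/sub-1/resourceGroups/rg-other"},
  {"principalId": "22222222-2222-2222-2222-222222222222",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/sub-1/resourceGroups/rg-app"}
]""")

KV_SCOPE = "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"

def scope_chain(scope):
    """The scope plus every parent it inherits from: resource -> resource group
    -> subscription -> root. Azure compares scopes case-insensitively."""
    parts = [p for p in scope.split("/") if p]
    chain = ["/" + "/".join(parts)] if parts else []
    for n in (4, 2):  # .../resourceGroups/<rg> has 4 segments, /subscriptions/<id> has 2
        if len(parts) > n:
            chain.append("/" + "/".join(parts[:n]))
    chain.append("/")
    return [s.lower() for s in chain]

def effective_roles(assignments, principal_id, target_scope):
    """Role names the principal holds at target_scope, directly or by inheritance."""
    chain = set(scope_chain(target_scope))
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["principalId"] == principal_id and a["scope"].lower() in chain})

def missing_roles(assignments, principal_id, target_scope, required):
    """Required roles the principal does not hold at target_scope. A management-plane
    role such as Owner grants no data-plane access to Key Vault secrets, so it is
    deliberately not accepted as a substitute for the data-plane role."""
    return sorted(set(required) - set(effective_roles(assignments, principal_id, target_scope)))
```

    Feed it the real output of `az role assignment list --all -o json` and the principal's object ID from step 1 to see whether the 403 is a missing role or a role granted at the wrong scope.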

Certificate-Based Authentication Problems

When using certificate-based authentication for a service principal:

  • Certificate Not Found or Expired

    Cause: The specified certificate cannot be found in the local certificate store, or it has expired.

    Solution: Ensure the certificate is installed in the correct store (e.g., `CurrentUser/My` or `LocalMachine/My`) and that its thumbprint is correct. Verify the certificate's validity period.

  • Thumbprint Mismatch

    Cause: The thumbprint provided in the code does not match the installed certificate.

    Solution: Double-check the certificate thumbprint against the installed certificate. You can list the thumbprints of all certificates in the current user's personal store with PowerShell: (Get-ChildItem Cert:\CurrentUser\My\).Thumbprint

Using DefaultAzureCredential

DefaultAzureCredential attempts to authenticate in a variety of ways based on the environment. If it fails, consider the order of credential types it tries:

  1. Environment variables
  2. Workload Identity (if applicable)
  3. Managed Identity (if running on Azure)
  4. Azure CLI
  5. Azure PowerShell
  6. Interactive Browser (falls back to this if other methods fail and interactive auth is allowed)

Tip: To understand which credential is being used, you can enable diagnostics logging in the Azure Identity library.
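The following added example (not part of the Azure Identity library) walks the credential order listed above and the environment-variable checks from the "Environment Variables Not Set" section, reporting which step the current environment makes viable and why the earlier ones would be skipped. The indicator variables for steps 2 and 3 (AZURE_FEDERATED_TOKEN_FILE for workload identity, IDENTITY_ENDPOINT/MSI_ENDPOINT for a managed identity endpoint) are assumptions not stated in this guide, and IMDS on an Azure VM sets no variable at all, so a "skipped" managed identity step is a hint, not a verdict.

```python
import os
import re

# Hypothetical diagnostic, not part of the Azure Identity library.
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def check_service_principal_env(env):
    """Problems that would make EnvironmentCredential fail or be skipped."""
    problems = []
    for name in ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID"):
        if not env.get(name):
            problems.append(f"{name} is not set")
    for name in ("AZURE_CLIENT_ID", "AZURE_TENANT_ID"):
        if env.get(name) and not GUID.match(env[name]):
            problems.append(f"{name} is not a GUID")
    host = env.get("AZURE_AUTHORITY_HOST")
    if host and not host.startswith("https://"):
        problems.append("AZURE_AUTHORITY_HOST must be an https:// URL")
    return problems

def predict_chain(env):
    """Walk the DefaultAzureCredential order from this guide. Per step: True (viable
    from the environment), False (skipped, with the reason) or None (not judgeable
    from variables alone). Indicator variables used here are assumptions:
    AZURE_FEDERATED_TOKEN_FILE (workload identity), IDENTITY_ENDPOINT/MSI_ENDPOINT
    (managed identity endpoint). IMDS on an Azure VM sets no variable."""
    sp = check_service_principal_env(env)
    wi = all(env.get(k) for k in ("AZURE_FEDERATED_TOKEN_FILE", "AZURE_CLIENT_ID", "AZURE_TENANT_ID"))
    mi = bool(env.get("IDENTITY_ENDPOINT") or env.get("MSI_ENDPOINT"))
    steps = [
        ("EnvironmentCredential", not sp, "; ".join(sp) or "service principal variables present"),
        ("WorkloadIdentityCredential", wi, "needs AZURE_FEDERATED_TOKEN_FILE, AZURE_CLIENT_ID, AZURE_TENANT_ID"),
        ("ManagedIdentityCredential", mi, "identity endpoint variable present" if mi
         else "no IDENTITY_ENDPOINT/MSI_ENDPOINT (IMDS on a VM may still answer)"),
    ]
    for name in ("AzureCliCredential", "AzurePowerShellCredential", "InteractiveBrowserCredential"):
        steps.append((name, None, "not visible in the environment; check az login and the library log"))
    return steps

def first_viable(env=os.environ):
    """Name of the first chain step the environment makes viable, or None."""
    for name, ok, _ in predict_chain(env):
        if ok:
            return name
    return None

if __name__ == "__main__":
    for name, ok, why in predict_chain(os.environ):
        state = {True: "viable", False: "skipped", None: "unknown"}[ok]
        print(f"{name:28} {state:8} {why}")
```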

Logging and Diagnostics

Enabling detailed logging can provide crucial insights into authentication failures.

Example (C#):

using Azure.Core.Diagnostics;
using Azure.Identity;

// Azure SDK logs are emitted through an EventSource; without a listener
// nothing is written. This one prints to the console for the lifetime of the scope.
using var listener = AzureEventSourceListener.CreateConsoleLogger();

var options = new DefaultAzureCredentialOptions
{
    Diagnostics = { IsLoggingEnabled = true }
};
var credential = new DefaultAzureCredential(options);

Example (Python):

import logging
from azure.identity import DefaultAzureCredential

# The library logs which credential in the chain is tried, and why each one
# fails, under the "azure.identity" logger; DEBUG shows the per-credential detail.
logging.basicConfig(level=logging.INFO)
logging.getLogger("azure.identity").setLevel(logging.DEBUG)

# logging_enable=True additionally logs the HTTP requests and responses
# (sensitive headers are redacted by the SDK's logging policy).
credential = DefaultAzureCredential(logging_enable=True)

Examine the logs for details about the credential chain being tried and any specific error messages returned from Azure AD.