Authenticate Python apps to Azure services during local development using developer accounts

2025-05-30

When developing cloud applications, developers typically build, test, and debug their code locally before deploying it to Azure. However, even during local development, the application needs to authenticate with any Azure services it interacts with, such as Key Vault, Storage, or databases.

This article shows how to configure your application to use the developer's Azure credentials for authentication during local development. This approach enables a seamless and secure development experience without embedding secrets or writing environment-specific logic.

Overview of local development authentication using developer accounts

When developing an application that uses the Azure Identity library for Python, you can authenticate to Azure services during local development using the developer's Azure account. This approach is often the simplest way to authenticate to Azure services during local development since it doesn't require creating and managing service principals or secrets.

A diagram showing how a Python app during local development uses the developer's credentials to connect to Azure by obtaining those credentials from locally installed development tools.

To enable an application to authenticate to Azure during local development using the developer’s own Azure credentials, the developer must first sign in using one of the supported command-line tools:

Azure CLI (az login)
Azure Developer CLI (azd login)
Azure PowerShell (Connect-AzAccount)

Once signed in, the Azure Identity library for Python can automatically detect the active session and retrieve the necessary tokens from the credentials cache. This capability allows the app to authenticate to Azure services as the signed-in user, without requiring any additional configuration or hardcoded secrets.

This behavior is enabled when using DefaultAzureCredential, which transparently falls back to CLI-based credentials in local environments.

Using a developer's signed-in Azure credentials is the easiest setup for local development. It leverages each team member's existing Azure account, enabling seamless access to Azure services without requiring additional configuration.

However, developer accounts typically have broader permissions than the application should have in production. These broader permissions can lead to inconsistencies in testing or inadvertently allow operations that the app wouldn't be authorized to perform in a production environment. To closely mirror production permissions and improve security posture, you can instead create application-specific service principals for local development. These identities:

Can be assigned only the roles and permissions the application needs
Support principle of least privilege
Offer consistent testing of access-related behavior across environments

Developers can configure the local environment to use the service principal via environment variables, and DefaultAzureCredential picks it up automatically. For more information, see the article Authenticate Python apps to Azure services during local development using service principals.

1 - Create Microsoft Entra security group for local development

In most development scenarios, multiple developers contribute to the same application. To streamline access control and ensure consistent permissions across the team, we recommend that you first create a Microsoft Entra security group specifically for the application’s local development needs.

Assigning Azure roles at the group level—rather than to individual users—offers several key benefits:

Consistent Role Assignments

All developers in the group automatically inherit the same roles and permissions, ensuring a uniform development environment.
Simplified Role Management

When the application requires a new role, you only need to add it once to the group. You don't need to update individual user permissions.
Easy Onboarding

New developers can be granted the necessary permissions simply by adding them to the group. No manual role assignments are required.

If your organization already has a suitable Microsoft Entra security group for the development team, you can reuse it. Otherwise, you can create a new group specifically for the app.

Azure CLI
Azure portal

To create a security group in Microsoft Entra ID, use the az ad group createe Azure CLI command.

This command requires the following parameters:

--display-name: A user-friendly name for the group

--mail-nickname: A unique identifier used for email and internal reference

We recommend that you base the group name on the application name and include a suffix like -local-dev to clearly indicate its purpose.

#!/bin/bash
az ad group create \
    --display-name MyDisplay \
    --mail-nickname MyDisplay  \
    --description "<group-description>"

# PowerShell syntax
az ad group create `
    --display-name MyDisplay `
    --mail-nickname MyDisplay `
    --description "<group-description>"

After running the az ad group create command, copy the value of the id property from the command output. You need the Object ID of the Microsoft Entra security group for assigning roles in later steps in this article. To retrieve the Object ID again later, use the following az ad group show command: az ad group show --group "my-app-local-dev" --query id --output tsv.

To add a user to the group, you first need to obtain the Object ID of the Azure user account you want to add. Use the az ad user list command with the --filter parameter to search for a specific user by display name. The --query parameter helps limit the output to relevant fields:

#!/bin/bash
az ad user list \
--filter "startswith(displayName, 'Bob')" \
--query "[].{objectId:id, displayName:displayName}" \
--output table

# PowerShell syntax
az ad user list `
    --filter "startswith(displayName, 'Bob')" `
    --query "[].{objectId:id, displayName:displayName}" `
    --output table

Once you have the Object ID of the user, you can add them to the group using the az ad group member add command.

#!/bin/bash
az ad group member add \
    --group <group-name> \
    --member-id <object-id>

# PowerShell syntax
az ad group member add `
    --group <group-name> `
    --member-id <object-id>

Instructions	Screenshot
Navigate to the Microsoft Entra ID page in the Azure portal by typing Microsoft Entra ID into the search box at the top of the page and then selecting Microsoft Entra ID from under services.
On the Microsoft Entra ID page, select Groups from the left-hand menu.
On the All groups page, select New group.
On the New Group page: Group type → Security. Group name → A name for the security group, typically created from the application name. It's also helpful to include a string like local-dev in the name of the group to indicate the purpose of the group. Group description → A description of the purpose of the group. Select the No members selected link under Members to add members to the group.
On the Add members dialog box: Use the search box to filter the list of user names in the list. Choose one or more users for local development for this app. As you choose an object, the object moves to the Selected items list at the bottom of the dialog. When finished, choose the Select button.
Back on the New group page, select Create to create the group. The group will be created and you will be taken back to the All groups page. It may take up to 30 seconds for the group to appear and you may need to refresh the page due to caching in the Azure portal.

Note

By default, the creation of Microsoft Entra security groups is limited to certain privileged roles in a directory. If you're unable to create a group, contact an administrator for your directory. If you're unable to add members to an existing group, contact the group owner or a directory administrator. To learn more, see Manage Microsoft Entra groups and group membership.

2 - Assign roles to the Microsoft Entra group

After creating your Microsoft Entra security group and adding members, the next step is to determine what roles (permissions) your application requires, and assign those roles to the group at the appropriate scope.

Determine Required Roles

Identify the roles your app needs to function. Common examples include:
- Key Vault Secrets User – to read secrets from Azure Key Vault
- Storage Queue Data Contributor – to send messages to Azure Queue Storage
Refer to the built-in role definitions for more options.
Choose a Scope for the Role Assignment

Roles can be assigned at different scopes:
- Resource-level (e.g., a single Key Vault or Storage account)
- Resource group-level (recommended for most apps)
- Subscription-level (use with caution—broadest access)

In this example, we assign roles at the resource group scope, which is typical when all application resources are grouped under one resource group.

Azure CLI
Azure portal

A user, group, or application service principal is assigned a role in Azure using the az role assignment create command. You can specify a group with its Object ID.

#!/bin/bash
az role assignment create --assignee <objectId> \
    --scope /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName> \
    --role "<roleName>"

# PowerShell syntax
az role assignment create `
    --assignee <objectId> `
    --scope /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName> `
    --role "<roleName>"

To get the role names that can be assigned, use the az role definition list command.

#!/bin/bash
az role definition list --query "sort_by([].{roleName:roleName, description:description}, &roleName)" --output table

# PowerShell syntax
az role definition list --query "sort_by([].{roleName:roleName, description:description}, &roleName)" --output table

To grant read, write, and delete access to Azure Storage blob containers and data for all storage accounts in a specific resource group, assign the Storage Blob Data Contributor role to your Microsoft Entra security group.

#!/bin/bash
az role assignment create --assignee bbbbbbbb-1111-2222-3333-cccccccccccc \
    --scope /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/msdocs-python-sdk-auth-example \
    --role "Storage Blob Data Contributor"

# PowerShell syntax
az role assignment create --assignee bbbbbbbb-1111-2222-3333-cccccccccccc `
    --scope /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/msdocs-python-sdk-auth-example `
    --role "Storage Blob Data Contributor"

For information on assigning permissions at the resource or subscription level using the Azure CLI, see the article Assign Azure roles using the Azure CLI.

Instructions	Screenshot
Locate the resource group for your application by searching for the resource group name using the search box at the top of the Azure portal. Navigate to your resource group by selecting the resource group name under the Resource Groups heading in the dialog box.
On the page for the resource group, select Access control (IAM) from the left-hand menu.
On the Access control (IAM) page: Select the Role assignments tab. Select + Add from the top menu and then Add role assignment from the resulting drop-down menu.
The Add role assignment page lists all of the roles that can be assigned for the resource group. Use the search box to filter the list to a more manageable size. This example shows how to filter for Storage Blob roles. Select the role that you want to assign. Select Next to go to the next screen.
The next Add role assignment page allows you to specify what user to assign the role to. Select User, group, or service principal under Assign access to. Select + Select members under Members A dialog box opens on the right-hand side of the Azure portal.
In the Select members dialog: The Select text box can be used to filter the list of users and groups in your subscription. If needed, type the first few characters of the local development Microsoft Entra group you created for the app. Select the local development Microsoft Entra group associated with your application. Select Select at the bottom of the dialog to continue.
The Microsoft Entra group shows as selected on the Add role assignment screen. Select Review + assign to go to the final page and then Review + assign again to complete the process.

To authenticate with your Azure account, choose one of the following methods:

Open a terminal on your developer workstation and sign-in to Azure from the Azure CLI.

az login

Open a terminal on your developer workstation and sign-in to Azure from Azure PowerShell.

Connect-AzAccount

Open a terminal on your developer workstation and sign-in to Azure from Azure Developer CLI.

azd auth login

Interactive authentication is disabled in the DefaultAzureCredential by default and can be enabled with a keyword argument:

DefaultAzureCredential(exclude_interactive_browser_credential=False)

4 - Implement DefaultAzureCredential in your application

To authenticate Azure SDK client objects with Azure, your application should use the DefaultAzureCredential class from the azure-identity package. This is the recommended authentication method for both local development and production deployments.

In a local development scenario, DefaultAzureCredential works by sequentially checking for available authentication sources. Specifically, it looks for active sessions in the following tools:

Azure CLI (az login)
Azure PowerShell (Connect-AzAccount)
Azure Developer CLI (azd auth login)

If the developer is signed in to Azure using any of these tools, DefaultAzureCredential automatically detects the session and uses those credentials to authenticate the application with Azure services. This allows developers to securely authenticate without storing secrets or modifying code for different environments.

Start by adding the azure.identity package to your application.

pip install azure-identity

Next, for any Python code that creates an Azure SDK client object in your app, you want to:

Import the DefaultAzureCredential class from the azure.identity module.
Create a DefaultAzureCredential object.
Pass the DefaultAzureCredential object to the Azure SDK client object constructor.

An example of these steps is shown in the following code segment.

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Acquire a credential object
token_credential = DefaultAzureCredential()

blob_service_client = BlobServiceClient(
        account_url="https://<my_account_name>.blob.core.windows.net",
        credential=token_credential)

Share via

Authenticate Python apps to Azure services during local development using developer accounts

Overview of local development authentication using developer accounts

1 - Create Microsoft Entra security group for local development

2 - Assign roles to the Microsoft Entra group

3 - Sign-in to Azure using the Azure CLI, Azure PowerShell, Azure Developer CLI, or in a browser

4 - Implement DefaultAzureCredential in your application

Feedback

Additional resources