Speeding up DefaultAzureCredential authentication in local development with Azure CLI

If you’re developing .NET applications that integrate with Microsoft Azure resources, such as Key Vault, you’re probably familiar with the DefaultAzureCredential class from the Azure.Identity library. This class simplifies the process of authenticating against Azure services by providing a unified way to retrieve access tokens. However, when working in a local development environment, you might have noticed that DefaultAzureCredential can take up to 10 seconds to retrieve your Azure CLI credentials, impacting your productivity. In this blog post, we’ll explore two ways to speed up this process: using DefaultAzureCredentialOptions and ChainedTokenCredential.

DefaultAzureCredential overview

The DefaultAzureCredential class automatically selects the most appropriate credential type based on the environment in which it’s running, both in the cloud and in local development environments.

In cloud environments, DefaultAzureCredential usually relies on managed identities (ManagedIdentityCredential), simplifying the process of obtaining access tokens without the need to manage service principal credentials. For local development, DefaultAzureCredential usually relies on Azure CLI (AzureCliCredential), Visual Studio Code, or other methods to retrieve credentials.

Even so, this process can be quite slow, as it sequentially tries multiple credential types before identifying the correct one.

Benchmark results

I conducted a series of benchmarks to measure the time taken by DefaultAzureCredential to retrieve Azure CLI local development credentials from my computer. The results show that using DefaultAzureCredentialOptions to exclude unnecessary underlying token credentials speeds up the process, but the fastest approach is using ChainedTokenCredential to chain AzureCliCredential and DefaultAzureCredential. Here are the benchmark results:

| Method | Mean | Error | StdDev |
|---|---|---|---|
| DefaultAzureCredential with no options | 10,117.9 ms | 199.43 ms | 441.91 ms |
| DefaultAzureCredential with options to exclude unnecessary token credentials | 6,462.8 ms | 151.35 ms | 446.26 ms |
| ChainedTokenCredential chaining AzureCliCredential and then DefaultAzureCredential | 837.6 ms | 15.92 ms | 19.55 ms |

Benchmark summary table comparing the startup times for retrieving Azure CLI credentials using different approaches

Using DefaultAzureCredentialOptions

One way to speed up DefaultAzureCredential is to use DefaultAzureCredentialOptions to exclude unnecessary underlying token credentials. This reduces the number of token credential types that DefaultAzureCredential must check before finding the one that can provide an access token. The benchmark results show that this approach can speed up the process, but it still takes around 6 seconds:

using Azure.Core;
using Azure.Identity;

var tokenCredential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    // Disable the token credentials that we don't use
    ExcludeEnvironmentCredential = true,
    ExcludeInteractiveBrowserCredential = true,
    // Not everyone uses Visual Studio
    ExcludeVisualStudioCredential = true,
    ExcludeAzurePowerShellCredential = true,
    ExcludeSharedTokenCacheCredential = true,
    ExcludeVisualStudioCodeCredential = true,
});

// Request a token once; the result is discarded, only the lookup matters here
_ = await tokenCredential.GetTokenAsync(new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));

Using ChainedTokenCredential

The fastest approach I found is using ChainedTokenCredential to chain AzureCliCredential and DefaultAzureCredential. This approach explicitly uses AzureCliCredential first, which will only succeed in a local development environment, then falls back to DefaultAzureCredential for cloud environments. The benchmark results show that this method takes only about 800 milliseconds:

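using Azure.Core;
using Azure.Identity;

// Credentials are tried in the order given: Azure CLI first, then DefaultAzureCredential
var tokenCredential = new ChainedTokenCredential(
    new AzureCliCredential(),
    new DefaultAzureCredential());

// Request a token once; the result is discarded, only the lookup matters here
_ = await tokenCredential.GetTokenAsync(new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));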
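
To compare the three approaches on your own machine, here is a small timing harness, added as an example and not the benchmark code behind the numbers above. It assumes a .NET 6+ console app using top-level statements, the Azure.Identity package, and a prior `az login`; it takes a single Stopwatch measurement per approach, so expect different figures from the table.

```csharp
using System;
using System.Diagnostics;
using System.Threading;
using Azure.Core;
using Azure.Identity;

// Same scope as the snippets in the post.
var context = new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" });

// Factories, so every measurement starts from a fresh (cold) credential instance.
var candidates = new (string Name, Func<TokenCredential> Create)[]
{
    ("DefaultAzureCredential, no options", () => new DefaultAzureCredential()),
    ("DefaultAzureCredential, with exclusions", () => new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        ExcludeEnvironmentCredential = true,
        ExcludeInteractiveBrowserCredential = true,
        ExcludeVisualStudioCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCodeCredential = true,
    })),
    ("ChainedTokenCredential, Azure CLI first", () => new ChainedTokenCredential(
        new AzureCliCredential(), new DefaultAzureCredential())),
};

foreach (var (name, create) in candidates)
{
    var credential = create();
    var stopwatch = Stopwatch.StartNew();
    try
    {
        AccessToken token = await credential.GetTokenAsync(context, CancellationToken.None);
        stopwatch.Stop();
        // Print only the expiry to confirm success; never write the token itself to logs.
        Console.WriteLine($"{name}: {stopwatch.ElapsedMilliseconds} ms (expires {token.ExpiresOn:u})");
    }
    catch (AuthenticationFailedException ex)
    {
        // Also covers CredentialUnavailableException, e.g. when no Azure CLI session exists.
        stopwatch.Stop();
        Console.WriteLine($"{name}: failed after {stopwatch.ElapsedMilliseconds} ms ({ex.GetType().Name})");
    }
}
```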

Conclusion

If you’re tired of waiting 10 seconds every time you start your application in your IDE due to DefaultAzureCredential’s slow retrieval of Azure CLI credentials, I highly recommend adopting the ChainedTokenCredential approach. By explicitly using AzureCliCredential first and falling back to DefaultAzureCredential, you can significantly speed up the authentication process in your local development environment. Not only does this efficient solution increase your productivity, but it also ensures that the behavior in cloud environments remains unaffected.