{"id":4988,"date":"2025-08-26T22:16:27","date_gmt":"2025-08-27T05:16:27","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/semantic-kernel\/?p=4988"},"modified":"2025-08-26T22:20:30","modified_gmt":"2025-08-27T05:20:30","slug":"azure-authentication-changes-in-semantic-kernel-python","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/agent-framework\/azure-authentication-changes-in-semantic-kernel-python\/","title":{"rendered":"Azure Authentication Changes in Semantic Kernel Python"},"content":{"rendered":"

In previous versions of the Semantic Kernel Python, the default fallback authentication mechanism for Azure services like AzureChatCompletion<\/code> was DefaultAzureCredential<\/code> from the Azure Identity library. This provided a convenient way to authenticate without explicitly passing credentials, especially during development. However, with the latest package version 1.36.0<\/code>, this fallback is being removed to encourage more secure and explicit authentication practices. If your code relied on this default behavior, you may encounter errors after updating, and you’ll need to make minor code adjustments to continue using credential-based authentication.<\/p>\n

This post explains the reasoning behind this change, the potential issues you might face, and how to update your code accordingly. For more details on Azure authentication options, check out the Azure Identity library documentation<\/a>.<\/p>\n

Why This Change is Required<\/strong><\/h2>\n

DefaultAzureCredential<\/code> is designed primarily for local development environments, where it simplifies authentication by attempting a chain of common developer credentials (such as Azure CLI, Azure PowerShell, or Visual Studio Code sign-ins) until one succeeds. While this is helpful for quick prototyping, it introduces several risks and limitations in production:<\/p>\n

    \n
  1. Unpredictable Behavior:<\/strong> It tries multiple authentication methods in sequence, which can lead to delays, unexpected failures, or reliance on credentials that aren’t consistently available across environments.<\/li>\n
  2. Interactive Authentication Fallback:<\/strong> By default, it can prompt for interactive browser-based login, which is unsuitable for automated, headless production applications running on servers or in cloud environments.<\/li>\n
  3. Security and Best Practices:<\/strong> Production scenarios benefit from explicit, dedicated credentials like managed identities or service principals, which offer better control, auditing, and security. Using a broad fallback like DefaultAzureCredential<\/code> can mask configuration issues and doesn’t align with principles of least privilege.<\/li>\n<\/ol>\n

    For these reasons, we recommend using specific credential types tailored to your deployment environment in production to ensure reliability and security.<\/p>\n

    Changes in the Latest Version and Potential Errors<\/strong><\/h2>\n

    Starting with the new SDK version, the implicit use of DefaultAzureCredential<\/code> as a fallback has been removed. This means that if your code doesn’t explicitly provide an authentication method (such as an API key, AD token, or credential object), initialization will fail.<\/p>\n

    Users updating to this version who previously relied on the default fallback might see a ServiceInitializationError<\/code> with the message: Please provide either api_key, ad_token, ad_token_provider, credential or a client.<\/code> This error indicates that the SDK now requires you to explicitly pass one of the supported authentication options during service creation.<\/p>\n

    This change promotes better coding practices by making authentication explicit, reducing hidden dependencies, and aligning with Azure’s security guidelines.<\/p>\n

    How to Update Your Code<\/strong><\/h2>\n

    To resolve this, update your code to pass an explicit authentication method. If you want to continue using a credential-based approach (similar to the old fallback), you can instantiate a specific credential type from the Azure Identity library and pass it to the service constructor.<\/p>\n

    For example, change from the old implicit fallback:<\/p>\n

    chat_service = AzureChatCompletion()<\/code><\/pre>\n
    To an explicit credential, such as AzureCliCredential<\/code> (or any other suitable type like ManagedIdentityCredential<\/code> for Azure-hosted apps):<\/p>\n
    from azure.identity import AzureCliCredential\r\n\r\nchat_service = AzureChatCompletion(credential=AzureCliCredential())  # Or use another credential type<\/code><\/pre>\n
    Other options include providing an api_key<\/code>, ad_token<\/code>, ad_token_provider<\/code>, or a pre-configured client. Choose the one that best fits your environment.<\/p>\n
    Remember to import the necessary credential class from azure.identity<\/code> and ensure your environment is set up accordingly (e.g., Azure CLI logged in for AzureCliCredential<\/code>).<\/p>\n
    Summary<\/strong><\/h2>\n
    This update to the Semantic Kernel Python removes the DefaultAzureCredential<\/code> fallback to encourage explicit and secure authentication, addressing potential issues in production while maintaining flexibility. By making a small code change, you can avoid initialization errors and align with best practices.<\/p>\n
    We\u2019re always interested in hearing from you. If you have feedback, questions, or want to discuss further, feel free to reach out to us and the community on the discussion boards<\/a> on GitHub! We would also love your support\u2014if you’ve enjoyed using Semantic Kernel, give us a star on GitHub<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
    In previous versions of the Semantic Kernel Python, the default fallback authentication mechanism for Azure services like AzureChatCompletion was DefaultAzureCredential from the Azure Identity library. This provided a convenient way to authenticate without explicitly passing credentials, especially during development. However, with the latest package version 1.36.0, this fallback is being removed to encourage more secure […]<\/p>\n","protected":false},"author":156732,"featured_media":5001,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[17,34,1],"tags":[],"class_list":["post-4988","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcements","category-python-2","category-semantic-kernel"],"acf":[],"blog_post_summary":"
    In previous versions of the Semantic Kernel Python, the default fallback authentication mechanism for Azure services like AzureChatCompletion was DefaultAzureCredential from the Azure Identity library. This provided a convenient way to authenticate without explicitly passing credentials, especially during development. However, with the latest package version 1.36.0, this fallback is being removed to encourage more secure […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/posts\/4988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/users\/156732"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/comments?post=4988"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/posts\/4988\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/media\/5001"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/media?parent=4988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/categories?post=4988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/agent-framework\/wp-json\/wp\/v2\/tags?post=4988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}