dotnet · alexwolfmsft · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026
@@ -2,7 +2,8 @@
 title: Authenticate .NET apps to Azure using developer accounts
 description: Learn how to authenticate your application to Azure services when using the Azure SDK for .NET during local development using developer accounts.
 ms.topic: how-to
-ms.date: 11/25/2025
+ms.date: 06/12/2026
+ai-usage: ai-assisted
 ms.custom:
   - devx-track-dotnet
   - engagement-fy23
@@ -71,11 +72,14 @@ Next, sign-in to Azure using one of several developer tools that can be used to
 
 ## Authenticate to Azure services from your app
 
-The [Azure Identity library](/dotnet/api/azure.identity?view=azure-dotnet&preserve-view=true) provides implementations of <xref:Azure.Core.TokenCredential> that support various scenarios and Microsoft Entra authentication flows. The steps ahead demonstrate how to use <xref:Azure.Identity.DefaultAzureCredential> or a specific development tool credential when working with user accounts locally.
+The [Azure Identity library](/dotnet/api/azure.identity?view=azure-dotnet&preserve-view=true) provides implementations of <xref:Azure.Core.TokenCredential> that support various scenarios and Microsoft Entra authentication flows. The Azure SDK for .NET offers two patterns for registering Azure service clients with dependency injection:
 
-### Implement the code
+- **Microsoft.Extensions.Azure (stable)** — register clients with `AddAzureClients` and pass a `TokenCredential` to `UseCredential` in code. Use this pattern for production apps today.
+- **Azure.Identity configuration and DI (preview)** — bind clients and their credentials to a section of `appsettings.json`. No `TokenCredential` instance is constructed in code. Tracked by [azure-sdk-for-net#55491](https://github.com/Azure/azure-sdk-for-net/issues/55491).
 
-Complete the following steps:
+Select a tab to see the steps for each pattern.
+
+### [Microsoft.Extensions.Azure (stable)](#tab/mea)
 
 1. Add references to the [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) and the [Microsoft.Extensions.Azure](https://www.nuget.org/packages/Microsoft.Extensions.Azure) packages in your project:
 
@@ -109,3 +113,46 @@ Complete the following steps:
 
     > [!TIP]
     > When your team uses multiple development tools to authenticate with Azure, prefer a local development-optimized instance of `DefaultAzureCredential` over tool-specific credentials.
+
+### [Azure.Identity configuration and DI (preview)](#tab/config-di)
+
+> [!IMPORTANT]
+> The configuration and dependency injection APIs shown in this tab are in public preview and emit diagnostic ID `SCME0002`. Service-specific registration extensions (for example, `AddSecretClient`) are rolling out incrementally across the Azure SDK client libraries. To use these APIs today, install a prerelease of the relevant client library and suppress `SCME0002` in your project file:
+>
+> ```xml
+> <PropertyGroup>
+>   <NoWarn>$(NoWarn);SCME0002</NoWarn>
+> </PropertyGroup>
+> ```
+
+1. Add a reference to the preview release of the client library that ships the next-gen extensions. For example, to register a Key Vault `SecretClient`:
+
+    ```dotnetcli
+    dotnet package add Azure.Security.KeyVault.Secrets --prerelease
+    ```
+
+    The package pulls in a compatible prerelease of `Azure.Identity` transitively.
+
+1. In `appsettings.json`, add a section that describes the client endpoint and credential. The section name is arbitrary — you reference it by name when you register the client:
+
+    ```json
+    "KeyVaultSecrets": {
+      "VaultUri": "https://<vault-name>.vault.azure.net",
+      "Credential": {
+        "CredentialSource": "AzureCliCredential"
+      }
+    }
+    ```
+
+    `CredentialSource` accepts any credential supported by Azure.Identity, including `AzureCliCredential`, `AzureDeveloperCliCredential`, `AzurePowerShellCredential`, `VisualStudioCredential`, `VisualStudioCodeCredential`, `EnvironmentCredential`, `ManagedIdentityCredential`, and `InteractiveBrowserCredential`.
+
+1. In `Program.cs`, add a `using` directive for the client namespace and register the client by binding it to the configuration section:
+
+    :::code language="csharp" source="../snippets/authentication/local-dev-account/Program.cs" id="snippet_NextGenAddSecretClient":::
+
+    The credential is resolved from the `Credential` subsection automatically — no `TokenCredential` instance is constructed in code.
+
+> [!NOTE]
+> Service-specific extensions like `AddSecretClient` ship with each client library as it adopts the pattern. For libraries that haven't shipped a dedicated extension yet, use the generic `builder.AddAzureClient<TClient, TSettings>("section-name")` method from `Azure.Identity` instead.
+
+---
@@ -4,6 +4,10 @@
     <TargetFramework>net10.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
+    <!-- SCME0002 covers the experimental configuration and DI APIs in
+         System.ClientModel / Azure.Identity. Suppress here so the next-gen
+         snippets compile. Remove after the APIs stabilize. -->
+    <NoWarn>$(NoWarn);SCME0002</NoWarn>
   </PropertyGroup>
 
   <ItemGroup>
@@ -12,6 +16,10 @@
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" />
     <PackageReference Include="Microsoft.Extensions.Azure" />
     <PackageReference Include="Swashbuckle.AspNetCore" />
+    <!-- Preview release that ships the AddSecretClient extension for the
+         next-gen configuration and DI pattern. Tracked by
+         https://github.com/Azure/azure-sdk-for-net/issues/55491. -->
+    <PackageReference Include="Azure.Security.KeyVault.Secrets" VersionOverride="4.12.0-beta.1" />
   </ItemGroup>
 
 </Project>
@@ -1,10 +1,12 @@
 using Microsoft.Extensions.Azure;
 using Azure.Storage.Blobs;
 using Azure.Identity;
+using Azure.Security.KeyVault.Secrets;
 
 var builder = WebApplication.CreateBuilder(args);
 
 registerUsingUserPrincipal(builder);
+registerUsingNextGen(builder);
 
 var app = builder.Build();
 
@@ -68,6 +70,18 @@ void registerUsingUserPrincipal(WebApplicationBuilder builder)
     #endregion snippet_DefaultAzureCredentialDev
 }
 
+// Demonstrates the next-gen configuration and dependency injection pattern from
+// System.ClientModel / Azure.Identity. The credential and endpoint are read from
+// the "KeyVaultSecrets" section of appsettings.json.
+void registerUsingNextGen(WebApplicationBuilder builder)
+{
+    #region snippet_NextGenAddSecretClient
+    // Binds the "KeyVaultSecrets" section of appsettings.json and resolves the
+    // credential from the nested "Credential" subsection automatically.
+    builder.AddSecretClient("KeyVaultSecrets");
+    #endregion snippet_NextGenAddSecretClient
+}
+
 internal record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
 {
     public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);

@@ -5,5 +5,11 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "KeyVaultSecrets": {
+    "VaultUri": "https://<vault-name>.vault.azure.net",
+    "Credential": {
+      "CredentialSource": "AzureCliCredential"
+    }
+  }
 }