DefaultAzureCredential prints get_token failed even when it succeeds

[vxfield]

• Package Name: azure-identity
• Package Version: 1.6.0
• Operating System: MacOS
• Python Version: 3.7.4

Describe the bug
When authenticating using the DefaultAzureCredential in a Jupyter Notebook, it will try several authentication mechanisms as described here, as expected.

But even if one of the authentication methods happen to succeed, you will see the messages for the authentication methods that didn't succeed before the final (successful) authentication method was attempted (which you don't get a success message).

So you may see a message like this, even if the authentication succeeded (in this case via Interactive Browser):

EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
VisualStudioCodeCredential.get_token failed: Failed to get Azure user details from Visual Studio Code.
AzureCliCredential.get_token failed: Please run 'az login' to set up an account

This is confusing because the user may think that the authentication failed.

Ideally we should not show the failed attempts if one of them succeeded.
Or at least it should display which authentication method succeeded at the end...

To Reproduce
Steps to reproduce the behavior:

1. Authenticate with any Azure SDK client that accepts DefaultAzureCredential in a Jupyter Notebook
2. Don't pass environment variables for the EnvironmentCredential so that you see at least one get_token failed message even when one of the authentication methods succeeded.

Expected behavior
Don't show failed messages if one of the authentication methods succeeded.
Or show what was attempted but also show what succeeded.

Related issues

• azure-quantum: azure-quantum authentication get_token failed messages microsoft/azure-quantum-python#67

[chlowell]

This happens because DefaultAzureCredential actually requests a token from instances of those other credential types. The inner credentials are the source of the messages. DefaultAzureCredential itself already does what you want: it logs a failure warning iff none of its inner credentials provides a token, and logs an info message when it succeeds (I assume your logging configuration is filtering that message).

I agree it would be nice to suppress the inner credentials' warnings. It's possible to do that internally but my first ideas as to how are hacky. I'll keep thinking. As a workaround, an application can do it with a logging filter, for example:

import logging
import sys

def filter_credential_warnings(record):
    """Suppress warnings from credentials other than DefaultAzureCredential"""
    if record.levelno == logging.WARNING:
        message = record.getMessage()
        return "DefaultAzureCredential" in message
    return True

logger = logging.getLogger("azure.identity")
handler = logging.StreamHandler(stream=sys.stdout)
handler.addFilter(filter_credential_warnings)
logger.addHandler(handler)