diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-agents-persistent-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-agents-persistent-dotnet/SKILL.md
index 5d2f2c20..9c9bd87a 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-agents-persistent-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-agents-persistent-dotnet/SKILL.md
@@ -25,10 +25,11 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-PROJECT_ENDPOINT=https://<resource>.services.ai.azure.com/api/projects/<project>
-MODEL_DEPLOYMENT_NAME=gpt-4o-mini
-AZURE_BING_CONNECTION_ID=<bing-connection-resource-id>
-AZURE_AI_SEARCH_CONNECTION_ID=<search-connection-resource-id>
+PROJECT_ENDPOINT=https://<resource>.services.ai.azure.com/api/projects/<project>  # Required: Azure AI project endpoint
+MODEL_DEPLOYMENT_NAME=gpt-4o-mini  # Required: model deployment name
+AZURE_BING_CONNECTION_ID=<bing-connection-resource-id>  # Required: Bing connection resource ID
+AZURE_AI_SEARCH_CONNECTION_ID=<search-connection-resource-id>  # Required: Azure AI Search connection resource ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -38,7 +39,14 @@ using Azure.AI.Agents.Persistent;
 using Azure.Identity;
 
 var projectEndpoint = Environment.GetEnvironmentVariable("PROJECT_ENDPOINT");
-PersistentAgentsClient client = new(projectEndpoint, new DefaultAzureCredential());
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
+PersistentAgentsClient client = new(projectEndpoint, credential);
 ```
 
 ## Client Hierarchy
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-document-intelligence-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-document-intelligence-dotnet/SKILL.md
index 8ae8e616..249ebfab 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-document-intelligence-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-document-intelligence-dotnet/SKILL.md
@@ -25,21 +25,28 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-DOCUMENT_INTELLIGENCE_ENDPOINT=https://<resource-name>.cognitiveservices.azure.com/
-DOCUMENT_INTELLIGENCE_API_KEY=<your-api-key>
-BLOB_CONTAINER_SAS_URL=https://<storage>.blob.core.windows.net/<container>?<sas-token>
+DOCUMENT_INTELLIGENCE_ENDPOINT=https://<resource-name>.cognitiveservices.azure.com/  # Required: Document Intelligence endpoint
+DOCUMENT_INTELLIGENCE_API_KEY=<your-api-key>  # Only required for AzureKeyCredential auth
+BLOB_CONTAINER_SAS_URL=https://<storage>.blob.core.windows.net/<container>?<sas-token>  # Optional: blob container SAS URL for training data
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
 
-### Microsoft Entra ID (Recommended)
+### Microsoft Entra Token Credential
 
 ```csharp
 using Azure.Identity;
 using Azure.AI.DocumentIntelligence;
 
 string endpoint = Environment.GetEnvironmentVariable("DOCUMENT_INTELLIGENCE_ENDPOINT");
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var client = new DocumentIntelligenceClient(new Uri(endpoint), credential);
 ```
 
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-openai-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-openai-dotnet/SKILL.md
index 7cc208f9..4c15f34a 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-openai-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-openai-dotnet/SKILL.md
@@ -27,9 +27,10 @@ dotnet add package OpenAI
 ## Environment Variables
 
 ```bash
-AZURE_OPENAI_ENDPOINT=https://<resource-name>.openai.azure.com
-AZURE_OPENAI_API_KEY=<api-key>                    # For key-based auth
-AZURE_OPENAI_DEPLOYMENT_NAME=gpt-4o-mini          # Your deployment name
+AZURE_OPENAI_ENDPOINT=https://<resource-name>.openai.azure.com  # Required: Azure OpenAI endpoint
+AZURE_OPENAI_API_KEY=<api-key>  # Only required for AzureKeyCredential auth
+AZURE_OPENAI_DEPLOYMENT_NAME=gpt-4o-mini  # Required: model deployment name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Client Hierarchy
@@ -56,15 +57,22 @@ AzureOpenAIClient client = new(
     new AzureKeyCredential(Environment.GetEnvironmentVariable("AZURE_OPENAI_API_KEY")!));
 ```
 
-### Microsoft Entra ID (Recommended for Production)
+### Microsoft Entra Token Credential
 
 ```csharp
 using Azure.Identity;
 using Azure.AI.OpenAI;
 
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 AzureOpenAIClient client = new(
     new Uri(Environment.GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT")!),
-    new DefaultAzureCredential());
+    credential);
 ```
 
 ### Using OpenAI SDK Directly with Azure
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-projects-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-projects-dotnet/SKILL.md
index 962ce0ea..80428335 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-projects-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-projects-dotnet/SKILL.md
@@ -31,10 +31,11 @@ dotnet add package Azure.AI.Agents.Persistent --prerelease
 ## Environment Variables
 
 ```bash
-PROJECT_ENDPOINT=https://<resource>.services.ai.azure.com/api/projects/<project>
-MODEL_DEPLOYMENT_NAME=gpt-4o-mini
-CONNECTION_NAME=<your-connection-name>
-AI_SEARCH_CONNECTION_NAME=<ai-search-connection>
+PROJECT_ENDPOINT=https://<resource>.services.ai.azure.com/api/projects/<project>  # Required: Azure AI project endpoint
+MODEL_DEPLOYMENT_NAME=gpt-4o-mini  # Required: model deployment name
+CONNECTION_NAME=<your-connection-name>  # Optional: project connection name
+AI_SEARCH_CONNECTION_NAME=<ai-search-connection>  # Optional: Azure AI Search connection name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -44,9 +45,16 @@ using Azure.Identity;
 using Azure.AI.Projects;
 
 var endpoint = Environment.GetEnvironmentVariable("PROJECT_ENDPOINT");
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 AIProjectClient projectClient = new AIProjectClient(
     new Uri(endpoint), 
-    new DefaultAzureCredential());
+    credential);
 ```
 
 ## Client Hierarchy
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-voicelive-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-voicelive-dotnet/SKILL.md
index a92d4ea3..82e101da 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-ai-voicelive-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-ai-voicelive-dotnet/SKILL.md
@@ -26,23 +26,29 @@ dotnet add package NAudio                    # For audio capture/playback
 ## Environment Variables
 
 ```bash
-AZURE_VOICELIVE_ENDPOINT=https://<resource>.services.ai.azure.com/
-AZURE_VOICELIVE_MODEL=gpt-4o-realtime-preview
-AZURE_VOICELIVE_VOICE=en-US-AvaNeural
-# Optional: API key if not using Entra ID
-AZURE_VOICELIVE_API_KEY=<your-api-key>
+AZURE_VOICELIVE_ENDPOINT=https://<resource>.services.ai.azure.com/  # Required: Voice Live endpoint
+AZURE_VOICELIVE_MODEL=gpt-4o-realtime-preview  # Required: model deployment name
+AZURE_VOICELIVE_VOICE=en-US-AvaNeural  # Optional: Voice Live voice name
+AZURE_VOICELIVE_API_KEY=<your-api-key>  # Only required for AzureKeyCredential auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
 
-### Microsoft Entra ID (Recommended)
+### Microsoft Entra Token Credential
 
 ```csharp
 using Azure.Identity;
 using Azure.AI.VoiceLive;
 
 Uri endpoint = new Uri("https://your-resource.cognitiveservices.azure.com");
-DefaultAzureCredential credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 VoiceLiveClient client = new VoiceLiveClient(endpoint, credential);
 ```
 
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-eventgrid-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-eventgrid-dotnet/SKILL.md
index c68e8f18..3156848e 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-eventgrid-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-eventgrid-dotnet/SKILL.md
@@ -31,14 +31,12 @@ dotnet add package Microsoft.Azure.Messaging.EventGrid.CloudNativeCloudEvents
 ## Environment Variables
 
 ```bash
-# Topic/Domain endpoint
-EVENT_GRID_TOPIC_ENDPOINT=https://<topic-name>.<region>.eventgrid.azure.net/api/events
-EVENT_GRID_TOPIC_KEY=<access-key>
-
-# Namespace endpoint (for pull delivery)
-EVENT_GRID_NAMESPACE_ENDPOINT=https://<namespace>.<region>.eventgrid.azure.net
-EVENT_GRID_TOPIC_NAME=<topic-name>
-EVENT_GRID_SUBSCRIPTION_NAME=<subscription-name>
+EVENT_GRID_TOPIC_ENDPOINT=https://<topic-name>.<region>.eventgrid.azure.net/api/events  # Required: Event Grid topic or domain endpoint
+EVENT_GRID_TOPIC_KEY=<access-key>  # Only required for AzureKeyCredential auth
+EVENT_GRID_NAMESPACE_ENDPOINT=https://<namespace>.<region>.eventgrid.azure.net  # Optional: Event Grid namespace endpoint
+EVENT_GRID_TOPIC_NAME=<topic-name>  # Required: Event Grid topic name
+EVENT_GRID_SUBSCRIPTION_NAME=<subscription-name>  # Optional: Event Grid subscription name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Client Hierarchy
@@ -74,15 +72,22 @@ EventGridPublisherClient client = new(
     new AzureKeyCredential("<access-key>"));
 ```
 
-### Microsoft Entra ID (Recommended)
+### Microsoft Entra Token Credential
 
 ```csharp
 using Azure.Identity;
 using Azure.Messaging.EventGrid;
 
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 EventGridPublisherClient client = new(
     new Uri("https://mytopic.eastus-1.eventgrid.azure.net/api/events"),
-    new DefaultAzureCredential());
+    credential);
 ```
 
 ### SAS Token Authentication
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-eventhub-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-eventhub-dotnet/SKILL.md
index 6720b813..11c2a856 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-eventhub-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-eventhub-dotnet/SKILL.md
@@ -34,15 +34,12 @@ dotnet add package Azure.Storage.Blobs
 ## Environment Variables
 
 ```bash
-EVENTHUB_FULLY_QUALIFIED_NAMESPACE=<namespace>.servicebus.windows.net
-EVENTHUB_NAME=<event-hub-name>
-
-# For checkpointing (EventProcessorClient)
-BLOB_STORAGE_CONNECTION_STRING=<storage-connection-string>
-BLOB_CONTAINER_NAME=<checkpoint-container>
-
-# Alternative: Connection string auth (not recommended for production)
-EVENTHUB_CONNECTION_STRING=Endpoint=sb://<namespace>.servicebus.windows.net/;SharedAccessKeyName=...
+EVENTHUB_FULLY_QUALIFIED_NAMESPACE=<namespace>.servicebus.windows.net  # Required: Event Hubs fully qualified namespace
+EVENTHUB_NAME=<event-hub-name>  # Required: Event Hub name
+BLOB_STORAGE_CONNECTION_STRING=<storage-connection-string>  # Alternative to Entra ID auth
+BLOB_CONTAINER_NAME=<checkpoint-container>  # Required: checkpoint container name
+EVENTHUB_CONNECTION_STRING=Endpoint=sb://<namespace>.servicebus.windows.net/;SharedAccessKeyName=...  # Alternative to Entra ID auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -52,8 +49,13 @@ using Azure.Identity;
 using Azure.Messaging.EventHubs;
 using Azure.Messaging.EventHubs.Producer;
 
-// Always use DefaultAzureCredential for production
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 
 var fullyQualifiedNamespace = Environment.GetEnvironmentVariable("EVENTHUB_FULLY_QUALIFIED_NAMESPACE");
 var eventHubName = Environment.GetEnvironmentVariable("EVENTHUB_NAME");
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-maps-search-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-maps-search-dotnet/SKILL.md
index bc370e7c..79897e10 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-maps-search-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-maps-search-dotnet/SKILL.md
@@ -48,8 +48,9 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_MAPS_SUBSCRIPTION_KEY=<your-subscription-key>
-AZURE_MAPS_CLIENT_ID=<your-client-id>  # For Entra ID auth
+AZURE_MAPS_SUBSCRIPTION_KEY=<your-subscription-key>  # Only required for AzureKeyCredential auth
+AZURE_MAPS_CLIENT_ID=<your-client-id>  # Required: Azure Maps client ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -66,13 +67,19 @@ var credential = new AzureKeyCredential(subscriptionKey);
 var client = new MapsSearchClient(credential);
 ```
 
-### Microsoft Entra ID (Recommended for Production)
+### Microsoft Entra Token Credential
 
 ```csharp
 using Azure.Identity;
 using Azure.Maps.Search;
 
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var clientId = Environment.GetEnvironmentVariable("AZURE_MAPS_CLIENT_ID");
 
 var client = new MapsSearchClient(credential, clientId);
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-apicenter-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-apicenter-dotnet/SKILL.md
index 291373e4..c67b575c 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-apicenter-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-apicenter-dotnet/SKILL.md
@@ -26,9 +26,10 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-AZURE_RESOURCE_GROUP=<your-resource-group>
-AZURE_APICENTER_SERVICE_NAME=<your-apicenter-service>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id>  # Required: Azure subscription ID
+AZURE_RESOURCE_GROUP=<your-resource-group>  # Required: resource group name
+AZURE_APICENTER_SERVICE_NAME=<your-apicenter-service>  # Required: API Center service name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -38,7 +39,14 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.ApiCenter;
 
-ArmClient client = new ArmClient(new DefaultAzureCredential());
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
+ArmClient client = new ArmClient(credential);
 ```
 
 ## Resource Hierarchy
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-apimanagement-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-apimanagement-dotnet/SKILL.md
index d44fdbab..ed3fe2bf 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-apimanagement-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-apimanagement-dotnet/SKILL.md
@@ -29,11 +29,11 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-# For service principal auth (optional)
-AZURE_TENANT_ID=<tenant-id>
-AZURE_CLIENT_ID=<client-id>
-AZURE_CLIENT_SECRET=<client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<tenant-id> # For service principal auth (optional)
+AZURE_CLIENT_ID=<client-id> # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<client-secret> # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -43,8 +43,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.ApiManagement;
 
-// Always use DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 
 // Get subscription
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-applicationinsights-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-applicationinsights-dotnet/SKILL.md
index b0f89c59..97279bfc 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-applicationinsights-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-applicationinsights-dotnet/SKILL.md
@@ -26,9 +26,10 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-AZURE_RESOURCE_GROUP=<your-resource-group>
-AZURE_APPINSIGHTS_NAME=<your-appinsights-component>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_RESOURCE_GROUP=<your-resource-group> # Required: Azure resource group name
+AZURE_APPINSIGHTS_NAME=<your-appinsights-component> # Required: Application Insights component name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -38,7 +39,14 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.ApplicationInsights;
 
-ArmClient client = new ArmClient(new DefaultAzureCredential());
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
+ArmClient client = new ArmClient(credential);
 ```
 
 ## Resource Hierarchy
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-arizeaiobservabilityeval-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-arizeaiobservabilityeval-dotnet/SKILL.md
index 99728c6d..7a820d75 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-arizeaiobservabilityeval-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-arizeaiobservabilityeval-dotnet/SKILL.md
@@ -31,10 +31,11 @@ dotnet add package Azure.ResourceManager.ArizeAIObservabilityEval --version 1.0.
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-AZURE_TENANT_ID=<your-tenant-id>
-AZURE_CLIENT_ID=<your-client-id>
-AZURE_CLIENT_SECRET=<your-client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<your-tenant-id> # For service principal auth (optional)
+AZURE_CLIENT_ID=<your-client-id> # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<your-client-secret> # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -44,8 +45,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.ArizeAIObservabilityEval;
 
-// Always use DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 ```
 
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-botservice-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-botservice-dotnet/SKILL.md
index c69143bd..8549e745 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-botservice-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-botservice-dotnet/SKILL.md
@@ -25,11 +25,11 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-# For service principal auth (optional)
-AZURE_TENANT_ID=<tenant-id>
-AZURE_CLIENT_ID=<client-id>
-AZURE_CLIENT_SECRET=<client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<tenant-id> # For service principal auth (optional)
+AZURE_CLIENT_ID=<client-id> # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<client-secret> # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -39,8 +39,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.BotService;
 
-// Authenticate using DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 ArmClient armClient = new ArmClient(credential);
 
 // Get subscription and resource group
@@ -290,7 +295,7 @@ await bot.DeleteAsync(WaitUntil.Completed);
 
 ## Best Practices
 
-1. **Always use `DefaultAzureCredential`** — supports multiple auth methods
+1. **Use `DefaultAzureCredential`** — supports multiple auth methods
 2. **Use `WaitUntil.Completed`** for synchronous operations
 3. **Handle `RequestFailedException`** for API errors
 4. **Use async methods** (`*Async`) for all operations
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-fabric-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-fabric-dotnet/SKILL.md
index a0b7eb9d..19e5a391 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-fabric-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-fabric-dotnet/SKILL.md
@@ -30,11 +30,11 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-# For service principal auth (optional)
-AZURE_TENANT_ID=<tenant-id>
-AZURE_CLIENT_ID=<client-id>
-AZURE_CLIENT_SECRET=<client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<tenant-id> # For service principal auth (optional)
+AZURE_CLIENT_ID=<client-id> # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<client-secret> # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -44,8 +44,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.Fabric;
 
-// Always use DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 
 // Get subscription
@@ -281,7 +286,7 @@ await foreach (var skuDetails in capacity.Value.GetSkusForCapacityAsync())
 
 1. **Use `WaitUntil.Completed`** for operations that must finish before proceeding
 2. **Use `WaitUntil.Started`** when you want to poll manually or run operations in parallel
-3. **Always use `DefaultAzureCredential`** — never hardcode credentials
+3. **Use `DefaultAzureCredential`** — never hardcode credentials
 4. **Handle `RequestFailedException`** for ARM API errors
 5. **Use `CreateOrUpdateAsync`** for idempotent operations
 6. **Suspend when not in use** — Fabric capacities bill for compute even when idle
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-mongodbatlas-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-mongodbatlas-dotnet/SKILL.md
index 15168dd1..05bdac1c 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-mongodbatlas-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-mongodbatlas-dotnet/SKILL.md
@@ -40,6 +40,17 @@ This SDK manages **MongoDB Atlas Organizations as Azure ARM resources** for mark
 
 For cluster management, use the MongoDB Atlas API directly after creating the organization.
 
+## Environment Variables
+
+```bash
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_RESOURCE_GROUP=<your-resource-group> # Required: Azure resource group name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<your-tenant-id> # For service principal auth (optional)
+AZURE_CLIENT_ID=<your-client-id> # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<your-client-secret> # For service principal auth (optional)
+```
+
 ## Authentication
 
 ```csharp
@@ -48,8 +59,13 @@ using Azure.ResourceManager;
 using Azure.ResourceManager.MongoDBAtlas;
 using Azure.ResourceManager.MongoDBAtlas.Models;
 
-// Create ARM client with DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 ```
 
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-weightsandbiases-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-weightsandbiases-dotnet/SKILL.md
index aed71abb..07adf059 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-weightsandbiases-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-mgmt-weightsandbiases-dotnet/SKILL.md
@@ -26,9 +26,10 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-AZURE_RESOURCE_GROUP=<your-resource-group>
-AZURE_WANDB_INSTANCE_NAME=<your-wandb-instance>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_RESOURCE_GROUP=<your-resource-group> # Required: Azure resource group name
+AZURE_WANDB_INSTANCE_NAME=<your-wandb-instance> # Required: Weights & Biases instance name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -38,7 +39,14 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.WeightsAndBiases;
 
-ArmClient client = new ArmClient(new DefaultAzureCredential());
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
+ArmClient client = new ArmClient(credential);
 ```
 
 ## Resource Hierarchy
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-cosmosdb-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-cosmosdb-dotnet/SKILL.md
index 01f276b2..3318c273 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-cosmosdb-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-cosmosdb-dotnet/SKILL.md
@@ -29,11 +29,11 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-# For service principal auth (optional)
-AZURE_TENANT_ID=<tenant-id>
-AZURE_CLIENT_ID=<client-id>
-AZURE_CLIENT_SECRET=<client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<tenant-id> # For service principal auth (optional)
+AZURE_CLIENT_ID=<client-id> # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<client-secret> # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -43,8 +43,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.CosmosDB;
 
-// Always use DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 
 // Get subscription
@@ -213,7 +218,7 @@ foreach (var cs in connectionStrings.Value.ConnectionStrings)
 
 1. **Use `WaitUntil.Completed`** for operations that must finish before proceeding
 2. **Use `WaitUntil.Started`** when you want to poll manually or run operations in parallel
-3. **Always use `DefaultAzureCredential`** — never hardcode keys
+3. **Use `DefaultAzureCredential`** — never hardcode keys
 4. **Handle `RequestFailedException`** for ARM API errors
 5. **Use `CreateOrUpdateAsync`** for idempotent operations
 6. **Navigate hierarchy** via `Get*` methods (e.g., `account.GetCosmosDBSqlDatabases()`)
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-durabletask-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-durabletask-dotnet/SKILL.md
index 27820784..79e685dc 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-durabletask-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-durabletask-dotnet/SKILL.md
@@ -30,12 +30,12 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-AZURE_RESOURCE_GROUP=<your-resource-group>
-# For service principal auth (optional)
-AZURE_TENANT_ID=<tenant-id>
-AZURE_CLIENT_ID=<client-id>
-AZURE_CLIENT_SECRET=<client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id> # Required: Azure subscription ID
+AZURE_RESOURCE_GROUP=<your-resource-group> # Required: Azure resource group name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<tenant-id> # For service principal auth (optional)
+AZURE_CLIENT_ID=<client-id> # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<client-secret> # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -45,8 +45,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.DurableTask;
 
-// Always use DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 
 // Get subscription
@@ -282,7 +287,7 @@ armClient.GetDurableTaskHubResource(id);           // Get task hub by ID
 
 1. **Use `WaitUntil.Completed`** for operations that must finish before proceeding
 2. **Use `WaitUntil.Started`** when you want to poll manually or run operations in parallel
-3. **Always use `DefaultAzureCredential`** — never hardcode keys
+3. **Use `DefaultAzureCredential`** — never hardcode keys
 4. **Handle `RequestFailedException`** for ARM API errors
 5. **Use `CreateOrUpdateAsync`** for idempotent operations
 6. **Delete task hubs before schedulers** — schedulers with task hubs cannot be deleted
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-mysql-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-mysql-dotnet/SKILL.md
index 7ab4216a..0be21fef 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-mysql-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-mysql-dotnet/SKILL.md
@@ -28,9 +28,10 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-AZURE_RESOURCE_GROUP=<your-resource-group>
-AZURE_MYSQL_SERVER_NAME=<your-mysql-server>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id>  # Required: Azure subscription ID
+AZURE_RESOURCE_GROUP=<your-resource-group>  # Required: resource group name
+AZURE_MYSQL_SERVER_NAME=<your-mysql-server>  # Required: MySQL Flexible Server name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -41,7 +42,14 @@ using Azure.ResourceManager;
 using Azure.ResourceManager.MySql;
 using Azure.ResourceManager.MySql.FlexibleServers;
 
-ArmClient client = new ArmClient(new DefaultAzureCredential());
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
+ArmClient client = new ArmClient(credential);
 ```
 
 ## Resource Hierarchy
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-playwright-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-playwright-dotnet/SKILL.md
index 140be6b7..f213a2ef 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-playwright-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-playwright-dotnet/SKILL.md
@@ -29,11 +29,11 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-# For service principal auth (optional)
-AZURE_TENANT_ID=<tenant-id>
-AZURE_CLIENT_ID=<client-id>
-AZURE_CLIENT_SECRET=<client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id>  # Required: Azure subscription ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<tenant-id>  # For service principal auth (optional)
+AZURE_CLIENT_ID=<client-id>  # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<client-secret>  # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -43,8 +43,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.Playwright;
 
-// Always use DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 
 // Get subscription
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-postgresql-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-postgresql-dotnet/SKILL.md
index 28bdcc32..05ba9fa8 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-postgresql-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-postgresql-dotnet/SKILL.md
@@ -28,9 +28,10 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-AZURE_RESOURCE_GROUP=<your-resource-group>
-AZURE_POSTGRESQL_SERVER_NAME=<your-postgresql-server>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id>  # Required: Azure subscription ID
+AZURE_RESOURCE_GROUP=<your-resource-group>  # Required: resource group name
+AZURE_POSTGRESQL_SERVER_NAME=<your-postgresql-server>  # Required: PostgreSQL Flexible Server name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -41,7 +42,14 @@ using Azure.ResourceManager;
 using Azure.ResourceManager.PostgreSql;
 using Azure.ResourceManager.PostgreSql.FlexibleServers;
 
-ArmClient client = new ArmClient(new DefaultAzureCredential());
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
+ArmClient client = new ArmClient(credential);
 ```
 
 ## Resource Hierarchy
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-redis-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-redis-dotnet/SKILL.md
index 50e3c920..339db649 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-redis-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-redis-dotnet/SKILL.md
@@ -31,11 +31,11 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-# For service principal auth (optional)
-AZURE_TENANT_ID=<tenant-id>
-AZURE_CLIENT_ID=<client-id>
-AZURE_CLIENT_SECRET=<client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id>  # Required: Azure subscription ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<tenant-id>  # For service principal auth (optional)
+AZURE_CLIENT_ID=<client-id>  # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<client-secret>  # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -45,8 +45,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.Redis;
 
-// Always use DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 
 // Get subscription
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-sql-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-sql-dotnet/SKILL.md
index 3df23883..6eff0904 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-sql-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-resource-manager-sql-dotnet/SKILL.md
@@ -29,11 +29,11 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SUBSCRIPTION_ID=<your-subscription-id>
-# For service principal auth (optional)
-AZURE_TENANT_ID=<tenant-id>
-AZURE_CLIENT_ID=<client-id>
-AZURE_CLIENT_SECRET=<client-secret>
+AZURE_SUBSCRIPTION_ID=<your-subscription-id>  # Required: Azure subscription ID
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_TENANT_ID=<tenant-id>  # For service principal auth (optional)
+AZURE_CLIENT_ID=<client-id>  # For service principal auth (optional)
+AZURE_CLIENT_SECRET=<client-secret>  # For service principal auth (optional)
 ```
 
 ## Authentication
@@ -43,8 +43,13 @@ using Azure.Identity;
 using Azure.ResourceManager;
 using Azure.ResourceManager.Sql;
 
-// Always use DefaultAzureCredential
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var armClient = new ArmClient(credential);
 
 // Get subscription
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-search-documents-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-search-documents-dotnet/SKILL.md
index ca0066d1..074a1981 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-search-documents-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-search-documents-dotnet/SKILL.md
@@ -25,20 +25,26 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-SEARCH_ENDPOINT=https://<search-service>.search.windows.net
-SEARCH_INDEX_NAME=<index-name>
-# For API key auth (not recommended for production)
-SEARCH_API_KEY=<api-key>
+SEARCH_ENDPOINT=https://<search-service>.search.windows.net  # Required: search service endpoint
+SEARCH_INDEX_NAME=<index-name>  # Required: search index name
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+SEARCH_API_KEY=<api-key>  # Only required for AzureKeyCredential auth
 ```
 
 ## Authentication
 
-**DefaultAzureCredential (preferred)**:
+**Microsoft Entra Token Credential**:
 ```csharp
 using Azure.Identity;
 using Azure.Search.Documents;
 
-var credential = new DefaultAzureCredential();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var client = new SearchClient(
     new Uri(Environment.GetEnvironmentVariable("SEARCH_ENDPOINT")),
     Environment.GetEnvironmentVariable("SEARCH_INDEX_NAME"),
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-security-keyvault-keys-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-security-keyvault-keys-dotnet/SKILL.md
index 19420cda..c9ca1f87 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-security-keyvault-keys-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-security-keyvault-keys-dotnet/SKILL.md
@@ -25,9 +25,9 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-KEY_VAULT_NAME=<your-key-vault-name>
-# Or full URI
-AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net
+KEY_VAULT_NAME=<your-key-vault-name>  # Required: Key Vault name
+AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net  # Optional: full Key Vault URL
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Client Hierarchy
@@ -53,7 +53,7 @@ KeyResolver (key resolution)
 
 ## Authentication
 
-### DefaultAzureCredential (Recommended)
+### Microsoft Entra Token Credential
 
 ```csharp
 using Azure.Identity;
@@ -62,7 +62,14 @@ using Azure.Security.KeyVault.Keys;
 var keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
 var kvUri = $"https://{keyVaultName}.vault.azure.net";
 
-var client = new KeyClient(new Uri(kvUri), new DefaultAzureCredential());
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
+var client = new KeyClient(new Uri(kvUri), credential);
 ```
 
 ### Service Principal
diff --git a/.github/plugins/azure-sdk-dotnet/skills/azure-servicebus-dotnet/SKILL.md b/.github/plugins/azure-sdk-dotnet/skills/azure-servicebus-dotnet/SKILL.md
index 28db708e..00c292ca 100644
--- a/.github/plugins/azure-sdk-dotnet/skills/azure-servicebus-dotnet/SKILL.md
+++ b/.github/plugins/azure-sdk-dotnet/skills/azure-servicebus-dotnet/SKILL.md
@@ -25,21 +25,28 @@ dotnet add package Azure.Identity
 ## Environment Variables
 
 ```bash
-AZURE_SERVICEBUS_FULLY_QUALIFIED_NAMESPACE=<namespace>.servicebus.windows.net
-# Or connection string (less secure)
-AZURE_SERVICEBUS_CONNECTION_STRING=Endpoint=sb://...
+AZURE_SERVICEBUS_FULLY_QUALIFIED_NAMESPACE=<namespace>.servicebus.windows.net  # Required: Service Bus fully qualified namespace
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
+AZURE_SERVICEBUS_CONNECTION_STRING=Endpoint=sb://...  # Alternative to Entra ID auth
 ```
 
 ## Authentication
 
-### Microsoft Entra ID (Recommended)
+### Microsoft Entra Token Credential
 
 ```csharp
 using Azure.Identity;
 using Azure.Messaging.ServiceBus;
 
 string fullyQualifiedNamespace = "<namespace>.servicebus.windows.net";
-await using ServiceBusClient client = new(fullyQualifiedNamespace, new DefaultAzureCredential());
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
+await using ServiceBusClient client = new(fullyQualifiedNamespace, credential);
 ```
 
 ### Connection String
diff --git a/.github/plugins/azure-sdk-java/skills/azure-ai-agents-persistent-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-ai-agents-persistent-java/SKILL.md
index 42274344..63450441 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-ai-agents-persistent-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-ai-agents-persistent-java/SKILL.md
@@ -27,8 +27,9 @@ Low-level SDK for creating and managing persistent AI agents with threads, messa
 ## Environment Variables
 
 ```bash
-PROJECT_ENDPOINT=https://<resource>.services.ai.azure.com/api/projects/<project>
-MODEL_DEPLOYMENT_NAME=gpt-4o-mini
+PROJECT_ENDPOINT=https://<resource>.services.ai.azure.com/api/projects/<project> # Required for project configuration
+MODEL_DEPLOYMENT_NAME=gpt-4o-mini # Required for agent model selection
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -36,12 +37,22 @@ MODEL_DEPLOYMENT_NAME=gpt-4o-mini
 ```java
 import com.azure.ai.agents.persistent.PersistentAgentsClient;
 import com.azure.ai.agents.persistent.PersistentAgentsClientBuilder;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
 
 String endpoint = System.getenv("PROJECT_ENDPOINT");
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
+
 PersistentAgentsClient client = new PersistentAgentsClientBuilder()
     .endpoint(endpoint)
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
diff --git a/.github/plugins/azure-sdk-java/skills/azure-ai-anomalydetector-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-ai-anomalydetector-java/SKILL.md
index 7513bc84..1720bde7 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-ai-anomalydetector-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-ai-anomalydetector-java/SKILL.md
@@ -51,10 +51,20 @@ UnivariateClient univariateClient = new AnomalyDetectorClientBuilder()
 ### With DefaultAzureCredential
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 MultivariateClient client = new AnomalyDetectorClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .endpoint(endpoint)
     .buildMultivariateClient();
 ```
@@ -237,8 +247,9 @@ try {
 ## Environment Variables
 
 ```bash
-AZURE_ANOMALY_DETECTOR_ENDPOINT=https://<resource>.cognitiveservices.azure.com/
-AZURE_ANOMALY_DETECTOR_API_KEY=<your-api-key>
+AZURE_ANOMALY_DETECTOR_ENDPOINT=https://<resource>.cognitiveservices.azure.com/ # Required for all auth methods
+AZURE_ANOMALY_DETECTOR_API_KEY=<your-api-key> # Only required for AzureKeyCredential auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Best Practices
diff --git a/.github/plugins/azure-sdk-java/skills/azure-ai-contentsafety-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-ai-contentsafety-java/SKILL.md
index 77731041..d9a4e8f1 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-ai-contentsafety-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-ai-contentsafety-java/SKILL.md
@@ -50,10 +50,20 @@ BlocklistClient blocklistClient = new BlocklistClientBuilder()
 ### With DefaultAzureCredential
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 ContentSafetyClient client = new ContentSafetyClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .endpoint(endpoint)
     .buildClient();
 ```
@@ -263,8 +273,9 @@ try {
 ## Environment Variables
 
 ```bash
-CONTENT_SAFETY_ENDPOINT=https://<resource>.cognitiveservices.azure.com/
-CONTENT_SAFETY_KEY=<your-api-key>
+CONTENT_SAFETY_ENDPOINT=https://<resource>.cognitiveservices.azure.com/ # Required for all auth methods
+CONTENT_SAFETY_KEY=<your-api-key> # Only required for AzureKeyCredential auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Best Practices
diff --git a/.github/plugins/azure-sdk-java/skills/azure-ai-formrecognizer-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-ai-formrecognizer-java/SKILL.md
index 58505369..9ebbe267 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-ai-formrecognizer-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-ai-formrecognizer-java/SKILL.md
@@ -39,7 +39,8 @@ Search `microsoft-docs` MCP for current API patterns:
 ## Environment Variables
 
 ```bash
-DOCUMENT_INTELLIGENCE_ENDPOINT=https://<resource>.cognitiveservices.azure.com/
+DOCUMENT_INTELLIGENCE_ENDPOINT=https://<resource>.cognitiveservices.azure.com/ # Required for all auth methods
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -49,11 +50,21 @@ DOCUMENT_INTELLIGENCE_ENDPOINT=https://<resource>.cognitiveservices.azure.com/
 ```java
 import com.azure.ai.documentintelligence.DocumentIntelligenceClient;
 import com.azure.ai.documentintelligence.DocumentIntelligenceClientBuilder;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 DocumentIntelligenceClient client = new DocumentIntelligenceClientBuilder()
     .endpoint(System.getenv("DOCUMENT_INTELLIGENCE_ENDPOINT"))
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
@@ -73,10 +84,21 @@ DocumentIntelligenceClient client = new DocumentIntelligenceClientBuilder()
 ```java
 import com.azure.ai.documentintelligence.DocumentIntelligenceAdministrationClient;
 import com.azure.ai.documentintelligence.DocumentIntelligenceAdministrationClientBuilder;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 DocumentIntelligenceAdministrationClient adminClient = new DocumentIntelligenceAdministrationClientBuilder()
     .endpoint(System.getenv("DOCUMENT_INTELLIGENCE_ENDPOINT"))
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
@@ -84,10 +106,21 @@ DocumentIntelligenceAdministrationClient adminClient = new DocumentIntelligenceA
 
 ```java
 import com.azure.ai.documentintelligence.DocumentIntelligenceAsyncClient;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 DocumentIntelligenceAsyncClient asyncClient = new DocumentIntelligenceClientBuilder()
     .endpoint(System.getenv("DOCUMENT_INTELLIGENCE_ENDPOINT"))
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildAsyncClient();
 ```
 
diff --git a/.github/plugins/azure-sdk-java/skills/azure-ai-projects-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-ai-projects-java/SKILL.md
index e1071aae..a28cc004 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-ai-projects-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-ai-projects-java/SKILL.md
@@ -27,18 +27,29 @@ High-level SDK for Azure AI Foundry project management with access to connection
 ## Environment Variables
 
 ```bash
-PROJECT_ENDPOINT=https://<resource>.services.ai.azure.com/api/projects/<project>
+PROJECT_ENDPOINT=https://<resource>.services.ai.azure.com/api/projects/<project> # Required for project configuration
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
 
 ```java
 import com.azure.ai.projects.AIProjectClientBuilder;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 AIProjectClientBuilder builder = new AIProjectClientBuilder()
     .endpoint(System.getenv("PROJECT_ENDPOINT"))
-    .credential(new DefaultAzureCredentialBuilder().build());
+    .credential(credential);
 ```
 
 ## Client Hierarchy
diff --git a/.github/plugins/azure-sdk-java/skills/azure-ai-vision-imageanalysis-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-ai-vision-imageanalysis-java/SKILL.md
index e859fbc8..5ec2d2d5 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-ai-vision-imageanalysis-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-ai-vision-imageanalysis-java/SKILL.md
@@ -54,11 +54,21 @@ ImageAnalysisAsyncClient asyncClient = new ImageAnalysisClientBuilder()
 ### With DefaultAzureCredential
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 ImageAnalysisClient client = new ImageAnalysisClientBuilder()
     .endpoint(endpoint)
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
@@ -268,8 +278,9 @@ try {
 ## Environment Variables
 
 ```bash
-VISION_ENDPOINT=https://<resource>.cognitiveservices.azure.com/
-VISION_KEY=<your-api-key>
+VISION_ENDPOINT=https://<resource>.cognitiveservices.azure.com/ # Required for all auth methods
+VISION_KEY=<your-api-key> # Only required for AzureKeyCredential auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Image Requirements
diff --git a/.github/plugins/azure-sdk-java/skills/azure-ai-voicelive-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-ai-voicelive-java/SKILL.md
index 4c4a2d9f..584b13e1 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-ai-voicelive-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-ai-voicelive-java/SKILL.md
@@ -27,8 +27,9 @@ Real-time, bidirectional voice conversations with AI assistants using WebSocket
 ## Environment Variables
 
 ```bash
-AZURE_VOICELIVE_ENDPOINT=https://<resource>.openai.azure.com/
-AZURE_VOICELIVE_API_KEY=<your-api-key>
+AZURE_VOICELIVE_ENDPOINT=https://<resource>.openai.azure.com/ # Required for all auth methods
+AZURE_VOICELIVE_API_KEY=<your-api-key> # Only required for AzureKeyCredential auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Authentication
@@ -49,11 +50,21 @@ VoiceLiveAsyncClient client = new VoiceLiveClientBuilder()
 ### DefaultAzureCredential (Recommended)
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 VoiceLiveAsyncClient client = new VoiceLiveClientBuilder()
     .endpoint(System.getenv("AZURE_VOICELIVE_ENDPOINT"))
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildAsyncClient();
 ```
 
diff --git a/.github/plugins/azure-sdk-java/skills/azure-appconfiguration-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-appconfiguration-java/SKILL.md
index 9b2f44ff..a27cd032 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-appconfiguration-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-appconfiguration-java/SKILL.md
@@ -55,8 +55,9 @@ Or use Azure SDK BOM:
 ## Environment Variables
 
 ```bash
-AZURE_APPCONFIG_CONNECTION_STRING=Endpoint=https://<store>.azconfig.io;Id=<id>;Secret=<secret>
-AZURE_APPCONFIG_ENDPOINT=https://<store>.azconfig.io
+AZURE_APPCONFIG_CONNECTION_STRING=Endpoint=https://<store>.azconfig.io;Id=<id>;Secret=<secret>  # Alternative to Entra ID auth
+AZURE_APPCONFIG_ENDPOINT=https://<store>.azconfig.io  # Required for all auth methods
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Client Creation
@@ -85,10 +86,21 @@ ConfigurationAsyncClient asyncClient = new ConfigurationClientBuilder()
 ### With Entra ID (Recommended)
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 ConfigurationClient configClient = new ConfigurationClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .endpoint(System.getenv("AZURE_APPCONFIG_ENDPOINT"))
     .buildClient();
 ```
diff --git a/.github/plugins/azure-sdk-java/skills/azure-communication-callautomation-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-communication-callautomation-java/SKILL.md
index 586b184d..75b1857c 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-communication-callautomation-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-communication-callautomation-java/SKILL.md
@@ -27,12 +27,23 @@ Build server-side call automation workflows including IVR systems, call routing,
 ```java
 import com.azure.communication.callautomation.CallAutomationClient;
 import com.azure.communication.callautomation.CallAutomationClientBuilder;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 // With DefaultAzureCredential
 CallAutomationClient client = new CallAutomationClientBuilder()
     .endpoint("https://<resource>.communication.azure.com")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 
 // With connection string
@@ -244,9 +255,10 @@ try {
 ## Environment Variables
 
 ```bash
-AZURE_COMMUNICATION_ENDPOINT=https://<resource>.communication.azure.com
-AZURE_COMMUNICATION_CONNECTION_STRING=endpoint=https://...;accesskey=...
-CALLBACK_BASE_URL=https://your-app.com/api/callbacks
+AZURE_COMMUNICATION_ENDPOINT=https://<resource>.communication.azure.com  # Required for all auth methods
+AZURE_COMMUNICATION_CONNECTION_STRING=endpoint=https://...;accesskey=...  # Alternative to Entra ID auth
+CALLBACK_BASE_URL=https://your-app.com/api/callbacks  # Required for webhook callbacks
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Trigger Phrases
diff --git a/.github/plugins/azure-sdk-java/skills/azure-communication-sms-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-communication-sms-java/SKILL.md
index ec2b920a..d2dfd505 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-communication-sms-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-communication-sms-java/SKILL.md
@@ -27,12 +27,23 @@ Send SMS messages to single or multiple recipients with delivery reporting.
 ```java
 import com.azure.communication.sms.SmsClient;
 import com.azure.communication.sms.SmsClientBuilder;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 // With DefaultAzureCredential (recommended)
 SmsClient smsClient = new SmsClientBuilder()
     .endpoint("https://<resource>.communication.azure.com")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 
 // With connection string
@@ -257,9 +268,10 @@ public void handleDeliveryReport(String eventJson) {
 ## Environment Variables
 
 ```bash
-AZURE_COMMUNICATION_ENDPOINT=https://<resource>.communication.azure.com
-AZURE_COMMUNICATION_CONNECTION_STRING=endpoint=https://...;accesskey=...
-SMS_FROM_NUMBER=+14255550100
+AZURE_COMMUNICATION_ENDPOINT=https://<resource>.communication.azure.com  # Required for all auth methods
+AZURE_COMMUNICATION_CONNECTION_STRING=endpoint=https://...;accesskey=...  # Alternative to Entra ID auth
+SMS_FROM_NUMBER=+14255550100  # Required for the sender phone number
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Best Practices
diff --git a/.github/plugins/azure-sdk-java/skills/azure-compute-batch-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-compute-batch-java/SKILL.md
index ae07638d..5fc31081 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-compute-batch-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-compute-batch-java/SKILL.md
@@ -32,9 +32,10 @@ Client library for running large-scale parallel and high-performance computing (
 ## Environment Variables
 
 ```bash
-AZURE_BATCH_ENDPOINT=https://<account>.<region>.batch.azure.com
-AZURE_BATCH_ACCOUNT=<account-name>
-AZURE_BATCH_ACCESS_KEY=<account-key>
+AZURE_BATCH_ENDPOINT=https://<account>.<region>.batch.azure.com  # Required for all auth methods
+AZURE_BATCH_ACCOUNT=<account-name>  # Only required for shared key auth
+AZURE_BATCH_ACCESS_KEY=<account-key>  # Only required for shared key auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Client Creation
@@ -44,10 +45,21 @@ AZURE_BATCH_ACCESS_KEY=<account-key>
 ```java
 import com.azure.compute.batch.BatchClient;
 import com.azure.compute.batch.BatchClientBuilder;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 BatchClient batchClient = new BatchClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .endpoint(System.getenv("AZURE_BATCH_ENDPOINT"))
     .buildClient();
 ```
@@ -58,7 +70,7 @@ BatchClient batchClient = new BatchClientBuilder()
 import com.azure.compute.batch.BatchAsyncClient;
 
 BatchAsyncClient batchAsyncClient = new BatchClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .endpoint(System.getenv("AZURE_BATCH_ENDPOINT"))
     .buildAsyncClient();
 ```
diff --git a/.github/plugins/azure-sdk-java/skills/azure-data-tables-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-data-tables-java/SKILL.md
index 75b159b6..0fbad66b 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-data-tables-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-data-tables-java/SKILL.md
@@ -63,11 +63,22 @@ TableServiceClient serviceClient = new TableServiceClientBuilder()
 ### With DefaultAzureCredential (Storage only)
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 TableServiceClient serviceClient = new TableServiceClientBuilder()
     .endpoint("<your-table-account-url>")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
@@ -313,11 +324,12 @@ try {
 
 ```bash
 # Storage Account
-AZURE_TABLES_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=...
-AZURE_TABLES_ENDPOINT=https://<account>.table.core.windows.net
+AZURE_TABLES_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=...  # Alternative to Entra ID auth
+AZURE_TABLES_ENDPOINT=https://<account>.table.core.windows.net  # Required for all auth methods
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 
 # Cosmos DB Table API
-COSMOS_TABLE_ENDPOINT=https://<account>.table.cosmosdb.azure.com
+COSMOS_TABLE_ENDPOINT=https://<account>.table.cosmosdb.azure.com  # Alternative endpoint for Cosmos DB Table API
 ```
 
 ## Best Practices
diff --git a/.github/plugins/azure-sdk-java/skills/azure-eventgrid-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-eventgrid-java/SKILL.md
index 45e1bc2d..75586f26 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-eventgrid-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-eventgrid-java/SKILL.md
@@ -47,11 +47,22 @@ EventGridPublisherClient<CloudEvent> cloudClient = new EventGridPublisherClientB
 ### With DefaultAzureCredential
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 EventGridPublisherClient<EventGridEvent> client = new EventGridPublisherClientBuilder()
     .endpoint("<topic-endpoint>")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildEventGridEventPublisherClient();
 ```
 
@@ -287,8 +298,9 @@ try {
 ## Environment Variables
 
 ```bash
-EVENT_GRID_TOPIC_ENDPOINT=https://<topic-name>.<region>.eventgrid.azure.net/api/events
-EVENT_GRID_ACCESS_KEY=<your-access-key>
+EVENT_GRID_TOPIC_ENDPOINT=https://<topic-name>.<region>.eventgrid.azure.net/api/events  # Required for all auth methods
+EVENT_GRID_ACCESS_KEY=<your-access-key>  # Only required for AzureKeyCredential auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Best Practices
diff --git a/.github/plugins/azure-sdk-java/skills/azure-eventhub-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-eventhub-java/SKILL.md
index bbf2b76f..9399c5d6 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-eventhub-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-eventhub-java/SKILL.md
@@ -51,12 +51,23 @@ EventHubProducerClient producer = new EventHubClientBuilder()
 ### With DefaultAzureCredential
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 EventHubProducerClient producer = new EventHubClientBuilder()
     .fullyQualifiedNamespace("<namespace>.servicebus.windows.net")
     .eventHubName("<event-hub-name>")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildProducerClient();
 ```
 
@@ -336,9 +347,10 @@ try (EventHubProducerClient producer = new EventHubClientBuilder()
 ## Environment Variables
 
 ```bash
-EVENT_HUBS_CONNECTION_STRING=Endpoint=sb://<namespace>.servicebus.windows.net/;SharedAccessKeyName=...
-EVENT_HUBS_NAME=<event-hub-name>
-STORAGE_CONNECTION_STRING=<for-checkpointing>
+EVENT_HUBS_CONNECTION_STRING=Endpoint=sb://<namespace>.servicebus.windows.net/;SharedAccessKeyName=...  # Alternative to Entra ID auth
+EVENT_HUBS_NAME=<event-hub-name>  # Required for event hub name
+STORAGE_CONNECTION_STRING=<for-checkpointing>  # Alternative to Entra ID auth for checkpointing
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Best Practices
diff --git a/.github/plugins/azure-sdk-java/skills/azure-messaging-webpubsub-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-messaging-webpubsub-java/SKILL.md
index 0a2af238..b8b8a3fe 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-messaging-webpubsub-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-messaging-webpubsub-java/SKILL.md
@@ -51,10 +51,21 @@ WebPubSubServiceClient client = new WebPubSubServiceClientBuilder()
 ### With DefaultAzureCredential
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 WebPubSubServiceClient client = new WebPubSubServiceClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .endpoint("<endpoint>")
     .hub("chat")
     .buildClient();
@@ -273,9 +284,10 @@ try {
 ## Environment Variables
 
 ```bash
-WEB_PUBSUB_CONNECTION_STRING=Endpoint=https://<resource>.webpubsub.azure.com;AccessKey=...
-WEB_PUBSUB_ENDPOINT=https://<resource>.webpubsub.azure.com
-WEB_PUBSUB_ACCESS_KEY=<your-access-key>
+WEB_PUBSUB_CONNECTION_STRING=Endpoint=https://<resource>.webpubsub.azure.com;AccessKey=...  # Alternative to Entra ID auth
+WEB_PUBSUB_ENDPOINT=https://<resource>.webpubsub.azure.com  # Required for AzureKeyCredential or TokenCredential auth
+WEB_PUBSUB_ACCESS_KEY=<your-access-key>  # Only required for AzureKeyCredential auth
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Client Roles
diff --git a/.github/plugins/azure-sdk-java/skills/azure-monitor-ingestion-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-monitor-ingestion-java/SKILL.md
index 20603db3..fdafd0a6 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-monitor-ingestion-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-monitor-ingestion-java/SKILL.md
@@ -57,9 +57,10 @@ Or use Azure SDK BOM:
 ## Environment Variables
 
 ```bash
-DATA_COLLECTION_ENDPOINT=https://<dce-name>.<region>.ingest.monitor.azure.com
-DATA_COLLECTION_RULE_ID=dcr-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-STREAM_NAME=Custom-MyTable_CL
+DATA_COLLECTION_ENDPOINT=https://<dce-name>.<region>.ingest.monitor.azure.com  # Required for all auth methods
+DATA_COLLECTION_RULE_ID=dcr-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  # Required for log upload routing
+STREAM_NAME=Custom-MyTable_CL  # Required for the target DCR stream
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Client Creation
@@ -67,12 +68,20 @@ STREAM_NAME=Custom-MyTable_CL
 ### Synchronous Client
 
 ```java
-import com.azure.identity.DefaultAzureCredential;
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
 import com.azure.monitor.ingestion.LogsIngestionClient;
 import com.azure.monitor.ingestion.LogsIngestionClientBuilder;
 
-DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 LogsIngestionClient client = new LogsIngestionClientBuilder()
     .endpoint("<data-collection-endpoint>")
@@ -87,7 +96,7 @@ import com.azure.monitor.ingestion.LogsIngestionAsyncClient;
 
 LogsIngestionAsyncClient asyncClient = new LogsIngestionClientBuilder()
     .endpoint("<data-collection-endpoint>")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildAsyncClient();
 ```
 
diff --git a/.github/plugins/azure-sdk-java/skills/azure-monitor-query-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-monitor-query-java/SKILL.md
index 3561bb16..4f9d8cfe 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-monitor-query-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-monitor-query-java/SKILL.md
@@ -63,8 +63,9 @@ Or use Azure SDK BOM:
 ## Environment Variables
 
 ```bash
-LOG_ANALYTICS_WORKSPACE_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-AZURE_RESOURCE_ID=/subscriptions/{sub}/resourceGroups/{rg}/providers/{provider}/{resource}
+LOG_ANALYTICS_WORKSPACE_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  # Required for Log Analytics workspace queries
+AZURE_RESOURCE_ID=/subscriptions/{sub}/resourceGroups/{rg}/providers/{provider}/{resource}  # Required for metrics queries against a resource
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Client Creation
@@ -72,12 +73,23 @@ AZURE_RESOURCE_ID=/subscriptions/{sub}/resourceGroups/{rg}/providers/{provider}/
 ### LogsQueryClient (Sync)
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
 import com.azure.monitor.query.LogsQueryClient;
 import com.azure.monitor.query.LogsQueryClientBuilder;
 
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
+
 LogsQueryClient logsClient = new LogsQueryClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
@@ -87,7 +99,7 @@ LogsQueryClient logsClient = new LogsQueryClientBuilder()
 import com.azure.monitor.query.LogsQueryAsyncClient;
 
 LogsQueryAsyncClient logsAsyncClient = new LogsQueryClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildAsyncClient();
 ```
 
@@ -98,7 +110,7 @@ import com.azure.monitor.query.MetricsQueryClient;
 import com.azure.monitor.query.MetricsQueryClientBuilder;
 
 MetricsQueryClient metricsClient = new MetricsQueryClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
@@ -108,7 +120,7 @@ MetricsQueryClient metricsClient = new MetricsQueryClientBuilder()
 import com.azure.monitor.query.MetricsQueryAsyncClient;
 
 MetricsQueryAsyncClient metricsAsyncClient = new MetricsQueryClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildAsyncClient();
 ```
 
@@ -117,13 +129,13 @@ MetricsQueryAsyncClient metricsAsyncClient = new MetricsQueryClientBuilder()
 ```java
 // Azure China Cloud - Logs
 LogsQueryClient logsClient = new LogsQueryClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .endpoint("https://api.loganalytics.azure.cn/v1")
     .buildClient();
 
 // Azure China Cloud - Metrics
 MetricsQueryClient metricsClient = new MetricsQueryClientBuilder()
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .endpoint("https://management.chinacloudapi.cn")
     .buildClient();
 ```
diff --git a/.github/plugins/azure-sdk-java/skills/azure-security-keyvault-keys-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-security-keyvault-keys-java/SKILL.md
index 9f8cba84..632c3607 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-security-keyvault-keys-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-security-keyvault-keys-java/SKILL.md
@@ -25,28 +25,39 @@ Manage cryptographic keys and perform cryptographic operations in Azure Key Vaul
 ## Client Creation
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
 import com.azure.security.keyvault.keys.KeyClient;
 import com.azure.security.keyvault.keys.KeyClientBuilder;
 import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
 import com.azure.security.keyvault.keys.cryptography.CryptographyClientBuilder;
-import com.azure.identity.DefaultAzureCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 // Key management client
 KeyClient keyClient = new KeyClientBuilder()
     .vaultUrl("https://<vault-name>.vault.azure.net")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 
 // Async client
 KeyAsyncClient keyAsyncClient = new KeyClientBuilder()
     .vaultUrl("https://<vault-name>.vault.azure.net")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildAsyncClient();
 
 // Cryptography client (for encrypt/decrypt/sign/verify)
 CryptographyClient cryptoClient = new CryptographyClientBuilder()
     .keyIdentifier("https://<vault-name>.vault.azure.net/keys/<key-name>/<key-version>")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
@@ -347,7 +358,8 @@ try {
 ## Environment Variables
 
 ```bash
-AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net
+AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net  # Required for vault URL
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Best Practices
diff --git a/.github/plugins/azure-sdk-java/skills/azure-security-keyvault-secrets-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-security-keyvault-secrets-java/SKILL.md
index 150b9f00..a2a9f62f 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-security-keyvault-secrets-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-security-keyvault-secrets-java/SKILL.md
@@ -25,20 +25,31 @@ Securely store and manage secrets like passwords, API keys, and connection strin
 ## Client Creation
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
 import com.azure.security.keyvault.secrets.SecretClient;
 import com.azure.security.keyvault.secrets.SecretClientBuilder;
-import com.azure.identity.DefaultAzureCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 // Sync client
 SecretClient secretClient = new SecretClientBuilder()
     .vaultUrl("https://<vault-name>.vault.azure.net")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 
 // Async client
 SecretAsyncClient secretAsyncClient = new SecretClientBuilder()
     .vaultUrl("https://<vault-name>.vault.azure.net")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildAsyncClient();
 ```
 
@@ -310,7 +321,8 @@ try {
 ## Environment Variables
 
 ```bash
-AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net
+AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net  # Required for vault URL
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Best Practices
diff --git a/.github/plugins/azure-sdk-java/skills/azure-storage-blob-java/SKILL.md b/.github/plugins/azure-sdk-java/skills/azure-storage-blob-java/SKILL.md
index 3e3860b8..9202207d 100644
--- a/.github/plugins/azure-sdk-java/skills/azure-storage-blob-java/SKILL.md
+++ b/.github/plugins/azure-sdk-java/skills/azure-storage-blob-java/SKILL.md
@@ -45,11 +45,22 @@ BlobServiceClient serviceClient = new BlobServiceClientBuilder()
 ### With DefaultAzureCredential
 
 ```java
+import com.azure.core.credential.TokenCredential;
+import com.azure.identity.AzureIdentityEnvVars;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 
 BlobServiceClient serviceClient = new BlobServiceClientBuilder()
     .endpoint("<storage-account-url>")
-    .credential(new DefaultAzureCredentialBuilder().build())
+    .credential(credential)
     .buildClient();
 ```
 
@@ -378,8 +389,9 @@ BlobServiceClient client = new BlobServiceClientBuilder()
 ## Environment Variables
 
 ```bash
-AZURE_STORAGE_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=...
-AZURE_STORAGE_ACCOUNT_URL=https://<account>.blob.core.windows.net
+AZURE_STORAGE_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=...  # Alternative to Entra ID auth
+AZURE_STORAGE_ACCOUNT_URL=https://<account>.blob.core.windows.net  # Required for all auth methods
+AZURE_TOKEN_CREDENTIALS=prod  # Required only if DefaultAzureCredential is used in production
 ```
 
 ## Trigger Phrases
diff --git a/.github/skills/skill-creator/SKILL.md b/.github/skills/skill-creator/SKILL.md
index a80940ac..50dcbe8d 100644
--- a/.github/skills/skill-creator/SKILL.md
+++ b/.github/skills/skill-creator/SKILL.md
@@ -127,13 +127,32 @@ client = ServiceClient(endpoint, credential)
 
 ```csharp
 // C#
-var credential = new DefaultAzureCredential();
+using Azure.Identity;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+var credential = new DefaultAzureCredential(
+    DefaultAzureCredential.DefaultEnvironmentVariableName
+);
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes
+// var credential = new ManagedIdentityCredential();
 var client = new ServiceClient(new Uri(endpoint), credential);
 ```
 
 ```java
 // Java
-TokenCredential credential = new DefaultAzureCredentialBuilder().build();
+import com.azure.identity.AzureIdentityEnvVars;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredential;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+// Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
+TokenCredential credential = new DefaultAzureCredentialBuilder()
+    .requireEnvVars(AzureIdentityEnvVars.AZURE_TOKEN_CREDENTIALS)
+    .build();
+// Or use a specific credential directly in production:
+// See https://learn.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable#credential-classes
+// TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
 ServiceClient client = new ServiceClientBuilder()
     .endpoint(endpoint)
     .credential(credential)