Sign in interactively with Azure CLI
Interactive logins to Azure offer a more intuitive and flexible user experience. Interactive login with Azure CLI allows users to authenticate to Azure directly through the az login command, which is useful for ad-hoc management tasks and for environments that require manual sign-in, such as those with multi-factor authentication (MFA). This method simplifies access for script testing, learning, and on-the-fly management without needing to pre-configure service principals or other noninteractive authentication methods.
Sign in with Web Account Manager (WAM) on Windows
As of Azure CLI version 2.61.0, WAM is the default authentication method on Windows. WAM is a Windows 10+ component that acts as an authentication broker. (An authentication broker is an application that runs on a user’s machine and manages the authentication handshakes and token maintenance for connected accounts.)
Using WAM has several benefits:
- Enhanced security. See Conditional Access: Token protection (preview).
- Support for Windows Hello, conditional access policies, and FIDO keys.
- Streamlined single sign-on.
- Bug fixes and enhancements shipped with Windows.
If you encounter any issue and want to revert to the previous browser-based authentication method, run the following script:
az account clear
az config set core.enable_broker_on_windows=false
az login
Sign in with a browser
WAM is available on Windows 10 and later, and on Windows Server 2019 and later. On Mac, Linux, and earlier versions of Windows, the Azure CLI will continue to automatically default to a browser.
Run the az login command.
az login
If the Azure CLI can open your default browser, it initiates authorization code flow and opens the default browser to load an Azure sign-in page.
Otherwise, it initiates the device code flow and instructs you to open a browser page at https://aka.ms/devicelogin. Then, enter the code displayed in your terminal.
If no web browser is available or the web browser fails to open, you may force device code flow with az login --use-device-code.
Sign in with your account credentials in the browser.
Sign in with credentials on the command line
Provide your Azure user credentials on the command line. Only use this authentication method for learning Azure CLI commands. Production-level applications should use a service principal or managed identity.
This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. You receive an "interactive authentication is needed" message.
az login --user <username> --password <password>
Important
If you want to avoid displaying your password on console and are using az login interactively, use the read -s command under bash.
# -r keeps backslashes in the password literal; the quotes prevent word splitting
read -rsp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"
Under PowerShell, use the Get-Credential cmdlet.
$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password
Sign in with a different tenant
You can select a tenant to sign in under with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign-in methods work with --tenant.
az login --tenant 00000000-0000-0000-0000-000000000000
After signing in, if you want to change your active tenant, see How-to change your active tenant.
Refresh tokens
When you sign in with a user account, Azure CLI generates and stores an authentication refresh token. Because access tokens are valid for only a short period of time, a refresh token is issued at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. For more information on token lifetime and expiration, see Refresh tokens in the Microsoft identity platform.
Use the az account get-access-token command to retrieve the access token:
# get access token for the active subscription
az account get-access-token
# get access token for a specific subscription
az account get-access-token --subscription "<subscription ID or name>"
Here is some additional information about access token expiration dates:
- Expiration dates are updated in a format that is supported by MSAL-based Azure CLI.
- Starting from Azure CLI 2.54.0, az account get-access-token returns the expires_on property alongside the expiresOn property for the token expiration time.
- The expires_on property represents a Portable Operating System Interface (POSIX) timestamp while the expiresOn property represents a local datetime.
- The expiresOn property doesn't express "fold" when Daylight Saving Time ends. This can cause problems in countries or regions where Daylight Saving Time is adopted. For more information on "fold", see PEP 495 – Local Time Disambiguation.
- We recommend that downstream applications use the expires_on property, because it uses Coordinated Universal Time (UTC).
Example output:
{
"accessToken": "...",
"expiresOn": "2023-10-31 21:59:10.000000",
"expires_on": 1698760750,
"subscription": "...",
"tenant": "...",
"tokenType": "Bearer"
}
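The following is an added example, not code from the original page. It shows a downstream script reading expires_on from the az account get-access-token output to decide when to refresh, and why a naive expiresOn string is ambiguous in the hour after Daylight Saving Time ends. The function names, the five-minute margin and the fall-back-hour sample value are assumptions of the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the example output above (secret values elided).
SAMPLE = """{
  "accessToken": "...",
  "expiresOn": "2023-10-31 21:59:10.000000",
  "expires_on": 1698760750,
  "tokenType": "Bearer"
}"""


def expiry_utc(token_json):
    """Return the expiry as an aware UTC datetime, read from expires_on."""
    data = json.loads(token_json)
    if "expires_on" not in data:
        # Output from Azure CLI older than 2.54.0 carries only expiresOn.
        raise KeyError("expires_on missing; Azure CLI 2.54.0 or later is required")
    return datetime.fromtimestamp(int(data["expires_on"]), tz=timezone.utc)


def needs_refresh(token_json, now, margin=timedelta(minutes=5)):
    """True when the token expires within `margin` of `now` (an aware datetime)."""
    return expiry_utc(token_json) - now <= margin


def local_candidates(expires_on_local, utc_offset_hours):
    """POSIX timestamps a naive expiresOn string could denote, one per offset.

    In the repeated hour when Daylight Saving Time ends, the DST offset and the
    standard offset are both valid for the same wall-clock string.
    """
    naive = datetime.strptime(expires_on_local, "%Y-%m-%d %H:%M:%S.%f")
    return [
        int(naive.replace(tzinfo=timezone(timedelta(hours=h))).timestamp())
        for h in utc_offset_hours
    ]


if __name__ == "__main__":
    print("expires (UTC):", expiry_utc(SAMPLE).isoformat())
    # Constructed wall-clock value inside the 2023-11-05 fall-back hour of a
    # UTC-4 (DST) / UTC-5 (standard) zone: one string, two instants an hour apart.
    print(local_candidates("2023-11-05 01:30:00.000000", [-4, -5]))
```

Pass the JSON printed by az account get-access-token to expiry_utc in place of SAMPLE.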
Troubleshooting
When your default browser is Microsoft Edge, you might encounter the following error when attempting to sign in to Azure interactively with az login: "The connection for this site is not secure." To resolve this issue, visit edge://net-internals/#hsts in Microsoft Edge. Add localhost under "Delete domain security policy" and select Delete.
See also
- Azure CLI Onboarding cheat sheet
- Find Azure CLI samples and published docs