Share via

az logout will not prevent to az login without inserting credentials

Jan Vávra 386 Reputation points
2024-10-26T13:56:05.08+00:00

Hello,
after completing my work, I want to ensure that no one who might gain control of my Windows account would be able to perform any Azure CLI operations. However, after

az logout

I can still do

az login

without asked for my Entra Id login's password and MFA on my phone. I have the default - Web Account Manager Broker. No browser authentication.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. hossein jalilian 11,055 Reputation points Volunteer Moderator
    2024-10-26T21:40:18.0333333+00:00

    Hello Jan Vávra,

    Thanks for posting your question in the Microsoft Q&A forum.

    When you use az login with WAM on Windows, the authentication tokens are stored securely by the operating system. az logout doesn't completely remove these tokens from the system

    To ensure complete logout and prevent unauthorized access, you can run the following command to clear the Azure CLI token cache

    az account clear

    If you prefer browser-based authentication, you can disable WAM

    az config set core.enable_broker_on_windows=false

    Configure your Azure AD to issue tokens with shorter lifetimes.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

  2. Jan Vávra 386 Reputation points
    2024-11-05T13:37:59.8266667+00:00

    Well, the broker was set as a default solution.
    And I still ask, how to prevent login without password required?

    I also deleted

    del %USERPROFILE%\.azure\msal_token_cache.bin  
del %USERPROFILE%\.azure\msal_http_cache.bin

    and this also didn't helped.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.