az logout will not prevent az login without inserting credentials

Jan Vávra 386 Reputation points
2024-10-26T13:56:05.08+00:00

Hello,
after completing my work, I want to ensure that no one who might gain control of my Windows account would be able to perform any Azure CLI operations. However, after

az logout 

I can still do

az login

without being asked for my Entra ID login's password and MFA on my phone. I have the default - Web Account Manager Broker. No browser authentication.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. hossein jalilian 11,055 Reputation points Volunteer Moderator
    2024-10-26T21:40:18.0333333+00:00

    Hello Jan Vávra,

    Thanks for posting your question in the Microsoft Q&A forum.

    When you use az login with WAM on Windows, the authentication tokens are stored securely by the operating system. az logout doesn't completely remove these tokens from the system.

    To ensure complete logout and prevent unauthorized access, you can run the following command to clear the Azure CLI token cache:

    az account clear
    
    

    If you prefer browser-based authentication, you can disable WAM:

    az config set core.enable_broker_on_windows=false
    
    

    Configure your Azure AD to issue tokens with shorter lifetimes.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. Jan Vávra 386 Reputation points
    2024-11-05T13:37:59.8266667+00:00

    Well, the broker was set as a default solution.
    And I still ask: how do I prevent login without a password being required?

    I also deleted

    del %USERPROFILE%\.azure\msal_token_cache.bin  
    del %USERPROFILE%\.azure\msal_http_cache.bin
    
    

    and this also didn't help.

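An added check, not part of either post and not Microsoft's own script: this PowerShell example runs the sign-out commands from the thread and then reports what local Azure CLI state remains (active account, the cache files named in the second post, and the broker setting). `Get-AzCliLocalState` is a hypothetical helper name, and `az account show` and `az config get` are used in addition to the commands on the page.

```powershell
# Added example: hypothetical helper, not from the thread or from Microsoft.
function Get-AzCliLocalState {
    $azureDir = Join-Path $env:USERPROFILE '.azure'

    # Cache files named in the second post; list the ones still on disk.
    $remaining = 'msal_token_cache.bin', 'msal_http_cache.bin' |
        ForEach-Object { Join-Path $azureDir $_ } |
        Where-Object { Test-Path -LiteralPath $_ }

    # `az account show` exits non-zero when the CLI has no active account.
    az account show --output none 2>$null
    $hasAccount = ($LASTEXITCODE -eq 0)

    # `az config get` exits non-zero when the key was never set explicitly.
    $broker = az config get core.enable_broker_on_windows --query value --output tsv 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $broker) { $broker = 'not set (CLI default applies)' }

    [pscustomobject]@{
        ActiveAccount  = $hasAccount
        CacheFilesLeft = @($remaining)
        BrokerSetting  = $broker
    }
}

# Commands from the thread, then the report.
az logout 2>$null
az account clear
$state = Get-AzCliLocalState
$state | Format-List

if ($state.ActiveAccount -or $state.CacheFilesLeft.Count -gt 0) {
    Write-Warning 'Azure CLI still holds local sign-in state.'
}
if ($state.BrokerSetting -ne 'false') {
    # Assumes the setting is stored as the literal "false", as in the first answer's command.
    Write-Warning 'Broker (WAM) is in use for az login; sign-in is handled by Windows, not by the CLI cache.'
}
```

A clean report here only describes the CLI's own cache; with the broker enabled, `az login` goes through WAM, which is the behaviour the question reports.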
