azcmagent disconnect

Deletes the Azure Arc-enabled server resource in the cloud and resets the configuration of the local agent. For detailed information on removing extensions and disconnecting and uninstalling the agent, see uninstall the agent.


azcmagent disconnect [authentication] [flags]


Disconnect a server using the default login method (interactive browser or device code).

azcmagent disconnect

Disconnect a server using a service principal.

azcmagent disconnect --service-principal-id "ID" --service-principal-secret "SECRET"

Disconnect a server if the corresponding resource in Azure has already been deleted.

azcmagent disconnect --force-local-only

Authentication options

There are 4 ways to provide authentication credentials to the Azure connected machine agent. Choose one authentication option and replace the [authentication] section in the usage syntax with the recommended flags.


The account used to disconnect a server must be from the same tenant as the subscription where the server is registered.

Interactive browser login (Windows-only)

This option is the default on Windows operating systems with a desktop experience. The login page opens in your default web browser. This option may be required if your organization has configured conditional access policies that require you to log in from trusted machines.

No flag is required to use the interactive browser login.

Device code login

This option generates a code that you can use to log in on a web browser on another device. This is the default option on Windows Server core editions and all Linux distributions. When you execute the connect command, you have 5 minutes to open the specified login URL on an internet-connected device and complete the login flow.

To authenticate with a device code, use the --use-device-code flag.

Service principal

Service principals allow you to authenticate non-interactively and are often used for at-scale operations where the same script is run across multiple servers. It's recommended that you provide service principal information via a configuration file (see --config) to avoid exposing the secret in any console logs.

To authenticate with a service principal, provide the service principal's application ID and secret: --service-principal-id [appid] --service-principal-secret [secret]

Access token

Access tokens can also be used for non-interactive authentication, but are short-lived and typically used by automation solutions operating on several servers over a short period of time. You can get an access token with Get-AzAccessToken or any other Azure Active Directory client.

To authenticate with an access token, use the --access-token [token] flag.



Specifies the Azure Active Directory access token used to create the Azure Arc-enabled server resource in Azure. For more information, see authentication options.

-f, --force-local-only

Disconnects the server without deleting the resource in Azure. Primarily used if the Azure resource has already been deleted and the local agent configuration needs to be cleaned up.

-i, --service-principal-id

Specifies the application ID of the service principal used to create the Azure Arc-enabled server resource in Azure. Must be used with the --service-principal-secret and --tenant-id flags. For more information, see authentication options.

-p, --service-principal-secret

Specifies the service principal secret. Must be used with the --service-principal-id and --tenant-id flags. To avoid exposing the secret in console logs, it's recommended to pass in the service principal secret in a configuration file. For more information, see authentication options.


Generate an Azure Active Directory device login code that can be entered in a web browser on another computer to authenticate the agent with Azure. For more information, see authentication options.

Common flags available for all commands


Takes in a path to a JSON or YAML file containing inputs to the command. The configuration file should contain a series of key-value pairs where the key matches an available command line option. For example, to pass in the --verbose flag, the configuration file would look like:

    "verbose": true

If a command line option is found in both the command invocation and a configuration file, the value specified on the command line will take precedence.

-h, --help

Get help for the current command, including its syntax and command line options.

-j, --json

Output the command result in the JSON format.


Redirect error and verbose messages to the standard error (stderr) stream. By default, all output is sent to the standard output (stdout) stream.


Disable color output for terminals that do not support ANSI colors.

-v, --verbose

Show more detailed logging information while the command executes. Useful for troubleshooting issues when running a command.