Sign in with Azure CLI

There are several authentication types for the Azure Command-Line Interface (CLI), so how do you log in? The easiest way to get started is with Azure Cloud Shell, which automatically logs you in. Locally, you can sign in interactively through your browser with the az login command. When writing scripts, the recommended approach is to use service principals. By granting just the appropriate permissions needed to a service principal, you can keep your automation secure.

None of your login information is stored by Azure CLI. Instead, an authentication refresh token is generated by Azure and stored. As of August 2018 this token is revoked after 90 days of inactivity, but this value can be changed by Microsoft or your tenant administrator. Once the token is revoked you get a message from the CLI saying you need to login again.

After signing in, CLI commands are run against your default subscription. If you have multiple subscriptions, you can change your default subscription.

Note

Depending on your signing in method, your tenant may have Conditional Access policies that restrict your access to certain resources.

Sign in interactively

The Azure CLI's default authentication method for logins uses a web browser and access token to sign in.

1. Run the login command.

   az login
   

   If the CLI can open your default browser, it will initiate authorization code flow and open the default browser to load an Azure sign-in page.

   Otherwise, it will initiate device code flow and tell you to open a browser page at https://aka.ms/devicelogin and enter the code displayed in your terminal.

   If no web browser is available or the web browser fails to open, you may force device code flow with az login --use-device-code.

2. Sign in with your account credentials in the browser.

Sign in with credentials on the command line

Provide your Azure user credentials on the command line.

Note

This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.

az login -u <username> -p <password>

Important

If you want to avoid displaying your password on console and are using az login interactively, use the read -s command under bash.

read -sp "Azure password: " AZ_PASS && echo && az login -u <username> -p $AZ_PASS

Under PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password

Sign in with a service principal

Service principals are accounts not tied to any particular user, which can have permissions on them assigned through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs, allowing you to apply both permissions restrictions and locally stored static credential information. To learn more about service principals, see Create an Azure service principal with the Azure CLI.

To sign in with a service principal, you need:

• The URL or name associated with the service principal
• The service principal password, or the X509 certificate used to create the service principal in PEM format
• The tenant associated with the service principal, as either an .onmicrosoft.com domain or Azure object ID

Note

A CERTIFICATE must be appended to the PRIVATE KEY within a PEM file. For an example of a PEM file format, see Certificate-based authentication.

Important

If your service principal uses a certificate that is stored in Key Vault, that certificate's private key must be available without signing in to Azure. To retrieve the certificate for az login, see Retrieve certificate from Key Vault.

az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>

Important

If you want to avoid displaying your password on console and are using az login interactively, use the read -s command under bash.

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p $AZ_PASS --tenant <tenant>

Under PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <app-id>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>

Sign in with a different tenant

You can select a tenant to sign in under with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign in methods work with --tenant.

az login --tenant <tenant>

Sign in with a managed identity

On resources configured for managed identities for Azure resources, you can sign in using the managed identity. Signing in with the resource's identity is done through the --identity flag.

az login --identity

If the resource has multiple user assigned managed identities and no system assigned identity, you must specify the client id or object id or resource id of the user assigned managed identity with --username for login.

az login --identity --username <client_id|object_id|resource_id>

To learn more about managed identities for Azure resources, see Configure managed identities for Azure resources and Use managed identities for Azure resources for sign in.

See also

• How-to change your active tenant
• How-to change your active subscription
• Learn to use Bash with the Azure CLI