Sign in with Azure CLI
There are several authentication types for the Azure Command-Line Interface (CLI), so how do you log in? The easiest way to get started is with Azure Cloud Shell, which automatically logs you in. Locally, you can sign in interactively through your browser with the az login command. When writing scripts, the recommended approach is to use service principals. By granting a service principal only the permissions it needs, you keep your automation secure.
None of your login information is stored by Azure CLI. Instead, an authentication refresh token is generated by Azure and stored. As of August 2018 this token is revoked after 90 days of inactivity, but this value can be changed by Microsoft or your tenant administrator. Once the token is revoked, you get a message from the CLI saying you need to log in again.
After signing in, CLI commands are run against your default subscription. If you have multiple subscriptions, you can change your default subscription.
Note
Depending on your signing in method, your tenant may have Conditional Access policies that restrict your access to certain resources.
Sign in interactively
The Azure CLI's default authentication method for logins uses a web browser and access token to sign in.
Run the login command:
az login
If the CLI can open your default browser, it initiates the authorization code flow and opens the browser on an Azure sign-in page.
Otherwise, it initiates the device code flow and tells you to open a browser page at https://aka.ms/devicelogin and enter the code displayed in your terminal.
If no web browser is available or the web browser fails to open, you can force the device code flow with az login --use-device-code.
Sign in with your account credentials in the browser.
Sign in with credentials on the command line
Provide your Azure user credentials on the command line.
Note
This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.
az login -u <username> -p <password>
Important
If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.
read -sp "Azure password: " AZ_PASS && echo && az login -u <username> -p $AZ_PASS
Under PowerShell, use the Get-Credential cmdlet.
$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password
Sign in with a service principal
Service principals are accounts not tied to any particular user, which can have permissions assigned to them through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs: you can restrict the principal's permissions to what the script needs, and its static credentials can be stored locally. To learn more about service principals, see Working with Azure service principals using the Azure CLI.
To sign in with a service principal, you need:
- The URL or name associated with the service principal
- The service principal password, or the X509 certificate used to create the service principal in PEM format
- The tenant associated with the service principal, as either an .onmicrosoft.com domain or Azure object ID
Note
A CERTIFICATE must be appended to the PRIVATE KEY within a PEM file. For an example of a PEM file format, see Certificate-based authentication.
Important
If your service principal uses a certificate that is stored in Key Vault, that certificate's private key must be available without signing in to Azure. To retrieve the certificate for az login, see Retrieve certificate from Key Vault.
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
Important
If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.
read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p $AZ_PASS --tenant <tenant>
Under PowerShell, use the Get-Credential cmdlet.
$AzCred = Get-Credential -UserName <app-id>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>
See Working with service principals for more information on PEM file formats.
Sign in with a different tenant
You can select a tenant to sign in under with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign-in methods work with --tenant.
az login --tenant <tenant>
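The following is an added example, not code from the Azure CLI documentation: a bash wrapper for the service principal and --tenant sign-in described above. Before it reaches az login, it checks that the tenant is a GUID or an .onmicrosoft.com domain, that a PEM credential contains the private key followed by the appended certificate as the note above requires, and that the key file is not readable by other users. The function names (is_valid_tenant, pem_has_key_then_cert, pem_is_private, az_sp_login) and the demo PEM files are constructed for this example; the az invocation is the one shown on the page.

```bash
#!/usr/bin/env bash
# Added example, not from the Azure CLI documentation: a wrapper around
# "az login --service-principal" that validates its inputs before calling az.
# Assumptions: bash with GNU or BSD grep/find/mktemp. The validators never call az.

# Accept a tenant given as an .onmicrosoft.com domain or as a GUID (tenant ID).
is_valid_tenant() {
  case "$1" in
    ?*.onmicrosoft.com) return 0 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The PEM file az expects holds the private key first, with the certificate
# appended after it; reject files with a block missing or in the wrong order.
pem_has_key_then_cert() {
  f="$1"
  [ -r "$f" ] || return 1
  key_line=$(grep -n -m 1 -e '-----BEGIN .*PRIVATE KEY-----' "$f" | cut -d: -f1)
  cert_line=$(grep -n -m 1 -e '-----BEGIN CERTIFICATE-----' "$f" | cut -d: -f1)
  [ -n "$key_line" ] && [ -n "$cert_line" ] && [ "$key_line" -lt "$cert_line" ]
}

# A file holding a private key should not be readable by group or others.
pem_is_private() {
  [ -z "$(find "$1" \( -perm -g=r -o -perm -o=r \) 2>/dev/null)" ]
}

# az_sp_login APP_ID CREDENTIAL TENANT
# CREDENTIAL is a PEM path, or "-" to prompt for the client secret without echo.
# Prompting keeps the secret out of shell history and off the terminal; it is
# still passed to az as an argument, so it is visible in the process list
# for as long as az runs.
az_sp_login() {
  app_id="$1" cred="$2" tenant="$3"
  is_valid_tenant "$tenant" || { echo "tenant must be a GUID or .onmicrosoft.com domain" >&2; return 2; }
  if [ "$cred" = "-" ]; then
    read -rs -p "Service principal secret: " AZ_PASS && echo
    az login --service-principal -u "$app_id" -p "$AZ_PASS" --tenant "$tenant"
  else
    pem_has_key_then_cert "$cred" || { echo "$cred: expected PRIVATE KEY followed by CERTIFICATE" >&2; return 2; }
    pem_is_private "$cred" || echo "warning: $cred is readable by other users" >&2
    az login --service-principal -u "$app_id" -p "$cred" --tenant "$tenant"
  fi
}

# Self-check on constructed PEM files (dummy headers only, no real key material).
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'MIIC...' '-----END CERTIFICATE-----' > "$tmp/good.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...' '-----END CERTIFICATE-----' > "$tmp/cert-only.pem"
  chmod 600 "$tmp/good.pem"
  for f in "$tmp/good.pem" "$tmp/cert-only.pem"; do
    if pem_has_key_then_cert "$f"; then echo "$f: ok"; else echo "$f: rejected"; fi
  done
  rm -rf "$tmp"
}
demo
```

Call it as az_sp_login "$APP_ID" /path/to/sp.pem contoso.onmicrosoft.com for certificate sign-in, or az_sp_login "$APP_ID" - "$TENANT_ID" to be prompted for the secret. The PEM and permission checks run before any network call, so a malformed credential file fails fast with a clear message instead of an opaque login error.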
Sign in with a managed identity
On resources configured for managed identities for Azure resources, you can sign in using the managed identity. Signing in with the resource's identity is done through the --identity flag.
az login --identity
If the resource has multiple user-assigned managed identities and no system-assigned identity, you must specify the client ID, object ID, or resource ID of the user-assigned managed identity with --username when logging in.
az login --identity --username <client_id|object_id|resource_id>
To learn more about managed identities for Azure resources, see Configure managed identities for Azure resources and Use managed identities for Azure resources for sign in.