Sign in interactively with Azure CLI

The Azure CLI's default authentication method for logins uses a web browser and access token to sign in.

  1. Run the az login command.

    az login
    

    If the Azure CLI can open your default browser, it initiates authorization code flow and opens the default browser to load an Azure sign-in page.

    Otherwise, it initiates the device code flow and instructs you to open a browser page at https://aka.ms/devicelogin. Then, enter the code displayed in your terminal.

    If no web browser is available or the web browser fails to open, you may force device code flow with az login --use-device-code.

  2. Sign in with your account credentials in the browser.

Sign in with credentials on the command line

Provide your Azure user credentials on the command line. Only use this authentication method for learning Azure CLI commands. Production-level applications should use a service principal or managed identity.

This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. You receive an "interactive authentication is needed" message.

az login --user <username> --password <password>

Important

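If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash. This only hides the password as you type it; it is still passed to az login as a command-line argument.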

read -rsp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"

Under PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password

Sign in with a different tenant

You can select a tenant to sign in under with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign-in methods work with --tenant.

az login --tenant 00000000-0000-0000-0000-000000000000

After signing in, if you want to change your active tenant, see How-to change your active tenant.

Refresh tokens

When you sign in with a user account, Azure CLI generates and stores an authentication refresh token. Because access tokens are valid for only a short period of time, a refresh token is issued at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. For more information on token lifetime and expiration, see Refresh tokens in the Microsoft identity platform.

Use the az account get-access-token command to retrieve the access token:

# get access token for the active subscription
az account get-access-token

# get access token for a specific subscription
az account get-access-token --subscription "<subscription ID or name>"

Here is some additional information about access token expiration dates:

  • Expiration dates are updated in a format that is supported by MSAL-based Azure CLI.
  • Starting from Azure CLI 2.54.0, az account get-access-token returns the expires_on property alongside the expiresOn property for the token expiration time.
  • The expires_on property represents a Portable Operating System Interface (POSIX) timestamp while the expiresOn property represents a local datetime.
  • The expiresOn property doesn't express "fold" when Daylight Saving Time ends. This can cause problems in countries or regions where Daylight Saving Time is adopted. For more information on "fold", see PEP 495 – Local Time Disambiguation.
  • We recommend that downstream applications use the expires_on property, because it is based on Coordinated Universal Time (UTC).

Example output:

{
  "accessToken": "...",
  "expiresOn": "2023-10-31 21:59:10.000000",
  "expires_on": 1698760750,
  "subscription": "...",
  "tenant": "...",
  "tokenType": "Bearer"
}
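
The following is an added example, not part of the original Azure CLI documentation. It shows how a downstream script can derive the expiry from expires_on, and why the local-time expiresOn string is ambiguous when Daylight Saving Time ends. The function names, the fixed UTC offsets, and the 2023-10-29 transition are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# The example output shown on this page, embedded as constructed sample input.
SAMPLE = """{"accessToken": "...", "expiresOn": "2023-10-31 21:59:10.000000",
  "expires_on": 1698760750, "subscription": "...", "tenant": "...",
  "tokenType": "Bearer"}"""
FMT = "%Y-%m-%d %H:%M:%S.%f"  # layout of expiresOn in the sample above

def expiry_utc(token, local_offset=None):
    """Return the token expiry as an aware UTC datetime.

    Prefers expires_on (POSIX timestamp, Azure CLI 2.54.0+). For older output
    that only has expiresOn, the caller must state the local UTC offset,
    because the string itself carries none.
    """
    if "expires_on" in token:
        return datetime.fromtimestamp(int(token["expires_on"]), tz=timezone.utc)
    if local_offset is None:
        raise ValueError("expiresOn is local time; a UTC offset is required")
    local = datetime.strptime(token["expiresOn"], FMT)
    return (local - local_offset).replace(tzinfo=timezone.utc)

def needs_refresh(token, now_ts, margin_s=300):
    """True when fewer than margin_s seconds of validity remain at now_ts."""
    return int(token["expires_on"]) - now_ts < margin_s

# Assumption for illustration: a zone at UTC+2 until 2023-10-29 01:00 UTC
# and UTC+1 afterwards (Daylight Saving Time ends).
DST_END = 1698541200

def as_expires_on(ts):
    """Render a POSIX timestamp as a naive local string, like expiresOn."""
    offset = timedelta(hours=2 if ts < DST_END else 1)
    utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    return (utc + offset).strftime(FMT)

if __name__ == "__main__":
    token = json.loads(SAMPLE)
    print(expiry_utc(token).isoformat())
    # Two expiry instants one hour apart render as the same expiresOn string.
    print(as_expires_on(1698539400), "|", as_expires_on(1698543000))
```

In a real script, pass the parsed output of az account get-access-token to expiry_utc or needs_refresh in place of SAMPLE.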

Troubleshooting

When your default browser is Microsoft Edge, you might encounter the following error when attempting to sign in to Azure interactively with az login: "The connection for this site is not secure." To resolve this issue, visit edge://net-internals/#hsts in Microsoft Edge. Add localhost under "Delete domain security policy" and select Delete.
