Sign in with Azure CLI
There are several authentication types for the Azure Command-Line Interface (CLI), so how do you sign in? The easiest way to get started is with Azure Cloud Shell, which automatically logs you in. Locally, you can sign in interactively through your browser with the az login command. When you write scripts, the recommended approach is to use service principals. By granting just the appropriate permissions needed to a service principal, you can keep your automation secure.
When signing in with a user account, Azure CLI generates and stores an authentication refresh token. For more information on refresh and session token configuration, see Refresh and session token lifetime policy properties.
After you sign in, CLI commands are run against your default subscription. If you have multiple subscriptions, you can change your default subscription.
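The refresh token mentioned above lives on disk, so it deserves the same care as any other credential. As an added example (not part of the Azure CLI documentation), the following bash functions check the permissions of the CLI's credential directory, AZURE_CONFIG_DIR (default ~/.azure), and tighten them. The function names are this example's own, and the cache file names used when testing it are constructed stand-ins; the CLI's real file names vary between versions, which is why the audit looks at every file in the directory.

```bash
#!/usr/bin/env bash
# Added example, not from the Azure CLI docs: audit the Azure CLI credential cache.
# The CLI stores refresh tokens and service principal credentials under
# $AZURE_CONFIG_DIR (default ~/.azure). File names differ across CLI versions, so
# this checks every regular file in the directory rather than fixed names, and
# flags anything another local user could read, write or execute.

# Location of the CLI config directory (AZURE_CONFIG_DIR is a real CLI setting).
azure_config_dir() {
    printf '%s\n' "${AZURE_CONFIG_DIR:-$HOME/.azure}"
}

# List files in the cache with any group or other permission bit set.
# Only POSIX find primaries are used, so this also works with BSD find.
list_exposed_cache_files() {
    local dir="${1:-$(azure_config_dir)}"
    find "$dir" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                          -o -perm -o+r -o -perm -o+w -o -perm -o+x \)
}

# Returns 0 when the cache is private, 1 when at least one file is exposed,
# 2 when there is no cache directory at all.
audit_azure_cache() {
    local dir="${1:-$(azure_config_dir)}" exposed
    [ -d "$dir" ] || { echo "no Azure CLI config dir at $dir" >&2; return 2; }
    exposed=$(list_exposed_cache_files "$dir")
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed" | sed 's/^/INSECURE: /' >&2
    return 1
}

# Tighten: directory 0700, files 0600. Alternatively, `az account clear`
# removes the cached tokens entirely.
harden_azure_cache() {
    local dir="${1:-$(azure_config_dir)}"
    chmod 700 "$dir" && find "$dir" -type f -exec chmod 600 {} +
}
```

Source the file and run audit_azure_cache in a login script or a CI job; a non-zero status means a token cache that other accounts on the host can read, which is the same as a leaked password until az account clear is run.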
Note
Depending on your sign-in method, your tenant may have Conditional Access policies that restrict your access to certain resources.
Sign in interactively
The Azure CLI's default authentication method for logins uses a web browser and access token to sign in.
Run the login command:
az login
If the CLI can open your default browser, it initiates the authorization code flow and opens the browser to load an Azure sign-in page.
Otherwise, it initiates the device code flow and tells you to open a browser page at https://aka.ms/devicelogin and enter the code displayed in your terminal.
If no web browser is available or the web browser fails to open, you may force device code flow with az login --use-device-code.
Sign in with your account credentials in the browser.
Sign in with credentials on the command line
Provide your Azure user credentials on the command line.
Note
This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.
az login -u <username> -p <password>
Important
If you want to avoid displaying your password on the console when using az login interactively, use the read -s command under bash.
read -sp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"
Under PowerShell, use the Get-Credential cmdlet.
$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password
Both approaches keep the password off the screen and out of your shell history, but az still receives it as a command-line argument, so other processes on the same machine can read it from the process list for as long as the command runs. For anything unattended, use a service principal or a managed identity instead of a user password.
Sign in with a service principal
Service principals are accounts not tied to any particular user, which can have permissions assigned to them through predefined roles. Authenticating with a service principal is the best way to write secure scripts or programs: you can scope its permissions to exactly what the script needs, and its credential (a secret or a certificate) is stored where the script runs rather than borrowed from a person's sign-in. To learn more about service principals, see Working with Azure service principals using the Azure CLI.
To sign in with a service principal, you need:
- The application (client) ID, or the URL or name, associated with the service principal
- The service principal password, or the X509 certificate used to create the service principal in PEM format
- The tenant associated with the service principal, as either an .onmicrosoft.com domain or the tenant ID (GUID)
Note
A CERTIFICATE must be appended to the PRIVATE KEY within a PEM file. For an example of a PEM file format, see Certificate-based authentication.
Important
If your service principal uses a certificate that is stored in Key Vault, that certificate's private key must be available without signing in to Azure. To retrieve the certificate for az login, see Retrieve certificate from Key Vault.
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
Important
If you want to avoid displaying the secret on the console when using az login interactively, use the read -s command under bash.
read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p "$AZ_PASS" --tenant <tenant>
Under PowerShell, use the Get-Credential cmdlet.
$AzCred = Get-Credential -UserName <app-id>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>
In unattended automation there is nobody to answer the prompt. Supply the secret from an environment variable or a file readable only by the account that runs the script, or use a certificate or a managed identity instead. Never hard-code the secret in the script or type it as a literal on the command line, where it ends up in shell history.
See Working with service principals for more information on PEM file formats.
Sign in with a different tenant
You can select a tenant to sign in under with the --tenant argument. The value of this argument can be either an .onmicrosoft.com domain or the tenant ID (GUID). Both interactive and command-line sign-in methods work with --tenant.
az login --tenant <tenant>
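The service principal and --tenant sections above come together in scripted sign-in. The following bash helper is an added example, not the Azure CLI's own code: validate_tenant checks the --tenant value, check_sp_pem checks the private-key-then-certificate layout the PEM note above requires, and sp_login reads the secret from a file or an environment variable instead of an interactive prompt. AZ_CMD, AZURE_CLIENT_SECRET_FILE and AZURE_CLIENT_SECRET are variable names chosen for this example (AZ_CMD exists so a test can substitute a stub for az); they are not Azure CLI settings.

```bash
#!/usr/bin/env bash
# Added example, not from the Azure CLI docs: a service principal sign-in helper
# for scripts. It validates the --tenant value, checks that a certificate
# credential has the layout the CLI expects (private key first, certificate
# appended after it), and reads a client secret from a file or an environment
# variable instead of the interactive prompt. AZ_CMD, AZURE_CLIENT_SECRET_FILE
# and AZURE_CLIENT_SECRET are names chosen for this example, not CLI settings.
# az login -p still receives the secret as a process argument, so it is briefly
# visible in the process list; a certificate or a managed identity avoids that.

# --tenant accepts a tenant ID (GUID) or an *.onmicrosoft.com domain.
validate_tenant() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' && return 0
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+\.onmicrosoft\.com$'
}

# A PEM credential for az login is one file: the PRIVATE KEY block first, then
# the CERTIFICATE block. Returns 1 if either is missing or the order is reversed.
check_sp_pem() {
    local pem="$1" key cert
    key=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$pem" | head -n 1 | cut -d: -f1)
    cert=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$pem" | head -n 1 | cut -d: -f1)
    [ -n "$key" ] && [ -n "$cert" ] && [ "$key" -lt "$cert" ]
}

# Usage: sp_login <app-id> <tenant> [pem-file]
# With a PEM file the certificate is used; otherwise the secret comes from
# $AZURE_CLIENT_SECRET_FILE (preferred: a file with mode 0600) or $AZURE_CLIENT_SECRET.
sp_login() {
    local app_id="$1" tenant="$2" pem="${3:-}" secret
    if ! validate_tenant "$tenant"; then
        echo "tenant must be a GUID or an .onmicrosoft.com domain: $tenant" >&2
        return 2
    fi
    if [ -n "$pem" ]; then
        if ! check_sp_pem "$pem"; then
            echo "$pem must contain the private key followed by the certificate" >&2
            return 2
        fi
        "${AZ_CMD:-az}" login --service-principal -u "$app_id" -p "$pem" --tenant "$tenant"
        return
    fi
    if [ -n "${AZURE_CLIENT_SECRET_FILE:-}" ]; then
        secret=$(cat "$AZURE_CLIENT_SECRET_FILE")
    else
        secret="${AZURE_CLIENT_SECRET:-}"
    fi
    if [ -z "$secret" ]; then
        echo "set AZURE_CLIENT_SECRET_FILE or AZURE_CLIENT_SECRET" >&2
        return 2
    fi
    "${AZ_CMD:-az}" login --service-principal -u "$app_id" -p "$secret" --tenant "$tenant"
}
```

Call it as sp_login <app-id> <tenant> for a secret, or sp_login <app-id> <tenant> /path/to/sp.pem for a certificate; the tenant and PEM checks fail fast with exit status 2 before any network call is made.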
Sign in with a managed identity
On resources configured for managed identities for Azure resources, you can sign in using the managed identity. Signing in with the resource's identity is done through the --identity flag.
az login --identity
If the resource has multiple user-assigned managed identities and no system-assigned identity, you must specify the client ID, object ID, or resource ID of the user-assigned managed identity with --username for login.
az login --identity --username <client_id|object_id|resource_id>
To learn more about managed identities for Azure resources, see Configure managed identities for Azure resources and Use managed identities for Azure resources for sign in.
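To make the identity selection concrete, here is what az login --identity does on an Azure VM, written out as an added example (not Azure CLI code): it asks the Instance Metadata Service (IMDS) for a token, and passes client_id, object_id or mi_res_id when a specific user-assigned identity is wanted, which is the choice --username exposes. The function names, the GUIDs and the sample JSON response are constructed for this example; the endpoint, header and parameter names are IMDS's own.

```bash
#!/usr/bin/env bash
# Added example, not from the Azure CLI docs: the Instance Metadata Service (IMDS)
# token request that `az login --identity` performs on an Azure VM, spelled out.
# IMDS listens on the link-local address 169.254.169.254 and requires the
# "Metadata: true" header. With a single identity no selector is needed; with
# several user-assigned identities, client_id, object_id or mi_res_id (the ARM
# resource ID) selects one, which is what --username does for the CLI.
# The GUIDs and the sample response used in the tests are constructed.

IMDS_TOKEN_URL='http://169.254.169.254/metadata/identity/oauth2/token'
IMDS_API_VERSION='2018-02-01'

# imds_token_url <resource> [client_id|object_id|mi_res_id <value>]
imds_token_url() {
    local resource="$1" kind="${2:-}" value="${3:-}"
    local url="${IMDS_TOKEN_URL}?api-version=${IMDS_API_VERSION}&resource=${resource}"
    case "$kind" in
        '') ;;                                   # system-assigned or single identity
        client_id|object_id|mi_res_id) url="${url}&${kind}=${value}" ;;
        *) echo "selector must be client_id, object_id or mi_res_id" >&2; return 2 ;;
    esac
    printf '%s\n' "$url"
}

# Request a token; prints the JSON response. Works only on an Azure VM.
imds_get_token() {
    local url
    url=$(imds_token_url "$@") || return
    curl -sS -H 'Metadata: true' "$url"
}

# Extract one field from the flat IMDS JSON on stdin without jq.
json_field() {
    sed -n "s/.*\"$1\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Seconds until expiry; expires_on is a Unix timestamp. Refresh well before zero.
token_seconds_left() {
    local json="$1" now="${2:-$(date +%s)}" exp
    exp=$(printf '%s' "$json" | json_field expires_on)
    echo $(( exp - now ))
}
```

The selector is deliberately explicit: a client ID and an object ID are both GUIDs and cannot be told apart by shape, so a script that holds several user-assigned identities should record which kind of ID it is passing rather than guessing.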
Sign in with Web Account Manager (WAM)
The Azure CLI now offers preview support for Web Account Manager (WAM). WAM is a Windows 10+ component that acts as an authentication broker. (An authentication broker is an application that runs on a user’s machine that manages the authentication handshakes and token maintenance for connected accounts.)
Using WAM has several benefits:
- Enhanced security. See Conditional Access: Token protection (preview).
- Support for Windows Hello, conditional access policies, and FIDO keys.
- Streamlined single sign-on.
- Bug fixes and enhancements shipped with Windows.
Signing in with WAM is a preview, opt-in feature. Once enabled, the previous browser-based user interface is replaced.
az config set core.allow_broker=true
az account clear
az login
At the current stage of development, there are a few known limitations to WAM:
- WAM is available on Windows 10 and later, and on Windows Server 2019 and later. On Mac, Linux, and earlier versions of Windows, we automatically fall back to a browser.
- Microsoft Accounts (for example @outlook.com or @live.com) aren't supported for the time being. We're working with the Microsoft Identity team to bring the support later.
Troubleshooting
When your default browser is Microsoft Edge, you might encounter the following error when attempting to log in to Azure interactively with az login: "The connection for this site is not secure." To resolve this issue, visit edge://net-internals/#hsts in Microsoft Edge. Add localhost under "Delete domain security policy" and click Delete.