Edit

MSAL-based Azure CLI

  • Article
  • 2 minutes to read

Starting in version 2.30.0, Azure CLI uses MSAL as the underlying authentication library. MSAL uses AAD v2.0 authentication flow to provide more functionality and increases security for token cache.

Warning

BREAKING CHANGES are introduced in Azure CLI 2.30.0. Carefully read document prior to installation.

accessTokens.json deprecation

Previous versions of Azure CLI save ADAL tokens and service principal entries to ~/.azure/accessToken.json. Latest versions of Azure CLI use MSAL and no longer generate accessTokens.json. Any existing workflow depending on accessTokens.json no longer works.

The MSAL token cache and service principal entries are saved as encrypted files on Windows, and plaintext files on Linux and MacOS.

Important

When using Azure CLI in a pipeline like Azure DevOps, ensure all tasks and stages are using versions of Azure CLI above v2.30.0 for MSAL-based Azure CLI. Azure CLI 2.30.0 is not backwards compatible with prior versions and throws an error when working with versions below 2.30.0.

Alternatives to consider

Below are a couple alternatives you may consider for stability:

Calling az account get-access-token

You can manually call az account get-access-token in a terminal or use subprocess to call it from another programming language. By default, the returned access token is for Azure Resource Manager (ARM) and the default subscription/tenant shown in az account show.

# get the active subscription
az account show --output table

# get access token for the active subscription
az account get-access-token

# get access token for a specific subscription
az account get-access-token --subscription "<subscription ID or name>"

Using AzureCliCredential

AzureCliCredential is a credential type in all existing language SDKs. It uses subprocess to call az account get-access-token to get an access token for the current logged-in account.

See also