MSAL-based Azure CLI
Starting in version 2.30.0, Azure CLI uses MSAL as the underlying authentication library. MSAL uses AAD v2.0 authentication flow to provide more functionality and increases security for token cache.
BREAKING CHANGES are introduced in Azure CLI 2.30.0. Carefully read document prior to installation.
Previous versions of Azure CLI save ADAL tokens and service principal entries to
~/.azure/accessToken.json. Latest versions of Azure CLI use MSAL and no longer generate
accessTokens.json. Any existing workflow depending on
accessTokens.json no longer works.
The MSAL token cache and service principal entries are saved as encrypted files on Windows, and plaintext files on Linux and MacOS.
When using Azure CLI in a pipeline like Azure DevOps, ensure all tasks and stages are using versions of Azure CLI above v2.30.0 for MSAL-based Azure CLI. Azure CLI 2.30.0 is not backwards compatible with prior versions and throws an error when working with versions below 2.30.0.
Alternatives to consider
Below are a couple alternatives you may consider for stability:
az account get-access-token
You can manually call
az account get-access-token in a terminal or use subprocess to call it from another programming language. By default, the returned access token is for Azure Resource Manager (ARM) and the default subscription/tenant shown in
az account show.
# get the active subscription az account show --output table # get access token for the active subscription az account get-access-token # get access token for a specific subscription az account get-access-token --subscription "<subscription ID or name>"
AzureCliCredential is a credential type in all existing language SDKs. It uses subprocess to call
az account get-access-token to get an access token for the current logged-in account.
- AzureCliCredential Class in Python
- AzureCliCredential Class in .NET
- AzureCliCredential Class in Java
Submit and view feedback for