This option is good when learning Azure CLI commands and running the Azure CLI locally. With the az login command, you log in through your browser. Interactive login also gives you a subscription selector to automatically set your default subscription.
Managed identities provide an Azure-managed identity for applications to use when connecting to resources that support Microsoft Entra authentication. Using a managed identity eliminates the need for you to manage secrets, credentials, certificates, and keys.
When you write scripts, using a service principal is the recommended authentication approach. You grant a service principal only the permissions it needs, keeping your automation secure.
Multi-factor authentication (MFA)
Starting in 2025, Microsoft will enforce mandatory MFA for Azure CLI and other command-line tools. MFA will only impact Microsoft Entra ID user identities. It will not impact workload identities, such as service principals and managed identities.
After you sign in, CLI commands run against your default subscription. If you have multiple subscriptions, change your default subscription using az account set --subscription.
az account set --subscription "<subscription ID or name>"
When you sign in with a user account, Azure CLI generates and stores an authentication refresh token. Because access tokens are valid for only a short period of time, a refresh token is issued at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. For more information on token lifetime and expiration, see Refresh tokens in the Microsoft identity platform.
# get access token for the active subscription
az account get-access-token

# get access token for a specific subscription
az account get-access-token --subscription "<subscription ID or name>"
Here is some additional information about access token expiration dates:
Expiration dates are updated in a format that is supported by MSAL-based Azure CLI.
Starting from Azure CLI 2.54.0, az account get-access-token returns the expires_on property alongside the expiresOn property for the token expiration time.
The expires_on property represents a Portable Operating System Interface (POSIX) timestamp while the expiresOn property represents a local datetime.
The expiresOn property doesn't express "fold" when Daylight Saving Time ends. This can cause problems in countries or regions where Daylight Saving Time is adopted. For more information on "fold", see PEP 495 – Local Time Disambiguation.
We recommend that downstream applications use the expires_on property, because it is based on Coordinated Universal Time (UTC).
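The following added example (not part of the original documentation or the Azure CLI code base) shows one way a downstream script can read the expiry from az account get-access-token output: it prefers expires_on and, for output from a CLI older than 2.54.0, resolves the ambiguous expiresOn value to the earlier of its two possible instants. The function names, the five-minute skew, the sample JSON, and the assumed expiresOn format (YYYY-MM-DD HH:MM:SS.ffffff) are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `az account get-access-token` output (CLI 2.54.0+ shape);
# the token and IDs are placeholders, not real values.
SAMPLE = json.dumps({
    "accessToken": "<redacted>",
    "expiresOn": "2024-11-03 01:30:00.000000",  # local wall-clock time
    "expires_on": 1730626200,                   # POSIX timestamp
    "subscription": "<subscription ID>",
    "tenant": "<tenant ID>",
    "tokenType": "Bearer",
})


def token_expiry(cli_json):
    """Return (expiry as an aware UTC datetime, exact) from the CLI's JSON output."""
    token = json.loads(cli_json)
    if "expires_on" in token:
        # Unambiguous: seconds since the epoch, independent of the local time zone.
        return datetime.fromtimestamp(int(token["expires_on"]), tz=timezone.utc), True
    # Older CLI: only the local datetime exists. In the repeated hour at the end
    # of Daylight Saving Time it maps to two instants (fold=0 and fold=1), so
    # keep the earlier one and never treat an expired token as still valid.
    local = datetime.strptime(token["expiresOn"], "%Y-%m-%d %H:%M:%S.%f")
    candidates = [local.replace(fold=f).astimezone(timezone.utc) for f in (0, 1)]
    return min(candidates), False


def needs_refresh(cli_json, now, skew=timedelta(minutes=5)):
    """True when the token expires within `skew` of `now` (an aware datetime)."""
    expiry, _exact = token_expiry(cli_json)
    return now >= expiry - skew


if __name__ == "__main__":
    # Print only the expiry, never the access token itself.
    expiry, exact = token_expiry(SAMPLE)
    print(expiry.isoformat(), "exact" if exact else "best effort (expiresOn only)")
```

The fallback branch depends on the time zone of the machine that ran the CLI, so its result is only meaningful when the script runs in that same zone.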