Log in with Azure CLI 2.0

There are several ways to log in and authenticate with the Azure CLI. The easiest way to get started is to log in interactively in your browser, either through Azure Cloud Shell or with the az login command. For scripts and automation, the recommended approach is a service principal: an identity whose permissions you restrict to exactly what the job needs. Granting a service principal only those permissions limits what a leaked credential or a buggy script can do.

Your password is never stored locally. Instead, Azure issues an authentication token that the CLI caches on disk in the .azure directory under your home directory. Treat that directory as a credential: anyone who can read it can act as you until the token expires. A login stays valid until the token goes unused for 14 days; at that point you must authenticate again.

After logging in, CLI commands run against your default subscription. If you have more than one subscription, you can change the default with az account set.

Interactive log-in

Log in interactively from your web browser.

  1. Run the login command.

    az login
    

    You get a code to use in the next step.

  2. Use a web browser to open the page https://aka.ms/devicelogin and enter the code to authenticate.

  3. Log in with your account credentials in the browser.

Command line

Provide your Azure user credentials on the command line.

Note

This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. It is also a poor fit for automation, because the password becomes part of the command line and therefore ends up in shell history and in process listings.

az login -u <username> -p <password>

Important

If you are logging in from an interactive bash session and want to keep the password off the screen and out of your shell history, read it into a variable with read -s first. Note that the password is still passed to az as a command-line argument, so it remains visible in the local process list for the duration of the call.

read -sp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"; unset AZ_PASS

Under PowerShell, use the Read-Host -AsSecureString cmdlet, convert the secure string to plain text only for the call, and clear the variable afterwards.

# Prompt without echoing the password to the console
$securePass = Read-Host "Azure password: " -AsSecureString;
# az is an external command, so it needs the plain-text value
$AzPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass));
az login -u <username> -p $AzPass;
# Do not leave the plain-text password in the session
$AzPass = ""

Log in with a specific tenant

If you work with multiple tenants, select the tenant to log in under with the --tenant argument. The value can be either an .onmicrosoft.com domain or the tenant ID (a GUID). You can log in interactively, or provide your credentials with the --username and --password arguments.

az login --tenant <tenant>

Log in with a service principal

Service principals are identities in Azure Active Directory that are not tied to any particular user and that receive permissions through role assignments. Authenticating with a service principal is the best way to write secure scripts or programs: you can scope the identity's permissions to the task, and the credential the script uses is a static secret or certificate that you control and can rotate independently of any user account. To learn more about service principals, see Create an Azure service principal with the Azure CLI.

To log in with a service principal, you provide its application ID (or app ID URI) as the user name, its client secret or the path to a PEM file containing its certificate and private key as the password, and the tenant associated with the service principal:

az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>

The tenant value is the Azure Active Directory tenant associated with the service principal. This can be either an .onmicrosoft.com domain or the tenant ID (a GUID). You can get the tenant ID for your current login with the following command:

az account show --query 'tenantId' -o tsv

Important

If you are logging in from an interactive bash session and want to keep the client secret off the screen and out of your shell history, read it into a variable with read -s first. The secret is still passed to az as a command-line argument, so it remains visible in the local process list for the duration of the call; logging in with a certificate file instead of a secret avoids this, since only the file path appears on the command line.

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-url> -p "$AZ_PASS" --tenant <tenant>; unset AZ_PASS

Under PowerShell, use the Read-Host -AsSecureString cmdlet, convert the secure string to plain text only for the call, and clear the variable afterwards.

# Prompt without echoing the secret to the console
$securePass = Read-Host "Azure password: " -AsSecureString;
# az is an external command, so it needs the plain-text value
$AzPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass));
az login --service-principal -u <app-url> -p $AzPass --tenant <tenant>;
# Do not leave the plain-text secret in the session
$AzPass = ""
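The following bash script is an added example and is not part of the Azure CLI documentation or the CLI itself. It wraps the service-principal login described above and the tenant selection described under "Log in with a specific tenant": it validates the --tenant value against the two accepted forms (an .onmicrosoft.com domain or a GUID), reads the client secret without echoing it or placing it in shell history, and, after login, checks with az account show that the CLI is actually signed in to the requested tenant before any further command runs, logging out again if it is not. The environment variable AZ_SP_SECRET, the positional-argument convention, and the sample GUIDs are assumptions of this example, not conventions of the CLI.

```shell
#!/usr/bin/env bash
# Added example, not Azure CLI code: wrapper around "az login --service-principal".
# Assumptions (this example's, not the CLI's): the client secret comes from the
# environment variable AZ_SP_SECRET or is read from the terminal; the app ID and
# tenant are passed as the two positional arguments.
set -eu

# --tenant accepts either an .onmicrosoft.com domain or the tenant ID, a GUID.
is_valid_tenant() {
  case "$1" in
    ?*.onmicrosoft.com) return 0 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Tenant IDs are GUIDs and compare equal regardless of letter case.
same_tenant() {
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# What is about to run, with the secret redacted, for logs and debugging.
describe_login() {
  printf 'az login --service-principal -u %s -p <redacted> --tenant %s\n' "$1" "$2"
}

# Log in as the service principal and verify the active account's tenant.
sp_login() {
  app_id=$1
  tenant=$2
  is_valid_tenant "$tenant" || { echo "invalid --tenant value: $tenant" >&2; return 2; }

  if [ -z "${AZ_SP_SECRET:-}" ]; then
    # read -s keeps the secret off the screen, and because it is read rather
    # than typed as part of a command, it never enters the shell history.
    printf 'Client secret for %s: ' "$app_id" >&2
    read -rs AZ_SP_SECRET
    echo >&2
  fi

  describe_login "$app_id" "$tenant" >&2
  # The secret is still an argv element of this process while az runs.
  az login --service-principal -u "$app_id" -p "$AZ_SP_SECRET" --tenant "$tenant" >/dev/null
  unset AZ_SP_SECRET

  active=$(az account show --query tenantId -o tsv)
  case "$tenant" in
    *.onmicrosoft.com) ;;  # domain form cannot be compared with the GUID az returns
    *) same_tenant "$tenant" "$active" || {
         echo "logged in to tenant $active, expected $tenant; logging out" >&2
         az logout
         return 3
       } ;;
  esac
  echo "logged in to tenant $active" >&2
}

# Run only when invoked as: ./sp_login.sh <app-id> <tenant>
if [ "$#" -eq 2 ]; then
  sp_login "$1" "$2"
fi
```

The tenant check matters in automation that runs against several tenants: a wrong or stale --tenant value still produces a successful login, just into the wrong directory, and every later command would act there. To avoid the secret appearing in the process list at all, pass a certificate PEM file as the -p value instead of a secret; then only the file path is on the command line. If the account has more than one subscription, follow the login with az account set to pick the one the script should use.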