Sign in with Azure CLI 2.0

There are several ways to authenticate with the Azure CLI. The easiest way to get started is to sign in interactively in your browser, through either Azure Cloud Shell or the az login command. The recommended approach is to use service principals, which are permissions-restricted accounts. By granting a service principal only the permissions it needs, you keep your automation scripts more secure.

None of your private credential information is stored locally. Instead, an authentication token is generated by Azure and stored. After you sign in, your authentication token is valid until it goes 14 days without being used. At that point, you need to re-authenticate.

After signing in, CLI commands are run against your default subscription. If you have more than one subscription, you can change your default subscription.

Interactive sign in

The Azure CLI's default authentication method uses a web browser and access token to sign in.

  1. Run the login command.

    az login
    

    If the CLI can determine your default browser and has access to open it, it does so and directs you immediately to a sign-in page.

    Otherwise, open https://aka.ms/devicelogin in a browser and follow the instructions on the command line to enter the authorization code.

  2. Sign in with your account credentials in the browser.

Command line

Provide your Azure user credentials on the command line.

Note

This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.

az login -u <username> -p <password>

Important

If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.

read -rsp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"; unset AZ_PASS

Under PowerShell, use the Read-Host -AsSecureString cmdlet and secure string conversion.

$securePass = Read-Host "Azure password" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
$AzPass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
# Zero and free the unmanaged copy of the password
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
az login -u <username> -p $AzPass
$AzPass = ""

Sign in with a specific tenant

If you work with multiple tenants, you can select the tenant to sign in to with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. You can sign in interactively, or provide your credentials with the --user and --password arguments.

az login --tenant <tenant>

Sign in with a service principal

Service principals are accounts that are not tied to any particular user and that receive their permissions through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs, because it lets you combine permissions restrictions with locally stored static credential information. To learn more about service principals, see Create an Azure service principal with the Azure CLI.

To sign in with a service principal, you provide the username, password or certificate PEM file, and the tenant associated with the service principal:

az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>

The tenant value is the Azure Active Directory tenant associated with the service principal. This can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. You can get the tenant object ID for your currently active account by using the following command:

az account show --query 'tenantId' -o tsv

Important

If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.

read -rsp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-url> -p "$AZ_PASS" --tenant <tenant>; unset AZ_PASS

Under PowerShell, use the Read-Host -AsSecureString cmdlet and secure string conversion.

$securePass = Read-Host "Azure password" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
$AzPass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
# Zero and free the unmanaged copy of the password
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
az login --service-principal -u <app-url> -p $AzPass --tenant <tenant>
$AzPass = ""
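
The following bash functions are an added example, not part of the original documentation or of the Azure CLI. They sign in with a service principal from an unattended script, read the password from a file that only its owner can access, and confirm the tenant with az account show. The function names and the secret file are assumptions, and the tenant is assumed to be given as its ID so that it can be compared with the tenantId value.

```bash
#!/usr/bin/env bash
# Added example: unattended service principal sign-in.
# Hypothetical names: secret_file_is_private, sp_login, and the secret file path.

# Succeeds only for a regular, non-symlink file with no group/other permissions.
secret_file_is_private() {
    local f="$1" mode
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 600 or 400
        *)   return 1 ;;
    esac
}

# Usage: sp_login <app-url> <tenant-id> <secret-file>
# Returns 0 on success, 2 bad secret file, 3 az failure, 4 wrong tenant.
sp_login() {
    local app="$1" tenant="$2" secret_file="$3" secret="" actual
    if ! secret_file_is_private "$secret_file"; then
        echo "refusing $secret_file: not a private regular file" >&2
        return 2
    fi
    # First line of the file is the secret; tolerate a missing final newline.
    IFS= read -r secret < "$secret_file" || true
    [ -n "$secret" ] || return 2
    # As on the page, the secret is passed with -p, so it is visible in the
    # az process arguments while the command runs.
    az login --service-principal -u "$app" -p "$secret" --tenant "$tenant" \
        >/dev/null || return 3
    secret=""
    # Confirm the session is in the expected tenant before doing any work.
    actual=$(az account show --query 'tenantId' -o tsv) || return 3
    if [ "$actual" != "$tenant" ]; then
        echo "signed in to tenant $actual, expected $tenant" >&2
        az logout
        return 4
    fi
}
```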