Log in with Azure CLI 2.0

There are several ways to log in and authenticate with the Azure CLI. The simplest way to get started is to log in interactively through your browser, or to log in at the command line. Our recommended approach is to use service principals, which let you create non-interactive accounts that you can use to manipulate resources. By granting a service principal only the permissions it needs, you keep your automation scripts more secure.

None of your private credential information is stored locally. Instead, Azure generates an authentication token, and that token is stored. After you log in, your local login token remains valid until it goes 14 days without being used. At that point, you need to re-authenticate.

Commands that you run with the CLI are run against your default subscription. If you have more than one subscription, you may want to confirm your default subscription and change it appropriately.

Interactive log-in

Log in interactively from your web browser.

  1. Run the login command.

    az login

    You get a code to use in the next step.

  2. Use a web browser to open the page https://aka.ms/devicelogin and enter the code to authenticate.

    You are prompted to log in using your credentials.

  3. Log in.

Command line

Provide your credentials on the command line.


This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.

    az login -u <username> -p <password>

Logging in with a service principal

Service principals are like user accounts to which you can apply rules using Azure Active Directory. Authenticating with a service principal is the best way to secure the usage of your Azure resources from either your scripts or applications that manipulate resources. You define the roles you want your users to have via the az role set of commands. You can learn more and see examples of service principal roles in our az role reference articles.

  1. If you don't already have a service principal, create one.

  2. Log in with the service principal.

    az login --service-principal -u "http://my-app" -p <password> --tenant <tenant>

    To get your tenant, log in interactively and then get the tenantId from your subscription.

    az account show

    {
        "environmentName": "AzureCloud",
        "id": "********-****-****-****-************",
        "isDefault": true,
        "name": "Pay-As-You-Go",
        "state": "Enabled",
        "tenantId": "********-****-****-****-************",
        "user": {
            "name": "********",
            "type": "user"
        }
    }
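
As an added example (not part of the original article), the script below wraps the service principal login for unattended use, then uses az account show to confirm the tenant and default subscription before anything else runs. The variable names AZ_SP_NAME, AZ_SP_PASSWORD, AZ_TENANT and AZ_EXPECTED_SUB and both function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Azure CLI documentation.
# Assumed inputs (names chosen for this example), injected by the CI system
# or secret store rather than written into the script:
#   AZ_SP_NAME, AZ_SP_PASSWORD, AZ_TENANT, AZ_EXPECTED_SUB

# Log in as the service principal; fail fast if a credential is missing.
sp_login() {
    for v in AZ_SP_NAME AZ_SP_PASSWORD AZ_TENANT; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "sp_login: $v is not set" >&2
            return 2
        fi
    done
    # Note: -p still places the secret in this process's argument list.
    az login --service-principal -u "$AZ_SP_NAME" -p "$AZ_SP_PASSWORD" \
        --tenant "$AZ_TENANT" >/dev/null
}

# Check that the session landed in the expected tenant and that the default
# subscription is the one the script is meant to change.
confirm_context() {
    actual_tenant=$(az account show --query tenantId -o tsv) || return 1
    actual_sub=$(az account show --query id -o tsv) || return 1
    if [ "$actual_tenant" != "${AZ_TENANT:-}" ]; then
        echo "confirm_context: unexpected tenant $actual_tenant" >&2
        return 3
    fi
    if [ "$actual_sub" != "${AZ_EXPECTED_SUB:-}" ]; then
        echo "confirm_context: unexpected default subscription $actual_sub" >&2
        return 4
    fi
}

# Typical use at the top of an automation script:
#   sp_login && confirm_context || exit 1
```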