Log in with Azure CLI 2.0
There are several ways to log in and authenticate with the Azure CLI. The easiest way to get started is to log in interactively through your browser, using either Azure Cloud Shell or the az login command.
The recommended approach is to use service principals, which are permissions-restricted accounts. By granting a service principal only the permissions it needs, you can ensure your automation scripts are even more secure.
None of your private credential information is stored locally. Instead, an authentication token is generated by Azure and stored. After you log in, your login token remains valid until it has gone 14 days without being used. At that point, you need to re-authenticate.
After logging in, CLI commands are run against your default subscription. If you have more than one subscription, you can change your default subscription.
Log in interactively from your web browser.
Run the login command.
You get a code to use in the next step.
Use a web browser to open the page https://aka.ms/devicelogin and enter the code to authenticate.
You are prompted to log in using your credentials.
Provide your credentials on the command line.
This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.
az login -u <username> -p <password>
Log in with a specific tenant
If you work with multiple tenants, you can select the tenant to log in under with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. You can log in interactively, or provide your credentials with the
az login --tenant <tenant>
Logging in with a service principal
Service principals are accounts that are not tied to any particular user and that can have permissions assigned to them through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs, allowing you to apply both permissions restrictions and locally stored static credential information. To learn more about service principals, see Create an Azure service principal with the Azure CLI.
To log in with a service principal, you provide the username, password or certificate PEM file, and the tenant associated with the service principal:
az login --service-principal -u <user> -p <password-or-cert> --tenant <tenant>
The tenant value is the Azure Active Directory tenant associated with the service principal. This can either be an .onmicrosoft.com domain or the Azure object ID for the tenant.
You can get the tenant object ID for your current login by using the following command:
az account show --query 'tenantId' -o tsv
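The service principal login above, wrapped for an automation script, as an added example that is not part of the original page: it refuses to call az until all inputs are present, accepts only the two tenant forms named above, and confirms the session's tenant with az account show afterwards. The variable names AZ_SP_USER, AZ_SP_SECRET and AZ_SP_TENANT and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example. AZ_SP_USER, AZ_SP_SECRET and AZ_SP_TENANT are assumed
# variable names, injected by the CI system or a secret store.

# Print "id" for a tenant object ID (GUID) or "domain" for an
# .onmicrosoft.com domain; return 1 for anything else.
tenant_kind() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    if printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'; then
        echo id
    elif printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+\.onmicrosoft\.com$'; then
        echo domain
    else
        return 1
    fi
}

# Lower-case a string so GUIDs compare case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Log in as the service principal and print the tenant ID of the session.
# Return codes: 2 missing variable, 3 bad tenant value, 4 login failed,
# 5 account query failed, 6 session is in a different tenant.
sp_login() {
    for v in AZ_SP_USER AZ_SP_SECRET AZ_SP_TENANT; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing $v" >&2; return 2; }
    done
    kind=$(tenant_kind "$AZ_SP_TENANT") || { echo "bad tenant value" >&2; return 3; }
    # AZ_SP_SECRET is the password or the path to the certificate PEM file.
    az login --service-principal -u "$AZ_SP_USER" -p "$AZ_SP_SECRET" \
        --tenant "$AZ_SP_TENANT" >/dev/null || return 4
    actual=$(az account show --query 'tenantId' -o tsv) || return 5
    if [ "$kind" = id ] && [ "$(lc "$actual")" != "$(lc "$AZ_SP_TENANT")" ]; then
        echo "session tenant $actual does not match AZ_SP_TENANT" >&2
        return 6
    fi
    printf '%s\n' "$actual"
}
```

Call sp_login at the top of a script and stop on any non-zero status. When AZ_SP_SECRET holds the path to a certificate PEM file, the az command line carries the path and not the secret itself.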