Sign in with Azure CLI 2.0

There are several authentication types for the Azure CLI. The easiest way to get started is with Azure Cloud Shell, which automatically logs you in. Locally, you can sign in interactively through your browser with the az login command. When writing scripts, the recommended approach is to use service principals. By granting just the appropriate permissions needed to a service principal, you can keep your automation secure.

The CLI does not store your password. Instead, Azure issues a refresh token, which the CLI caches in its configuration directory (~/.azure by default, or the directory named by the AZURE_CONFIG_DIR environment variable). Treat that directory as a credential store: anyone who can read the cache can act as you until the token is revoked, and az logout discards it. As of August 2018 the token is revoked after 90 days of inactivity, but this value can be changed by Microsoft or your tenant administrator. Once the token is revoked, the CLI tells you that you need to sign in again.

After signing in, CLI commands run against your default subscription. If you have access to multiple subscriptions, az account list shows them and az account set changes the default; check az account show before running anything destructive so that it targets the subscription you expect.

Sign in interactively

The Azure CLI's default authentication method uses a web browser and access token to sign in.

  1. Run the login command.

    az login
    

    If the CLI can open your default browser, it will do so and load a sign-in page.

    Otherwise, you need to open a browser page and follow the instructions on the command line to enter an authorization code after navigating to https://aka.ms/devicelogin in your browser.

  2. Sign in with your account credentials in the browser.

Sign in with credentials on the command line

Provide your Azure user credentials on the command line. A password passed as an argument is recorded in your shell history and is visible to every user of the host through the process list for as long as the command runs, so prefer interactive or service-principal sign-in where you can.

Note

This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.

az login -u <username> -p <password>

Important

If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash. This keeps the password out of your shell history, but it still appears in the arguments of the az process while the command runs.

read -sp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"; unset AZ_PASS

Under PowerShell, use the Read-Host -AsSecureString cmdlet and secure string conversion.

$securePass = Read-Host "Azure password: " -AsSecureString
# Copy the secure string to an unmanaged BSTR, read it into a plain string, then zero and free the BSTR
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
$AzPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
az login -u <username> -p $AzPass
$AzPass = ""

Sign in with a service principal

Service principals are identities not tied to any particular user; permissions are assigned to them through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs: you can restrict the principal to exactly the permissions the script needs, and its credential can be kept locally as a static secret or certificate instead of a user's password. To learn more about service principals, see Create an Azure service principal with the Azure CLI.

To sign in with a service principal, you need:

  • The application (client) ID of the service principal, or the name or URL associated with it
  • The service principal password, or the path to a PEM file containing the X509 certificate and private key used to create the service principal
  • The tenant associated with the service principal, as either an .onmicrosoft.com domain or the tenant ID (a GUID)

az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>

Important

If you want to avoid displaying the password on the console and are using az login interactively, use the read -s command under bash. This keeps the password out of your shell history, but it still appears in the arguments of the az process while the command runs; certificate authentication avoids that, because -p then carries only a file path.

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-url> -p "$AZ_PASS" --tenant <tenant>; unset AZ_PASS

Under PowerShell, use the Read-Host -AsSecureString cmdlet and secure string conversion.

$securePass = Read-Host "Azure password: " -AsSecureString
# Copy the secure string to an unmanaged BSTR, read it into a plain string, then zero and free the BSTR
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
$AzPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
az login --service-principal -u <app-url> -p $AzPass --tenant <tenant>
$AzPass = ""
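The following script is added here as an example; it is not code from the Azure CLI documentation. It puts the service-principal sign-in above, together with the password-handling advice from the command-line section and the note about the cached refresh token, into a form usable from CI or cron. It assumes az is installed, reads the client ID and tenant from the environment variables AZ_CLIENT_ID and AZ_TENANT, and takes the credential from a file named by AZ_SECRET_FILE or AZ_CERT_FILE; those variable names and the helper functions (is_guid, valid_tenant, owner_only, check_cli_dir, sp_login) are this example's own choices. Before any sign-in it validates the identifiers, refuses credential files and a CLI configuration directory that other users can read, and prefers certificate authentication because that keeps the secret out of the az process's argument list.

```shell
#!/bin/sh
# sp-login.sh: non-interactive Azure CLI sign-in with a service principal.
# Added example; not code from the Azure CLI documentation. Assumes "az" is
# installed and that the caller sets (names chosen for this example):
#   AZ_CLIENT_ID    application (client) ID of the service principal
#   AZ_TENANT       tenant ID (GUID) or <name>.onmicrosoft.com domain
#   AZ_SECRET_FILE  file holding the client secret (mode 600), or
#   AZ_CERT_FILE    PEM file holding the certificate and its private key (mode 600)
set -eu

GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

is_guid() { printf '%s\n' "$1" | grep -Eq "$GUID_RE"; }

# --tenant accepts the tenant ID or a verified .onmicrosoft.com domain.
valid_tenant() {
  is_guid "$1" || printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+\.onmicrosoft\.com$'
}

# Octal permission bits of a path, on GNU (Linux) or BSD/macOS stat.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }

# True when group and other have no permission bits at all (600, 700, 400, ...).
owner_only() {
  mode=$(file_mode "$1") || return 1
  case $mode in *00) return 0 ;; *) return 1 ;; esac
}

# The CLI caches its refresh token under the config directory; on a shared
# host make sure other users cannot read it before a token is written there.
check_cli_dir() {
  dir=${AZURE_CONFIG_DIR:-$HOME/.azure}
  [ -d "$dir" ] || return 0            # not created until the first login
  owner_only "$dir" || { echo "warning: $dir is readable by other users" >&2; return 1; }
}

sp_login() {
  is_guid "${AZ_CLIENT_ID:-}"   || { echo "AZ_CLIENT_ID must be the application (client) ID" >&2; return 2; }
  valid_tenant "${AZ_TENANT:-}" || { echo "AZ_TENANT must be a GUID or <name>.onmicrosoft.com" >&2; return 2; }
  check_cli_dir || return 3

  if [ -n "${AZ_CERT_FILE:-}" ]; then
    # Certificate auth: -p carries only a path, so no secret reaches argv,
    # shell history or the process list.
    owner_only "$AZ_CERT_FILE" || { echo "$AZ_CERT_FILE must be mode 600" >&2; return 3; }
    az login --service-principal -u "$AZ_CLIENT_ID" -p "$AZ_CERT_FILE" --tenant "$AZ_TENANT" >/dev/null
  else
    owner_only "${AZ_SECRET_FILE:-}" || { echo "AZ_SECRET_FILE must exist and be mode 600" >&2; return 3; }
    secret=$(cat "$AZ_SECRET_FILE")    # read once; never echo it
    # -p still places the secret in az's argv, visible in `ps` on this host
    # while the command runs; that is the reason to prefer the certificate.
    az login --service-principal -u "$AZ_CLIENT_ID" -p "$secret" --tenant "$AZ_TENANT" >/dev/null
    unset secret
  fi
  # Confirm which principal and default subscription later commands will use.
  az account show --query '{user:user.name, subscription:name, id:id}' --output tsv
}

# Network sign-in only on request:
#   AZ_CLIENT_ID=... AZ_TENANT=... AZ_SECRET_FILE=... ./sp-login.sh login
if [ "${1:-}" = "login" ]; then sp_login; fi
```

Run ./sp-login.sh login with the variables set; without the login argument the script only defines the helpers, so it can be sourced by other scripts that need the same checks.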

Sign in with a different tenant

You can select a tenant to sign in under with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the tenant ID (a GUID). Both interactive and command-line sign-in methods accept --tenant.

az login --tenant <tenant>

Sign in with a managed identity

On resources configured for managed identities for Azure resources, you can sign in as the resource's identity with the --identity flag. No credential is supplied: the CLI obtains a token from the instance metadata endpoint, which is reachable only from inside the resource, so this method works on the resource itself and nowhere else. With no further arguments the system-assigned identity is used; for a user-assigned identity, pass its client ID with --username (-u).

az login --identity
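As an added example (not code from the Azure CLI documentation), the script below wraps az login --identity so that it fails fast when not running on Azure and handles a user-assigned identity. It assumes az and curl are present and that MI_CLIENT_ID, if set, holds the client ID of a user-assigned identity; the names MI_CLIENT_ID, imds_token_url, on_azure and mi_login are this example's own. imds_token_url builds the token request the CLI makes against the instance metadata service on your behalf, which is why the client ID matters: without client_id, the metadata service returns a token for the system-assigned identity.

```shell
#!/bin/sh
# mi-login.sh: sign in to the Azure CLI with a managed identity.
# Added example, not from the Azure CLI docs. Assumes it runs on an Azure
# resource with a managed identity, that "az" and "curl" are installed, and
# that MI_CLIENT_ID (optional, a name chosen for this example) holds the
# client ID of a user-assigned identity.
set -eu

# --identity obtains its token from the instance metadata service (IMDS),
# which answers only from inside the resource at this link-local address.
IMDS=http://169.254.169.254/metadata
API=2018-02-01

# Token request URL the CLI issues on your behalf for a given resource.
# A user-assigned identity must be selected by client_id; otherwise IMDS
# returns a token for the system-assigned identity.
imds_token_url() {
  url="$IMDS/identity/oauth2/token?api-version=$API&resource=$1"
  if [ -n "${2:-}" ]; then url="$url&client_id=$2"; fi
  printf '%s\n' "$url"
}

# Probe the instance endpoint with a short timeout so that a run on a laptop
# or in the wrong CI runner fails with a clear message instead of a hang.
on_azure() {
  curl -sf -m 2 -H Metadata:true "$IMDS/instance?api-version=$API" >/dev/null 2>&1
}

mi_login() {
  on_azure || { echo "IMDS unreachable: not running on an Azure resource" >&2; return 1; }
  if [ -n "${MI_CLIENT_ID:-}" ]; then
    az login --identity --username "$MI_CLIENT_ID" >/dev/null
  else
    az login --identity >/dev/null
  fi
  # Show which identity and default subscription the session now uses.
  az account show --query '{identity:user.name, subscription:name}' --output tsv
}

# Network sign-in only on request:  MI_CLIENT_ID=... ./mi-login.sh login
if [ "${1:-}" = "login" ]; then mi_login; fi
```

Running ./mi-login.sh login on a VM without a managed identity still fails, but at the az login step rather than at the probe; the probe only tells you whether you are on an Azure resource at all.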

To learn more about managed identities for Azure resources, see Configure managed identities for Azure resources and Use managed identities for Azure resources for sign in.