Log in with Azure CLI 2.0

There are several ways to log in and authenticate with the Azure CLI. The simplest way to get started is to log in interactively through your browser, or to log in at the command line. Our recommended approach is to use service principals, which provide a way for you to create non-interactive accounts that you can use to manipulate resources. By granting just the appropriate permissions needed to a service principal, you can ensure your automation scripts are even more secure.

None of your private credential information is stored locally. Instead, an authentication token is generated by Azure and stored. After logging in, your local login token is valid until it goes for 14 days without being used. At that point, you will need to re-authenticate.

After logging in, CLI Commands are run against your default subscription. If you have more than one subscription, you may want to change your default subscription.

Interactive log-in

Log in interactively from your web browser.

  1. Run the login command.

    az login

    You get a code to use in the next step.

  2. Use a web browser to open the page https://aka.ms/devicelogin and enter the code to authenticate.

    You are prompted to log in using your credentials.

  3. Log in.

Command line

Provide your credentials on the command line.


This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.

az login -u <username> -p <password>

Logging in with a service principal

Service principals are like user accounts to which you can apply rules using Azure Active Directory. Authenticating with a service principal is the best way to secure the usage of your Azure resources from either your scripts or applications that manipulate resources. If you don't already have a service principal available and would like to create one, see Create an Azure service principal with the Azure CLI.

To log in with a service principal, you provide the username, password or certificate PEM file, and the tenant associated with the service principal:

az login --service-principal -u <user> -p <password-or-cert> --tenant <tenant>

The tenant value is the Azure Active Directory tenant associated with the service principal. This can either be an .onmicrosoft.com domain, or the Azure object ID for the tenant. You can get the tenant object ID for your current login by using the following command:

az account show --query 'tenantId' -o tsv