Sign in with Azure CLI

There are several authentication types for the Azure CLI. The easiest way to get started is with Azure Cloud Shell, which automatically logs you in. Locally, you can sign in interactively through your browser with the az login command. When writing scripts, the recommended approach is to use service principals. By granting a service principal only the permissions it needs, you keep your automation secure.

None of your sign-in information is stored by the CLI. Instead, an authentication refresh token is generated by Azure and stored. As of August 2018 this token is revoked after 90 days of inactivity, but this value can be changed by Microsoft or your tenant administrator. Once the token is revoked, you get a message from the CLI saying you need to sign in again.

After signing in, CLI commands are run against your default subscription. If you have multiple subscriptions, you can change your default subscription.

Sign in interactively

The Azure CLI's default authentication method uses a web browser and an access token to sign in.

  1. Run the login command.

    az login

    If the CLI can open your default browser, it will do so and load a sign-in page.

    Otherwise, you need to open a browser page and follow the instructions on the command line: navigate to https://aka.ms/devicelogin in your browser and enter the authorization code shown.

  2. Sign in with your account credentials in the browser.

Sign in with credentials on the command line

Provide your Azure user credentials on the command line.

Note

This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.

az login -u <username> -p <password>

Important

If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.

read -sp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"

Under PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password

Sign in with a service principal

Service principals are accounts not tied to any particular user, which can have permissions assigned to them through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs: it lets you restrict permissions and use locally stored static credential information. To learn more about service principals, see Create an Azure service principal with the Azure CLI.

To sign in with a service principal, you need:

  • The URL or name associated with the service principal
  • The service principal password, or the X509 certificate used to create the service principal, in PEM format
  • The tenant associated with the service principal, as either an .onmicrosoft.com domain or an Azure object ID

Important

If your service principal uses a certificate that is stored in Key Vault, that certificate's private key must be available without signing in to Azure. To retrieve a private key for use offline, use az keyvault secret show.

az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>

Important

If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-url> -p "$AZ_PASS" --tenant <tenant>

Under PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <app-url>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>
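A helper for the scripted case, added here as an example and not taken from the Azure CLI documentation: it validates the tenant and app identifiers the page lists as required (a .onmicrosoft.com domain or object ID; an app URL or name) before calling az, reads the secret with read -s when none is supplied, and accepts a PEM certificate path in place of a secret. The function names and the AZ_SP_* environment variables are assumptions chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure CLI documentation: a small wrapper for
# scripted service-principal sign-in. Function names and the AZ_SP_*
# variables are assumptions chosen for this example.

# --tenant accepts either a .onmicrosoft.com domain or the tenant's object ID
# (a GUID). Reject anything else before it reaches az.
valid_tenant() {
  case "$1" in
    ?*.onmicrosoft.com) return 0 ;;
  esac
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The -u value is the app URL or name: it must be non-empty and contain no
# whitespace, which would indicate a mangled or unset variable.
valid_app_id() {
  [ -n "$1" ] && ! printf '%s' "$1" | grep -q '[[:space:]]'
}

# sp_login APP TENANT [CREDENTIAL]
# CREDENTIAL is the client secret or the path of a PEM certificate file.
# When it is omitted, the secret is read with `read -s` (bash) so it never
# echoes to the console.
sp_login() {
  app="$1"; tenant="$2"; cred="${3:-}"
  valid_app_id "$app"    || { echo "sp_login: invalid app id" >&2; return 1; }
  valid_tenant "$tenant" || { echo "sp_login: invalid tenant '$tenant'" >&2; return 1; }
  if [ -z "$cred" ]; then
    read -rsp "Secret for $app: " cred && echo >&2
  fi
  # Quoting keeps secrets containing spaces or shell metacharacters intact.
  az login --service-principal -u "$app" -p "$cred" --tenant "$tenant" >/dev/null \
    || { echo "sp_login: az login failed" >&2; return 1; }
  # Confirm the session by printing the default subscription the CLI now uses.
  az account show --query name -o tsv
}

# Scripted use: export AZ_SP_APP_ID and AZ_SP_TENANT (and optionally
# AZ_SP_CREDENTIAL), then run this file directly.
if [ -n "${AZ_SP_APP_ID:-}" ]; then
  sp_login "$AZ_SP_APP_ID" "${AZ_SP_TENANT:-}" "${AZ_SP_CREDENTIAL:-}"
fi
```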

Sign in with a different tenant

You can select a tenant to sign in under with the --tenant argument. The value of this argument can be either an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign-in methods work with --tenant.

az login --tenant <tenant>

Sign in with a managed identity

On resources configured for managed identities for Azure resources, you can sign in using the managed identity. Signing in with the resource's identity is done through the --identity flag.

az login --identity

To learn more about managed identities for Azure resources, see Configure managed identities for Azure resources and Use managed identities for Azure resources for sign-in.