Sign into Azure interactively using the Azure CLI

Interactive logins to Azure offer a more intuitive and flexible user experience. With Azure CLI, you can authenticate to Azure directly through the az login command. This command is useful for ad-hoc management tasks and for environments that require manual sign-in, such as those with multi-factor authentication (MFA). This method simplifies access for script testing, learning, and on-the-fly management without needing to preconfigure service principals or other noninteractive authentication methods.

Important

Starting in 2025, Microsoft will enforce mandatory MFA for Azure CLI and other command-line tools. For more background about this requirement, see our blog post.

MFA will only impact Microsoft Entra ID user identities. It will not impact workload identities, such as service principals and managed identities.

If you are using az login with an Entra ID and password to authenticate a script or automated process, plan now to migrate to a workload identity. Here are some helpful links to assist you in making this change:

Prerequisites

Interactive login

To sign in interactively, use the az login command. Beginning with Azure CLI version 2.61.0, Azure CLI uses Web Account Manager (WAM) on Windows, and a browser-based login on Linux and macOS by default.

az login

Subscription selector

Beginning with Azure CLI version 2.61.0, if you have access to multiple subscriptions, you're prompted to select an Azure subscription at the time of login, as shown in the following example.

Retrieving subscriptions for the selection...

[Tenant and subscription selection]

No    Subscription name                     Subscription ID                           Tenant name
----  ------------------------------------  ----------------------------------------  --------------
[1]   Facility Services Subscription        00000000-0000-0000-0000-000000000000      Contoso
[2]   Finance Department Subscription       00000000-0000-0000-0000-000000000000      Contoso
[3]   Human Resources Subscription          00000000-0000-0000-0000-000000000000      Contoso
[4] * Information Technology Subscription   00000000-0000-0000-0000-000000000000      Contoso

The default is marked with an *; the default tenant is 'Contoso' and subscription is
'Information Technology Subscription' (00000000-0000-0000-0000-000000000000).

Select a subscription and tenant (Type a number or Enter for no changes): 2

Tenant: Contoso
Subscription: Finance Department Subscription (00000000-0000-0000-0000-000000000000)

[Announcements]
With the new Azure CLI login experience, you can select the subscription you want to use more easily.
Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271236

If you encounter any problem, please open an issue at https://aka.ms/azclibug

The next time you sign in, the previously selected tenant and subscription is marked as the default with an asterisk (*) next to its number. This marking allows you to press Enter to select the default subscription.

By default, commands run against the selected subscription. You can use az account set to change your subscription from a command line at any time. For more information, see How to manage Azure subscriptions with the Azure CLI.

Here are some guidelines about the subscription selector to keep in mind:

  • The subscription selector is only available in 64-bit Windows, Linux, or macOS.
  • The subscription selector is only available when using the az login command.
  • You aren't prompted to select a subscription when you're logging in with a service principal or managed identity.

If you want to disable the subscription selector feature, set the core.login_experience_v2 configuration property to off.

az config set core.login_experience_v2=off
az login

Sign in with Web Account Manager (WAM) on Windows

Beginning with Azure CLI version 2.61.0, Web Account Manager (WAM) is the default authentication method on Windows. WAM is a Windows 10+ component that acts as an authentication broker. An authentication broker is an application that runs on a user's machine. It manages the authentication handshakes and token maintenance for connected accounts.

Using WAM has several benefits:

If you encounter an issue and want to revert to the previous browser-based authentication method, set the core.enable_broker_on_windows configuration property to false.

az account clear
az config set core.enable_broker_on_windows=false
az login

WAM is available on Windows 10 and later, and on Windows Server 2019 and later.

Sign in with a browser

The Azure CLI defaults to a browser-based authentication method when one of the following is true:

  • The operating system (OS) is macOS or Linux, or the Windows OS is earlier than Windows 10 or Windows Server 2019.
  • The core.enable_broker_on_windows configuration property is set to false.

To sign in with a browser, follow these steps:

  1. Run the az login command.

    az login
    

    If the Azure CLI can open your default browser, it initiates authorization code flow and opens the default browser to load an Azure sign-in page.

    Otherwise, it initiates the device code flow and instructs you to open a browser page at https://aka.ms/devicelogin. Then, enter the code displayed in your terminal.

    If no web browser is available or the web browser fails to open, you may force device code flow with az login --use-device-code.

  2. Sign in with your account credentials in the browser.

Sign in with credentials on the command line

Provide your Azure user credentials on the command line. Only use this authentication method for learning Azure CLI commands. For production-level applications, use a service principal or managed identity.

This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. You receive an "interactive authentication is needed" message.

az login --user <username> --password <password>

Important

To avoid displaying your password on console when using az login interactively, use the read -s command under bash.

read -rsp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"

Under PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password

Sign in with a different tenant

You can select a tenant to sign in with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign-in methods work with --tenant.

In select environments and beginning in Azure CLI version 2.61.0, you need to first disable the subscription selector by setting the core.login_experience_v2 configuration property to off.

# disable the subscription selector (v. 2.61.0 and up)
az config set core.login_experience_v2=off

# login with a tenant ID
az login --tenant 00000000-0000-0000-0000-000000000000

To reenable the subscription selector, run az config set core.login_experience_v2=on. For more information on the subscription selector, see Interactive login.

After signing in, if you want to change your active tenant, see How to change your active tenant.

Sign in using --scope

az login --scope https://management.core.windows.net//.default

Logout

To remove access to Azure, use the az logout command.

az logout

Clear your subscription cache

To update your subscription list, use the az account clear command. You need to sign in again to see an updated list.

az account clear

az login

Clearing your subscription cache isn't technically the same process as logging out of Azure. However, when you clear your subscription cache, you can't run Azure CLI commands, including az account set, until you sign in again.

Refresh tokens

When you sign in with a user account, Azure CLI generates and stores an authentication refresh token. Because access tokens are valid for only a short period of time, a refresh token is issued at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. For more information on token lifetime and expiration, see Refresh tokens in the Microsoft identity platform.

Use the az account get-access-token command to retrieve the access token:

# get access token for the active subscription
az account get-access-token

# get access token for a specific subscription
az account get-access-token --subscription "<subscription ID or name>"

Here is some additional information about access token expiration dates:

  • Expiration dates are updated in a format that is supported by MSAL-based Azure CLI.
  • Starting from Azure CLI 2.54.0, az account get-access-token returns the expires_on property alongside the expiresOn property for the token expiration time.
  • The expires_on property represents a Portable Operating System Interface (POSIX) timestamp while the expiresOn property represents a local datetime.
  • The expiresOn property doesn't express "fold" when Daylight Saving Time ends. This can cause problems in countries or regions where Daylight Saving Time is adopted. For more information on "fold", see PEP 495 – Local Time Disambiguation.
  • We recommend that downstream applications use the expires_on property, because it uses Coordinated Universal Time (UTC).

Example output:

{
  "accessToken": "...",
  "expiresOn": "2023-10-31 21:59:10.000000",
  "expires_on": 1698760750,
  "subscription": "...",
  "tenant": "...",
  "tokenType": "Bearer"
}
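The following is an added example, not code from the original page or from Azure CLI itself. It shows how a downstream script can derive the expiry from expires_on, fall back to expiresOn on CLI versions older than 2.54.0, and why a repeated wall-clock time at the end of Daylight Saving Time maps to two different instants. The function names, the 300-second safety margin, and the UTC offsets used for the fold case are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the page's example output, redacted fields left as "...".
SAMPLE = """{
  "accessToken": "...",
  "expiresOn": "2023-10-31 21:59:10.000000",
  "expires_on": 1698760750,
  "subscription": "...",
  "tenant": "...",
  "tokenType": "Bearer"
}"""

LOCAL_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def _local_to_utc(local_text, offset_hours):
    """Interpret a naive expiresOn string under an explicit UTC offset."""
    naive = datetime.strptime(local_text, LOCAL_FORMAT)
    zone = timezone(timedelta(hours=offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def token_expiry_utc(raw_json, local_utc_offset_hours=None):
    """Return (aware UTC expiry, name of the field it was read from)."""
    token = json.loads(raw_json)
    if "expires_on" in token:  # Azure CLI 2.54.0 and later: POSIX timestamp
        expiry = datetime.fromtimestamp(int(token["expires_on"]), tz=timezone.utc)
        return expiry, "expires_on"
    # Older CLI: only a local datetime without an offset is available.
    if local_utc_offset_hours is None:
        raise ValueError("expiresOn is local time; a UTC offset is required")
    return _local_to_utc(token["expiresOn"], local_utc_offset_hours), "expiresOn"


def seconds_remaining(raw_json, now_utc, skew_seconds=300, local_utc_offset_hours=None):
    """Usable lifetime left, minus a margin (assumed 300 s) for clock skew."""
    expiry, _ = token_expiry_utc(raw_json, local_utc_offset_hours)
    return int((expiry - now_utc).total_seconds()) - skew_seconds


def fold_candidates(expires_on_local, dst_offset_hours, std_offset_hours):
    """Both UTC instants that one repeated wall-clock time can mean when DST ends."""
    return [_local_to_utc(expires_on_local, hours)
            for hours in (dst_offset_hours, std_offset_hours)]
```

Neither function reads or prints accessToken, so the expiry check can be logged without exposing the bearer token.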

Troubleshooting

When your default browser is Microsoft Edge, you might encounter the following error when attempting to sign in to Azure interactively with az login: "The connection for this site isn't secure." To resolve this issue, visit edge://net-internals/#hsts in Microsoft Edge. Add localhost under "Delete domain security policy" and select Delete.
