Interactive logins to Azure offer a more intuitive and flexible user experience. Interactive login with Azure CLI allows users to authenticate to Azure directly through the az login command, which is useful for ad-hoc management tasks and for environments that require manual sign-in, such as those customers with multi-factor authentication (MFA). This method simplifies access for script testing, learning, and on-the-fly management without needing to preconfigure service principals or other noninteractive authentication methods.
Prerequisites
- Install the Azure CLI
Interactive login
To sign in interactively, use the az login command. Beginning with Azure CLI version 2.61.0, Azure CLI uses Web Account Manager (WAM) on Windows, and a browser-based login on Linux and macOS by default.
az login
Subscription selector
Beginning with Azure CLI version 2.61.0, if you have access to multiple subscriptions, you're prompted to select an Azure subscription at time of login, as shown in the following example.
Retrieving subscriptions for the selection...

[Tenant and subscription selection]

No     Subscription name                     Subscription ID                           Tenant name
----   ------------------------------------  ----------------------------------------  --------------
[1]    Facility Services Subscription        00000000-0000-0000-0000-000000000000      Contoso
[2]    Finance Department Subscription       00000000-0000-0000-0000-000000000000      Contoso
[3]    Human Resources Subscription          00000000-0000-0000-0000-000000000000      Contoso
[4] *  Information Technology Subscription   00000000-0000-0000-0000-000000000000      Contoso

The default is marked with an *; the default tenant is 'Contoso' and subscription is
'Information Technology Subscription' (00000000-0000-0000-0000-000000000000).

Select a subscription and tenant (Type a number or Enter for no changes): 2

Tenant: Contoso
Subscription: Finance Department Subscription (00000000-0000-0000-0000-000000000000)

[Announcements]
With the new Azure CLI login experience, you can select the subscription you want to use more easily.
Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271236

If you encounter any problem, please open an issue at https://aka.ms/azclibug
The next time you log in, the previously selected tenant and subscription are marked as the default with an asterisk (*) next to the number. This allows you to press Enter to select the default subscription.
Commands run against the selected subscription by default. You can still use az account set to change your subscription from a command line at any time. For more information, see How to manage Azure subscriptions with the Azure CLI.
Here are some guidelines about the subscription selector to keep in mind:
- The subscription selector is only available in 64-bit Windows, Linux, or macOS.
- The subscription selector is only available when using the az login command.
- You aren't prompted to select a subscription when you're logging in with a service principal or managed identity.
If you want to disable the subscription selector feature, set the core.login_experience_v2 configuration property to off.
az config set core.login_experience_v2=off
az login
Sign in with Web Account Manager (WAM) on Windows
Beginning with Azure CLI version 2.61.0, Web Account Manager (WAM) is now the default authentication method on Windows. WAM is a Windows 10+ component that acts as an authentication broker. (An authentication broker is an application that runs on a user’s machine that manages the authentication handshakes and token maintenance for connected accounts.)
Using WAM has several benefits:
- Enhanced security. See Conditional Access: Token protection (preview).
- Support for Windows Hello, conditional access policies, and FIDO keys.
- Streamlined single sign-on.
- Bug fixes and enhancements shipped with Windows.
If you encounter an issue and want to revert to the previous browser-based authentication method, set the core.enable_broker_on_windows configuration property to false.
az account clear
az config set core.enable_broker_on_windows=false
az login
WAM is available on Windows 10 and later, and on Windows Server 2019 and later.
Sign in with a browser
The Azure CLI defaults to a browser-based authentication method when one of the following is true:
- The operating system (OS) is Mac, or Linux, or the Windows OS is earlier than Windows 10 or Windows Server 2019.
- The core.enable_broker_on_windows configuration property is set to false.
Follow these steps to sign in with a browser:
Run the az login command.
az login
If the Azure CLI can open your default browser, it initiates authorization code flow and opens the default browser to load an Azure sign-in page.
Otherwise, it initiates the device code flow and instructs you to open a browser page at https://aka.ms/devicelogin. Then, enter the code displayed in your terminal.
If no web browser is available or the web browser fails to open, you may force device code flow with az login --use-device-code.
Sign in with your account credentials in the browser.
Sign in with credentials on the command line
Provide your Azure user credentials on the command line. Only use this authentication method for learning Azure CLI commands. Production-level applications should use a service principal or managed identity.
This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. You receive an interactive authentication is needed message.
az login --user <username> --password <password>
Important
If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.
read -rsp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"
Under PowerShell, use the Get-Credential cmdlet.
$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password
Sign in with a different tenant
You can select a tenant to sign in under with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign-in methods work with --tenant.
In select environments and beginning in Azure CLI version 2.61.0, you need to first disable the subscription selector by setting the core.login_experience_v2 configuration property to off.
# disable the subscription selector (v. 2.61.0 and up)
az config set core.login_experience_v2=off
# login with a tenant ID
az login --tenant 00000000-0000-0000-0000-000000000000
To reenable the subscription selector, run az config set core.login_experience_v2=on. For more information on the subscription selector, see Interactive login.
After signing in, if you want to change your active tenant, see How-to change your active tenant.
Sign in using --scope
az login --scope https://management.core.windows.net//.default
Multi-factor authentication (MFA)
Microsoft announced in May, 2024, that it will require MFA for all Azure users. For information on how to plan for this change, see Planning for mandatory multifactor authentication for Azure and other admin portals.
MFA will only impact Microsoft Entra ID users. It will not impact service principals or managed identities.
Logout
To remove access to Azure, use the az logout command.
az logout
Clear your subscription cache
To update your subscription list, use the az account clear command. You will need to sign in again to see an updated list.
az account clear
az login
Clearing your subscription cache is not technically the same process as logging out of Azure. However, when you clear your subscription cache, you cannot run Azure CLI commands, including az account set, until you sign in again.
Refresh tokens
When you sign in with a user account, Azure CLI generates and stores an authentication refresh token. Because access tokens are valid for only a short period of time, a refresh token is issued at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. For more information on token lifetime and expiration, see Refresh tokens in the Microsoft identity platform.
Use the az account get-access-token command to retrieve the access token:
# get access token for the active subscription
az account get-access-token
# get access token for a specific subscription
az account get-access-token --subscription "<subscription ID or name>"
Here is some additional information about access token expiration dates:
- Expiration dates are updated in a format that is supported by MSAL-based Azure CLI.
- Starting from Azure CLI 2.54.0, az account get-access-token returns the expires_on property alongside the expiresOn property for the token expiration time.
- The expires_on property represents a Portable Operating System Interface (POSIX) timestamp while the expiresOn property represents a local datetime.
- The expiresOn property doesn't express "fold" when Daylight Saving Time ends. This can cause problems in countries or regions where Daylight Saving Time is adopted. For more information on "fold", see PEP 495 – Local Time Disambiguation.
- We recommend for downstream applications to use the expires_on property, because it uses the Universal Time Code (UTC).
Example output:
{
  "accessToken": "...",
  "expiresOn": "2023-10-31 21:59:10.000000",
  "expires_on": 1698760750,
  "subscription": "...",
  "tenant": "...",
  "tokenType": "Bearer"
}
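The "fold" problem with expiresOn, shown as an added example (not part of the original article or of the Azure CLI code): two constructed tokens that expire an hour apart on either side of a Daylight Saving Time change get the same expiresOn string, while expires_on keeps them distinct. The single-zone model (US Eastern, autumn 2023), the function names, and the 300-second refresh margin are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of one zone (US Eastern, autumn 2023): clocks go back
# from UTC-4 to UTC-5 at 06:00 UTC on 2023-11-05.
DST_END = int(datetime(2023, 11, 5, 6, 0, tzinfo=timezone.utc).timestamp())


def render_expires_on_local(expires_on: int) -> str:
    """Render a POSIX timestamp as a local wall-clock string, the way the
    expiresOn field looks in the example output (no offset, no fold)."""
    offset = timedelta(hours=-4 if expires_on < DST_END else -5)
    local = datetime.fromtimestamp(expires_on, tz=timezone(offset))
    return local.strftime("%Y-%m-%d %H:%M:%S.%f")


def make_sample(expires_on: int) -> dict:
    """Constructed get-access-token output with placeholder values."""
    return {
        "accessToken": "...",
        "expiresOn": render_expires_on_local(expires_on),
        "expires_on": expires_on,
        "subscription": "...",
        "tenant": "...",
        "tokenType": "Bearer",
    }


def seconds_remaining(token: dict, now: float) -> float:
    """Remaining lifetime computed from the unambiguous expires_on field."""
    return token["expires_on"] - now


def needs_refresh(token: dict, now: float, skew: int = 300) -> bool:
    """True when the token expires within `skew` seconds (assumed margin)."""
    return seconds_remaining(token, now) <= skew


# Two constructed tokens expiring one hour apart, either side of the change.
BEFORE = make_sample(DST_END - 1800)  # 01:30 local, still UTC-4
AFTER = make_sample(DST_END + 1800)   # 01:30 local, now UTC-5

if __name__ == "__main__":
    now = DST_END - 2000  # constructed "current time" for the demo
    for tok in (BEFORE, AFTER):
        print(tok["expiresOn"], tok["expires_on"], needs_refresh(tok, now))
```

A consumer that parses expiresOn cannot tell these two tokens apart and can be off by a full hour; comparing expires_on against the current POSIX time avoids that.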
Troubleshooting
When your default browser is Microsoft Edge, you might encounter the following error when attempting to sign in to Azure interactively with az login: "The connection for this site isn't secure." To resolve this issue, visit edge://net-internals/#hsts in Microsoft Edge. Add localhost under "Delete domain security policy" and select Delete.
See also
- Azure CLI Onboarding cheat sheet
- Find Azure CLI samples and published docs