LinuxCommandLibrary

az-login

Authenticate to Azure

TLDR

Log in interactively

$ az login

Log in with a service principal using a client secret
$ az login --service-principal [[-u|--username]] [http://azure-cli-service-principal] [[-p|--password]] [secret] [[-t|--tenant]] [someone.onmicrosoft.com]

Log in with a service principal using a client certificate
$ az login --service-principal [[-u|--username]] [http://azure-cli-service-principal] [[-p|--password]] [path/to/cert.pem] [[-t|--tenant]] [someone.onmicrosoft.com]

Log in using a VM's system assigned identity
$ az login [[-i|--identity]]

Log in using a VM's user assigned identity
$ az login [[-i|--identity]] [[-u|--username]] /subscriptions/[subscription_id]/resourcegroups/[my_rg]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[my_id]

SYNOPSIS

az login [--allow-no-subscriptions] [--service-principal] [--tenant TENANT] [--use-device-code] [--username USERNAME] [--output TYPE] [--query JMESPATH]

PARAMETERS

--allow-no-subscriptions
    Log in even without accessible subscriptions

--service-principal
    Authenticate via service principal (prompts for client ID/secret/tenant)

--tenant
    Azure AD tenant ID or domain name

--use-device-code
    Use device code flow for headless login

--username
    Account username for interactive login

--output
    Output format (json, table, etc.)

--query
    JMESPath query string for output filtering

DESCRIPTION

The az login command authenticates a user, service principal, or managed identity with Azure Active Directory (Azure AD) to access Azure resources via the Azure CLI. It is the primary entry point for interactive or automated logins.

By default, it launches a browser for interactive sign-in, where users enter credentials on azurecli.net. For headless environments, --use-device-code provides a device code to enter on another device. Service principals enable non-interactive automation with client ID, secret, and tenant details. Managed identities simplify authentication in Azure-hosted apps.

Post-login, the CLI stores access tokens in ~/.azure/accessTokens.json and profiles in ~/.azure/profiles/default. List accounts with az account list. Tokens auto-refresh until expiry (typically 1 hour), prompting re-authentication as needed. Supports multi-tenant logins and subscription scoping.

az login is a prerequisite for all subsequent az commands that require authorization.

CAVEATS

Tokens expire, after which re-authentication is needed; the browser popup may fail in restricted networks; a service principal requires an app registration; multi-account logins need az account commands to switch between accounts.

BASIC EXAMPLES

az login
az login --use-device-code
az login --service-principal -u APP_ID -p SECRET --tenant TENANT_ID

TOKEN LOCATION

Tokens are stored in ~/.azure/; clear them with az account clear or rm -rf ~/.azure
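
Because this directory holds cached credentials, it is worth confirming that only the owning user can read it. The script below is an added example, not part of the Azure CLI or of the original page; the function names are this example's own, and the directory defaults to the ~/.azure location given above.

```shell
#!/bin/sh
# Added example: audit the Azure CLI credential directory for loose permissions.
# Usage after sourcing this file:  audit_azure_dir [DIR]   and   harden DIR
# DIR defaults to ~/.azure (the location named on this page).

# Print every file or directory under $1 that group or others can access.
# Only POSIX find predicates are used: -perm -MODE means "all these bits set",
# so each group/other bit is tested separately and OR-ed together.
list_exposed() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Print the number of exposed entries (assumes no newlines in file names).
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Remove group/other access from everything under $1; owner bits are untouched.
harden() {
    chmod -R go-rwx "$1"
}

# Report only. Returns 0 when clean, 1 when something is exposed,
# 2 when the directory is absent (never logged in, or already cleared).
audit_azure_dir() {
    dir=${1:-"$HOME/.azure"}
    [ -d "$dir" ] || { echo "no credential directory at $dir"; return 2; }
    n=$(count_exposed "$dir")
    if [ "$n" -gt 0 ]; then
        echo "$n entries accessible beyond the owner:"
        list_exposed "$dir"
        return 1
    fi
    echo "$dir: owner-only"
    return 0
}
```

A non-zero result from audit_azure_dir on a shared host or CI runner is a reason to run harden on the directory, or to clear the cached tokens and log in again.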

HISTORY

Introduced in Azure CLI 2.0 (2018), replacing the older ACME CLI; it evolved with AAD v2 endpoints, managed identities (2019+), and device code support for better headless use.

SEE ALSO

az logout(1), az account list(1), az account set(1)
