LinuxCommandLibrary

az-login

Authenticate to Azure

TLDR

Log in interactively
$ az login

Log in with a service principal using a client secret
$ az login --service-principal [[-u|--username]] [http://azure-cli-service-principal] [[-p|--password]] [secret] --tenant [someone.onmicrosoft.com]

Log in with a service principal using a client certificate
$ az login --service-principal [[-u|--username]] [http://azure-cli-service-principal] [[-p|--password]] [path/to/cert.pem] [[-t|--tenant]] [someone.onmicrosoft.com]

Log in using a VM's system assigned identity
$ az login [[-i|--identity]]

Log in using a VM's user assigned identity
$ az login [[-i|--identity]] [[-u|--username]] /subscriptions/[subscription_id]/resourcegroups/[my_rg]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[my_id]

SYNOPSIS

az login [authentication_options] [global_options]

PARAMETERS

--service-principal
    Use a service principal for authentication. Requires --username (App ID) and --password (secret or certificate path).

--username -u
    Username (email), service principal client ID, or managed identity client ID.

--password -p
    User password, service principal secret, or path to certificate file.

--tenant -t
    The tenant ID for login. Useful for organizations with multiple tenants.

--allow-no-subscriptions
    Allow login even if the account has no associated subscriptions.

--msi
    Use Managed Service Identity for authentication. Typically used on Azure VMs or resources.

--federated-token
    Use a federated token for Workload Identity authentication.

--scope
    Specify the OAuth 2.0 permissions scope.

--only-show-errors
    Suppress warnings and only display errors.

DESCRIPTION

az-login is not a standalone Linux command; the name refers to the az login subcommand of the Azure Command-Line Interface (Azure CLI), or to a shell alias for it.

The az login command is the primary way to authenticate an Azure CLI session so that it can interact with Azure resources: it signs you in to Azure, after which you can manage your subscriptions and run other Azure CLI commands. By default it starts an interactive browser-based flow, either prompting you to open a URL and enter a device code or redirecting you directly to a browser for sign-in. Once authenticated, the Azure CLI caches your credentials, so subsequent commands run without re-authentication until the token expires or you explicitly log out. The command supports several authentication methods for different scenarios: interactive user login, service principals for automation, and managed identities for Azure resources.

CAVEATS

Interactive browser login is the default and generally recommended for human users, especially with Multi-Factor Authentication (MFA).
For automation (CI/CD pipelines), service principal authentication is preferred over username/password for security.
Avoid hardcoding passwords directly in scripts; use environment variables or secure key vaults.
Token caching means you don't need to run az login before every command, but re-authentication is required periodically or after token expiration.
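The service-principal flow from the TLDR, written the way the caveats above ask for: the secret comes from the environment rather than the script, the job fails before calling az if anything is missing, and the cached token is dropped when the job ends. This is an added example, not code from the page or from the Azure CLI project; the variable names AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID are this example's assumption.

```shell
#!/bin/sh
# Added example, not from the original page: a CI job logging in with a service
# principal whose secret comes from the environment instead of the script.
# The variable names AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID
# are this example's assumption, not something the Azure CLI itself reads.
set -eu

# Fail closed: every required variable must be set and non-empty before az is
# called. Returns 0 when all are present, 1 otherwise; never prints the secret.
check_sp_env() {
  missing=0
  for name in AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required variable: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# What may go into the job log: the login command with the secret redacted.
describe_sp_login() {
  printf 'az login --service-principal --username %s --password <redacted> --tenant %s\n' \
    "$AZURE_CLIENT_ID" "$AZURE_TENANT_ID"
}

# Log in with xtrace off, so a `set -x` in the surrounding job cannot echo the
# secret, then confirm which identity the cached token belongs to.
sp_login() {
  check_sp_env || return 1
  describe_sp_login
  { set +x; } 2>/dev/null
  az login --service-principal \
    --username "$AZURE_CLIENT_ID" \
    --password "$AZURE_CLIENT_SECRET" \
    --tenant "$AZURE_TENANT_ID" \
    --allow-no-subscriptions --only-show-errors >/dev/null
  az account show --query '{tenant:tenantId,user:user.name}' -o tsv
}

# Entry point for the CI step: the trap drops the cached token when the job
# ends, whether it succeeded or failed, so the runner is not left logged in.
ci_login() {
  trap 'az logout --only-show-errors 2>/dev/null || true' EXIT
  sp_login
}

case "${1:-}" in run) ci_login ;; esac
```

Run it as `sh login.sh run` from the CI step; without the `run` argument the file only defines the functions so it can be sourced.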

AUTHENTICATION METHODS

az login supports several authentication flows:
1. Interactive (Browser): Default, opens a browser for authentication.
2. Device Code Flow: Provides a code to enter on a separate device/browser.
3. Service Principal: For non-interactive scripting, using an application ID and secret/certificate.
4. Managed Identity (MSI): For applications running on Azure services.
5. Workload Identity: Using federated tokens, e.g., in Kubernetes.

TOKEN CACHING

Upon successful login, the Azure CLI caches an access token and a refresh token and reuses them for subsequent commands, so you do not need to re-authenticate for a set period. The cache lives in a local directory (e.g., ~/.azure/ on Linux); its protection rests on that directory's file permissions, so treat its contents as credential material.

HISTORY

The Azure CLI, and consequently its login command, has undergone significant evolution. Initially, Azure resources were managed via the Azure Service Management (ASM) CLI (azure login). With the advent of Azure Resource Manager (ARM), the modern cross-platform Azure CLI (az login) was introduced, providing a consistent and powerful interface for managing ARM resources. The command has continuously added support for new authentication methods, such as Managed Identities and Workload Identities, to cater to diverse enterprise and automation needs, reflecting the evolving security landscape of cloud computing.

SEE ALSO

az logout, az account show, az account list, az account set, az ad sp create-for-rbac