The Connect-AzAccount cmdlet connects to Azure with an authenticated account for use with cmdlets
from the Az PowerShell modules. You can use this authenticated account only with Azure Resource
Manager requests. To add an authenticated account for use with Service Management, use the
Add-AzureAccount cmdlet from the Azure PowerShell module. If no context is found for the current
user, the user's context list is populated with a context for each of their first 25 subscriptions.
The list of contexts created for the user can be found by running Get-AzContext -ListAvailable. To
skip this context population, specify the SkipContextPopulation switch parameter. After
executing this cmdlet, you can disconnect from an Azure account using Disconnect-AzAccount.
Examples
Example 1: Connect to an Azure account
This example connects to an Azure account. You must provide a Microsoft account or organizational ID
credentials. If multi-factor authentication is enabled for your credentials, you must log in using
the interactive option or use service principal authentication.
Connect-AzAccount
Please select the account you want to login with.
Retrieving subscriptions for the selection...
[Tenant and subscription selection]
No Subscription name Subscription ID Tenant domain name
---- ------------------------------------ ---------------------------------------- --------------------------
[1] Subscription1 xxxx-xxxx-xxxx-xxxx xxxxxxxxx.xxxxxxxxxxx.com
[2] Subscription2 xxxx-xxxx-xxxx-xxxx xxxxxxxxx.xxxxxxxxxxx.com
...
[9] Subscription9 xxxx-xxxx-xxxx-xxxx xxxxxxxxx.xxxxxxxxxxx.com
Select a tenant and subscription: 1 <requires user's input here>
Subscription name Tenant domain name
------------------------------------ --------------------------
Subscription1 xxxxxxxxx.xxxxxxxxxxx.com
[Announcements]
Share your feedback regarding your experience with `Connect-AzAccount` at: https://aka.ms/azloginfeedback
If you encounter any problem, please open an issue at: https://aka.ms/azpsissue
SubscriptionName Tenant
----------------- ------
Subscription1 xxxxxxxxx.xxxxxxxxxxx.com
Example 2: Connect to Azure using organizational ID credentials
This scenario works only when the user does not have multi-factor auth turned on. The first command
prompts for user credentials and stores them in the $Credential variable. The second command
connects to an Azure account using the credentials stored in $Credential. This account
authenticates with Azure using organizational ID credentials.
Example 3: Connect to Azure using a service principal account
This command stores the service principal credentials in the $Credential variable. Then, it
connects to the specified Azure tenant using the service principal credentials stored in the
$Credential variable. The ServicePrincipal switch parameter indicates that the account
authenticates as a service principal.
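The service principal sign-in described above, as an added example that is not code from the original page. It reads the application secret from the environment instead of a script literal and limits the context to the current process. The environment variable names AZ_TENANT_ID, AZ_APP_ID and AZ_APP_SECRET are assumptions made for this example.

```powershell
# Added example: service principal sign-in without a hard-coded secret.
# Assumption: the tenant ID, application ID and client secret are supplied in
# the hypothetical environment variables AZ_TENANT_ID, AZ_APP_ID, AZ_APP_SECRET.
$ErrorActionPreference = 'Stop'

foreach ($name in 'AZ_TENANT_ID', 'AZ_APP_ID', 'AZ_APP_SECRET') {
    if (-not [Environment]::GetEnvironmentVariable($name)) {
        throw "Required environment variable $name is not set."
    }
}

# PSCredential for a service principal: user name = application ID,
# password = application secret.
$secret     = ConvertTo-SecureString -String $env:AZ_APP_SECRET -AsPlainText -Force
$Credential = [System.Management.Automation.PSCredential]::new($env:AZ_APP_ID, $secret)

# Remove the plaintext copy from this process's environment once it is wrapped.
Remove-Item -Path Env:AZ_APP_SECRET

$connected = $false
try {
    # -Scope Process: the context change applies to this process only.
    # -SkipContextPopulation: do not create a context per subscription.
    $null = Connect-AzAccount -ServicePrincipal `
                              -Tenant $env:AZ_TENANT_ID `
                              -Credential $Credential `
                              -Scope Process `
                              -SkipContextPopulation
    $connected = $true

    # Confirm which identity and tenant the session is bound to before doing work.
    Get-AzContext | Select-Object Account, Tenant, Subscription

    # ... Azure Resource Manager work goes here ...
}
finally {
    # Always drop the authenticated context, even if the work above failed.
    if ($connected) {
        $null = Disconnect-AzAccount -Scope Process
    }
}
```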
Example 5: Connect using a Managed Service Identity
This example connects using a system-assigned Managed Service Identity (MSI) of the host
environment. For example, you sign into Azure from a virtual machine that has an assigned MSI.
Example 6: Connect using Managed Service Identity login and ClientId
This example connects using the Managed Service Identity of myUserAssignedIdentity. It adds the
user assigned identity to the virtual machine, then connects using the ClientId of the user assigned
identity. For more information, see
Configure managed identities for Azure resources on an Azure VM.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName 'myResourceGroup' -Name 'myUserAssignedIdentity'
Get-AzVM -ResourceGroupName contoso -Name testvm | Update-AzVM -IdentityType UserAssigned -IdentityId $identity.Id
Connect-AzAccount -Identity -AccountId $identity.ClientId # Run on the virtual machine
This example connects to an Azure account using certificate-based service principal authentication.
The service principal used for authentication must be created with the specified certificate. For
more information on creating self-signed certificates and assigning them permissions, see
Use Azure PowerShell to create a service principal with a certificate.
AuthScope supports scenarios where data plane resources require stronger authentication than ARM resources, for example when Storage requires MFA but ARM does not.
Once AuthScope is specified, for example Storage, Connect-AzAccount first logs in with the storage scope https://storage.azure.com/, then silently requests a token for ARM.
This example connects to an Azure account using certificate-based service principal authentication.
The certificate file, which is specified by CertificatePath, should contain both the certificate and the private key as the input.
Access tokens are a type of credential. You should take the appropriate security precautions to
keep them confidential. Access tokens also time out and may prevent long-running tasks from
completing.
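An added example (not from the original page) of checking how long a token has left before handing it to Connect-AzAccount -AccessToken for a long-running task. It assumes the token is a compact JWT carrying an exp claim. The function names, the 30-minute threshold and the sample token are constructed for illustration, and the token value is never written to output.

```powershell
# Added example. Reads the 'exp' claim of a JWT access token to see whether it
# will outlive a planned task. This only inspects the payload; it does not
# validate the signature and must not be used as an authenticity check.
function Get-JwtRemainingLifetime {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) {
        throw 'Not a compact JWT (expected three dot-separated parts).'
    }

    # base64url -> base64, restoring the padding that JWTs strip.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }

    $json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $claims = $json | ConvertFrom-Json
    if (-not $claims.exp) { throw 'Token has no exp claim.' }

    # exp is seconds since the Unix epoch (UTC).
    [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp) - [DateTimeOffset]::UtcNow
}

# Constructed, unsigned sample token that expires in 10 minutes.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).
        TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$exp    = [DateTimeOffset]::UtcNow.AddMinutes(10).ToUnixTimeSeconds()
$sample = (ConvertTo-Base64Url '{"alg":"none"}'),
          (ConvertTo-Base64Url "{`"exp`":$exp}"),
          'constructed-signature' -join '.'

$remaining = Get-JwtRemainingLifetime -Token $sample
$needed    = [TimeSpan]::FromMinutes(30)   # assumed duration of the planned task

if ($remaining -lt $needed) {
    # Report only the lifetime, never the token itself.
    Write-Warning ("Token expires in {0:N0} min; task needs {1:N0} min. Obtain a fresh token first." -f
        $remaining.TotalMinutes, $needed.TotalMinutes)
}
```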
Id for Account, associated with your access token.
In user authentication flows, the AccountId is the user name or user ID; in the AccessToken flow, it is the AccountId for the access token; in the ManagedService flow, it is the associated client ID of the UserAssigned identity. To use the SystemAssigned identity, leave this field blank.
Optional OAuth scope for login. Supported predefined values: AadGraph, AnalysisServices, Attestation, Batch, DataLake, KeyVault, OperationalInsights, Storage, Synapse. It also supports a resource ID such as https://storage.azure.com/.
Specifies a PSCredential object. For more information about the PSCredential object, type
Get-Help Get-Credential. The PSCredential object provides the user ID and password for
organizational ID credentials, or the application ID and secret for service principal credentials.
Specifies a token provided by another identity provider. The issuer and subject in this token must be first configured to be trusted by the ApplicationId.
Caution
Federated tokens are a type of credential. You should take the appropriate security precautions to keep them confidential. Federated tokens also time out and may prevent long-running tasks from completing.
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.