Azure PowerShell supports multiple authentication methods. The easiest way to get started is with the Azure Cloud Shell, which automatically signs you in. With a local installation, you can log in interactively through your browser. When writing scripts for automation, the recommended approach is to use a service principal with the necessary permissions. When you restrict login permissions as much as possible for your use case, you help keep your Azure resources secure.
If you have access to more than one subscription, you are initially signed in to the first subscription returned by Azure, and commands run under that subscription by default. To change your active subscription for a session, use the Set-AzContext cmdlet. To change your active subscription and have it persist between sessions on the same system, use the Select-AzContext cmdlet.
To log in interactively, use the Connect-AzAccount cmdlet.
This cmdlet presents an interactive browser-based login prompt by default.
Use the Get-AzContext cmdlet to store your tenant ID in a variable that will be used in the next two sections of this article.
Device code authentication
You can specify the UseDeviceAuthentication parameter to use device code authentication instead of a browser control.
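The following script is an added example, not code from the original article or from the Az module documentation. It shows the interactive and device code sign-ins side by side, captures the tenant ID from Get-AzContext, and switches the active subscription both for the session (Set-AzContext) and persistently (Select-AzContext). The subscription ID is a constructed placeholder.

```powershell
# Added example (not from the original article). Signs in interactively, or with a device
# code when no browser control is available, then captures the tenant ID and switches the
# active subscription. The subscription ID below is a constructed placeholder.
param(
    [switch]$UseDeviceCode,
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder, replace with yours
)

# -UseDeviceAuthentication prints a code to enter at the device login page instead of
# opening a browser control (useful on headless hosts or over SSH).
if ($UseDeviceCode) {
    Connect-AzAccount -UseDeviceAuthentication | Out-Null
} else {
    Connect-AzAccount | Out-Null
}

# Get-AzContext returns the account, tenant, subscription and environment of the session.
$context  = Get-AzContext
$tenantId = $context.Tenant.Id
Write-Host "Signed in as $($context.Account.Id) in tenant $tenantId"
Write-Host "Default subscription: $($context.Subscription.Name) ($($context.Subscription.Id))"

# Azure picked the first subscription it returned. Verify that the intended one is visible
# to this account before switching, so a typo fails here rather than later in the script.
$target = Get-AzSubscription -TenantId $tenantId | Where-Object Id -eq $SubscriptionId
if (-not $target) {
    throw "Subscription $SubscriptionId is not visible to this account in tenant $tenantId"
}

# Set-AzContext changes the active subscription for this session only.
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Select-AzContext makes a saved context the default for later sessions on this machine.
# It takes the context name shown by Get-AzContext -ListAvailable.
$saved = Get-AzContext -ListAvailable |
         Where-Object { $_.Subscription.Id -eq $SubscriptionId } |
         Select-Object -First 1
if ($saved) {
    Select-AzContext -Name $saved.Name | Out-Null
    Write-Host "Context '$($saved.Name)' is now the default for future sessions"
}
```

Run it as `.\Login.ps1` for the browser prompt, or `.\Login.ps1 -UseDeviceCode` on a host without a browser. The `$tenantId` variable is the value the service principal and managed identity sections below expect you to have captured.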
Log in with a service principal
Service principals are non-interactive Azure accounts. Like other user accounts, their permissions are managed by Azure Active Directory. By giving a service principal only the permissions it needs, your automation scripts stay secure.
For information on how to create a service principal for use with Azure PowerShell, see Create an Azure service principal with Azure PowerShell.
To sign in with a service principal, use the ServicePrincipal parameter of the Connect-AzAccount cmdlet. You'll also need the service principal's application ID, login credentials, and the tenant ID associated with the service principal. How you log in with a service principal depends on whether it's configured for password-based or certificate-based authentication.
Create a service principal to use in the examples in this section. For more information on how to create service principals, see Create an Azure service principal with Azure PowerShell.
To get the service principal credentials as the appropriate object, use the Get-Credential cmdlet. This cmdlet presents a request for username and password. Use the service principal's ApplicationId for the username and convert its secret to plain text for the password.
For automation scenarios, you should create credentials from the application ID and secret text of a service principal:
Be sure to use good password storage practices when automating service principal connections.
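The following script is an added example for the password-based sign-in described above; it is not code from the original article. It builds the PSCredential from the application ID and the secret text, reads the secret from an environment variable (assumed to be populated by your pipeline's secret store) rather than embedding it, and verifies that the resulting session belongs to the expected principal. The IDs are constructed placeholders.

```powershell
# Added example (not from the original article). Signs in as a service principal that uses a
# password (client secret). The secret is read from an environment variable so it never sits
# in the script; the IDs are constructed placeholders.
$appId    = '11111111-1111-1111-1111-111111111111'  # placeholder application (client) ID
$tenantId = '22222222-2222-2222-2222-222222222222'  # placeholder tenant ID

if ([string]::IsNullOrEmpty($env:AZ_SP_SECRET)) {
    throw 'Set AZ_SP_SECRET (for example from your pipeline secret store) before running this script.'
}

# Interactive alternative: Get-Credential prompts for user name and password. Enter the
# application ID as the user name and the secret as the password.
# $credential = Get-Credential -Message 'Enter the service principal application ID and secret'

# Automation path: build the PSCredential from the application ID and the secret text.
$secureSecret = ConvertTo-SecureString -String $env:AZ_SP_SECRET -AsPlainText -Force
$credential   = [System.Management.Automation.PSCredential]::new($appId, $secureSecret)

# -ServicePrincipal tells Connect-AzAccount that the credential belongs to an app, not a user.
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId | Out-Null

# Confirm the session is running as the expected principal before doing any work.
$context = Get-AzContext
if ($context.Account.Id -ne $appId) {
    throw "Expected to be signed in as $appId but got $($context.Account.Id)"
}
Write-Host "Signed in as service principal $appId in tenant $($context.Tenant.Id)"

# The credential object is all Az needs from here on, so drop the plain-text copy from this
# process's environment.
Remove-Item -Path Env:\AZ_SP_SECRET -ErrorAction SilentlyContinue
```

Keep the secret out of scripts and shell history: pass it in through the environment or a secret store, and rotate it in the app registration on a schedule.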
Certificate-based authentication requires that Azure PowerShell be able to retrieve information from a local certificate store based on a certificate thumbprint.
When using a service principal instead of a registered application, specify the ServicePrincipal parameter and provide the application ID of the service principal as the value of the ApplicationId parameter.
In PowerShell 5.1, the certificate store can be managed and inspected with the PKI module. For PowerShell 6.x and later, the process is more complicated. The following scripts show you how to import an existing certificate into the certificate store accessible via PowerShell.
Import a certificate in PowerShell 5.1
Import a certificate in PowerShell Core 6.x and later
Log in with a managed identity
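The following script is an added example of the certificate-based sign-in, not code from the original article. It assumes the certificate has already been imported into the current user's personal store on Windows (the `Cert:` drive), checks that it is present with a private key and not expired, and then calls Connect-AzAccount with the ServicePrincipal, ApplicationId, Tenant and CertificateThumbprint parameters. The IDs and thumbprint are constructed placeholders.

```powershell
# Added example (not from the original article). Signs in as a service principal that uses
# certificate-based authentication. The certificate must already be in the current user's
# personal store; the thumbprint and IDs are constructed placeholders.
$appId      = '11111111-1111-1111-1111-111111111111'          # placeholder application (client) ID
$tenantId   = '22222222-2222-2222-2222-222222222222'          # placeholder tenant ID
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'      # placeholder SHA-1 thumbprint

# Azure PowerShell looks the certificate up by thumbprint in the certificate store, so check
# that it is present, carries a private key and is still valid before attempting the sign-in.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in Cert:\CurrentUser\My"
}
if (-not $cert.HasPrivateKey) {
    throw 'Certificate was imported without its private key; re-import the PFX'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); rotate it in the app registration"
}

Connect-AzAccount -ServicePrincipal `
                  -ApplicationId $appId `
                  -Tenant $tenantId `
                  -CertificateThumbprint $thumbprint | Out-Null

$context = Get-AzContext
Write-Host "Signed in as $($context.Account.Id) in tenant $($context.Tenant.Id)"
```

The pre-checks matter in automation: a missing private key or an expired certificate otherwise surfaces as a generic authentication failure with no hint of the cause.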
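The following script is an added example for Windows PowerShell 5.1, not the article's own script. It uses Import-PfxCertificate from the PKI module to load a PFX file into the current user's personal store, prompting for the PFX password instead of embedding it, and then confirms the private key was imported. The file path is a constructed placeholder.

```powershell
# Added example (not from the original article). Imports a PFX file into the current user's
# personal certificate store with the PKI module available in Windows PowerShell 5.1.
# The path is a constructed placeholder; the PFX password is prompted for, not hardcoded.
$pfxPath = 'C:\certs\azure-automation.pfx'  # placeholder path to your exported PFX

if (-not (Test-Path -Path $pfxPath)) {
    throw "PFX file not found: $pfxPath"
}

# Read-Host -AsSecureString keeps the PFX password out of the script and the command history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import-PfxCertificate (PKI module) writes the certificate and its private key to the store.
$imported = Import-PfxCertificate -FilePath $pfxPath `
                                  -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $pfxPassword

# The thumbprint is the value Connect-AzAccount -CertificateThumbprint expects.
Write-Host "Imported certificate with thumbprint $($imported.Thumbprint)"
Write-Host "Subject: $($imported.Subject); valid until $($imported.NotAfter)"

# Verify the import landed with a usable private key.
$check = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $imported.Thumbprint
if (-not $check.HasPrivateKey) {
    throw 'Import succeeded but no private key is attached; check the PFX export options'
}
```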
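The following script is an added example for PowerShell 6.x and later, not the article's own script. Because the PKI module is not available in PowerShell Core, it uses the .NET X509Certificate2 and X509Store classes directly to load the PFX and add it to the CurrentUser\My store, then searches the store by thumbprint to confirm the import. The file path is a constructed placeholder.

```powershell
# Added example (not from the original article). Imports a PFX into the current user's
# personal store using the .NET X509 classes directly, which is the route available in
# PowerShell 6.x and later without the PKI module. The path is a constructed placeholder.
using namespace System.Security.Cryptography.X509Certificates

$pfxPath = 'C:\certs\azure-automation.pfx'  # placeholder path to your exported PFX

if (-not (Test-Path -Path $pfxPath)) {
    throw "PFX file not found: $pfxPath"
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Load the PFX. PersistKeySet keeps the private key when the certificate is added to a store;
# without it the key is discarded and certificate sign-in fails later.
$flags = [X509KeyStorageFlags]::PersistKeySet -bor [X509KeyStorageFlags]::UserKeySet
$cert  = [X509Certificate2]::new($pfxPath, $pfxPassword, $flags)

# Open the CurrentUser\My store for writing and add the certificate.
$store = [X509Store]::new([StoreName]::My, [StoreLocation]::CurrentUser)
try {
    $store.Open([OpenFlags]::ReadWrite)
    $store.Add($cert)
} finally {
    $store.Close()
}

Write-Host "Imported certificate with thumbprint $($cert.Thumbprint)"

# Confirm it is now discoverable by thumbprint, which is how Connect-AzAccount will look it up.
$verify = [X509Store]::new([StoreName]::My, [StoreLocation]::CurrentUser)
try {
    $verify.Open([OpenFlags]::ReadOnly)
    $match = $verify.Certificates.Find([X509FindType]::FindByThumbprint, $cert.Thumbprint, $false)
} finally {
    $verify.Close()
}
if ($match.Count -eq 0) {
    throw 'Certificate not found in store after import'
}
```

The `using namespace` line must stay at the top of the script (comments before it are fine); it is what lets the type names be written without their full namespace.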
Managed identities are a feature of Azure Active Directory. Managed identities are service principals assigned to resources running on Azure. You can use a managed identity service principal to sign in and acquire an app-only access token to access other resources. Managed identities are only available on resources running in an Azure cloud.
This example connects using the managed identity of the host environment. For example, if running on a virtual machine with an assigned managed service identity, this allows the code to log in with that assigned identity.
This example connects using the managed service identity of myUserAssignedIdentity. It adds the user-assigned identity to the virtual machine, then connects using the client ID of the user-assigned identity. For more information, see Configure managed identities for Azure resources on an Azure virtual machine.
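The following script is an added example covering both managed identity sign-ins above; it is not code from the original article. Run on an Azure VM, it uses the system-assigned identity by default, or a user-assigned identity when its client ID is passed (the AccountId parameter), and then verifies that the session really is a managed identity session. The client ID is a constructed placeholder; attaching the user-assigned identity to the VM is assumed to have been done already.

```powershell
# Added example (not from the original article). Signs in from an Azure VM (or other Azure
# host) with its managed identity: system-assigned by default, or a user-assigned identity
# when its client ID is supplied. No secret is needed; the token comes from the host's identity
# endpoint, which is why this only works on resources running in Azure.
param(
    [string]$UserAssignedClientId  # placeholder: client ID of myUserAssignedIdentity
)

if ($UserAssignedClientId) {
    # User-assigned: -AccountId selects which of the identities attached to the VM to use.
    Connect-AzAccount -Identity -AccountId $UserAssignedClientId | Out-Null
} else {
    # System-assigned: the identity whose lifetime is tied to this resource.
    Connect-AzAccount -Identity | Out-Null
}

# Confirm the session came from the identity endpoint and not from a cached user context.
$context = Get-AzContext
if ($context.Account.Type -ne 'ManagedService') {
    throw "Expected a managed identity session, got account type '$($context.Account.Type)'"
}
Write-Host "Signed in with managed identity $($context.Account.Id) in tenant $($context.Tenant.Id)"
Write-Host "Active subscription: $($context.Subscription.Name)"
```

The account type check guards against a common automation mistake: a script run on a workstation with a cached interactive context silently doing its work as a user rather than as the VM's identity.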
Log in with a non-default tenant or as a Cloud Solution Provider (CSP)
If your account is associated with more than one tenant, the Tenant parameter must be specified when connecting. This parameter works with any login method. When logging in, the value of this parameter can be either the tenant's Azure object ID (tenant ID) or the tenant's fully qualified domain name.
If you are a Cloud Solution Provider (CSP), the value of the Tenant parameter must be a tenant ID.
Log in to another cloud
Azure cloud services offer environments that comply with regional data handling laws. For accounts in a regional cloud, set the environment when you sign in with the Environment parameter. This parameter works with any login method. For example, if your account is in Azure China 21Vianet:
The following command gets a list of available environments:
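The following script is an added example that covers both the tenant and the environment parameters from the two sections above; it is not code from the original article. It lists the environments Get-AzEnvironment knows about, rejects an environment name that is not in that list before any sign-in is attempted, and then connects to the chosen cloud and tenant. The environment defaults to the Azure China 21Vianet environment name, AzureChinaCloud, and the tenant value is a constructed placeholder GUID (a tenant ID, which is the form a CSP must use).

```powershell
# Added example (not from the original article). Lists the available cloud environments,
# then signs in to a chosen environment and tenant. Values are constructed placeholders.
param(
    [string]$Environment = 'AzureChinaCloud',
    [string]$Tenant      = '22222222-2222-2222-2222-222222222222'  # placeholder tenant ID or domain name
)

# Get-AzEnvironment returns every environment the installed module knows about
# (for example AzureCloud, AzureChinaCloud, AzureUSGovernment).
$environments = Get-AzEnvironment
$environments | Select-Object Name, ActiveDirectoryAuthority | Format-Table -AutoSize

# Fail early on a typo rather than letting the sign-in hit the wrong authority.
if ($Environment -notin $environments.Name) {
    throw "Unknown environment '$Environment'. Known: $($environments.Name -join ', ')"
}

# -Tenant is required when the account belongs to several tenants (a CSP must pass the tenant
# ID, not the domain name); -Environment directs the sign-in to the regional cloud.
# Both parameters work with any of the login methods covered earlier.
Connect-AzAccount -Environment $Environment -Tenant $Tenant | Out-Null

# Check that the session landed in the cloud and tenant that were requested.
$context = Get-AzContext
if ($context.Environment.Name -ne $Environment) {
    throw "Signed in to $($context.Environment.Name) instead of $Environment"
}
Write-Host "Environment: $($context.Environment.Name); tenant: $($context.Tenant.Id)"
Write-Host "Authority:   $($context.Environment.ActiveDirectoryAuthority)"
```

Printing the authority after sign-in is a quick way to confirm that tokens are being requested from the regional cloud's endpoint and not from the global one.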