Connect-AzAccount
Module: Az.Accounts Module
Connect to Azure with an authenticated account for use with cmdlets from the Az PowerShell modules.
Syntax
UserWithSubscriptionId (Default)
Connect-AzAccount
[-Environment <String>]
[-Tenant <String>]
[-AccountId <String>]
[-Subscription <String>]
[-AuthScope <String>]
[-ContextName <String>]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-UseDeviceAuthentication]
[-Force]
[-ClaimsChallenge <String>]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
ServicePrincipalWithSubscriptionId
Connect-AzAccount
-Credential <PSCredential>
-Tenant <String>
[-Environment <String>]
[-ServicePrincipal]
[-Subscription <String>]
[-AuthScope <String>]
[-ContextName <String>]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-Force]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
UserWithCredential
Connect-AzAccount
-Credential <PSCredential>
[-Environment <String>]
[-Tenant <String>]
[-Subscription <String>]
[-AuthScope <String>]
[-ContextName <String>]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-Force]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
ServicePrincipalCertificateWithSubscriptionId
Connect-AzAccount
-CertificateThumbprint <String>
-ApplicationId <String>
-Tenant <String>
[-Environment <String>]
[-ServicePrincipal]
[-Subscription <String>]
[-AuthScope <String>]
[-ContextName <String>]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-Force]
[-SendCertificateChain]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
ClientAssertionParameterSet
Connect-AzAccount
-ApplicationId <String>
-Tenant <String>
-FederatedToken <String>
[-Environment <String>]
[-ServicePrincipal]
[-Subscription <String>]
[-ContextName <String>]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-Force]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
ServicePrincipalCertificateFileWithSubscriptionId
Connect-AzAccount
-ApplicationId <String>
-Tenant <String>
-CertificatePath <String>
[-Environment <String>]
[-ServicePrincipal]
[-Subscription <String>]
[-ContextName <String>]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-Force]
[-SendCertificateChain]
[-CertificatePassword <SecureString>]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
AccessTokenWithSubscriptionId
Connect-AzAccount
-AccessToken <String>
-AccountId <String>
[-Environment <String>]
[-Tenant <String>]
[-GraphAccessToken <String>]
[-MicrosoftGraphAccessToken <String>]
[-KeyVaultAccessToken <String>]
[-Subscription <String>]
[-ContextName <String>]
[-SkipValidation]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-Force]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
ManagedServiceLogin
Connect-AzAccount
[-Environment <String>]
[-Tenant <String>]
[-AccountId <String>]
[-Identity]
[-Subscription <String>]
[-AuthScope <String>]
[-ContextName <String>]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-Force]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The Connect-AzAccount cmdlet connects to Azure with an authenticated account for use with cmdlets
from the Az PowerShell modules. You can use this authenticated account only with Azure Resource
Manager requests. To add an authenticated account for use with Service Management, use the
Add-AzureAccount cmdlet from the Azure PowerShell module. If no context is found for the current
user, the user's context list is populated with a context for each of their first 25 subscriptions.
The list of contexts created for the user can be found by running Get-AzContext -ListAvailable. To
skip this context population, specify the SkipContextPopulation switch parameter. After
executing this cmdlet, you can disconnect from an Azure account using Disconnect-AzAccount.
Examples
Example 1: Connect to an Azure account
This example connects to an Azure account. You must provide a Microsoft account or organizational ID credentials. If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or use service principal authentication.
Connect-AzAccount
Please select the account you want to login with.
Retrieving subscriptions for the selection...
[Tenant and subscription selection]
No Subscription name Subscription ID Tenant domain name
---- ------------------------------------ ---------------------------------------- --------------------------
[1] Subscription1 xxxx-xxxx-xxxx-xxxx xxxxxxxxx.xxxxxxxxxxx.com
[2] Subscription2 xxxx-xxxx-xxxx-xxxx xxxxxxxxx.xxxxxxxxxxx.com
...
[9] Subscription9 xxxx-xxxx-xxxx-xxxx xxxxxxxxx.xxxxxxxxxxx.com
Select a tenant and subscription: 1 <requires user's input here>
Subscription name Tenant domain name
------------------------------------ --------------------------
Subscription1 xxxxxxxxx.xxxxxxxxxxx.com
[Announcements]
Share your feedback regarding your experience with `Connect-AzAccount` at: https://aka.ms/azloginfeedback
If you encounter any problem, please open an issue at: https://aka.ms/azpsissue
SubscriptionName Tenant
----------------- ------
Subscription1 xxxxxxxxx.xxxxxxxxxxx.com
Example 2: Connect to Azure using organizational ID credentials
This scenario works only when the user does not have multi-factor auth turned on. The first command
prompts for user credentials and stores them in the $Credential variable. The second command
connects to an Azure account using the credentials stored in $Credential. This account
authenticates with Azure using organizational ID credentials.
$Credential = Get-Credential
Connect-AzAccount -Credential $Credential
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
azureuser@contoso.com Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloud
Example 3: Connect to Azure using a service principal account
This command stores the service principal credentials in the $Credential variable. Then, it
connects to the specified Azure tenant using the service principal credentials stored in the
$Credential variable. The ServicePrincipal switch parameter indicates that the account
authenticates as a service principal.
$SecurePassword = Read-Host -Prompt 'Enter a Password' -AsSecureString
$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzz'
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
xxxx-xxxx-xxxx-xxxx Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloud
Example 4: Use an interactive login to connect to a specific tenant and subscription
This example connects to an Azure account with the specified tenant and subscription.
Connect-AzAccount -Tenant 'xxxx-xxxx-xxxx-xxxx' -SubscriptionId 'yyyy-yyyy-yyyy-yyyy'
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
azureuser@contoso.com Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloud
Example 5: Connect using a Managed Service Identity
This example connects using a system-assigned Managed Service Identity (MSI) of the host environment. For example, you sign into Azure from a virtual machine that has an assigned MSI.
Connect-AzAccount -Identity
Set-AzContext -Subscription Subscription1
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
MSI@50342 Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloud
Example 6: Connect using Managed Service Identity login and ClientId
This example connects using the Managed Service Identity of myUserAssignedIdentity. It adds the user assigned identity to the virtual machine, then connects using the ClientId of the user assigned identity. For more information, see Configure managed identities for Azure resources on an Azure VM.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName 'myResourceGroup' -Name 'myUserAssignedIdentity'
Get-AzVM -ResourceGroupName contoso -Name testvm | Update-AzVM -IdentityType UserAssigned -IdentityId $identity.Id
Connect-AzAccount -Identity -AccountId $identity.ClientId # Run on the virtual machine
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
yyyy-yyyy-yyyy-yyyy Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloud
Example 7: Connect using certificates
This example connects to an Azure account using certificate-based service principal authentication. The service principal used for authentication must be created with the specified certificate. For more information on creating self-signed certificates and assigning them permissions, see Use Azure PowerShell to create a service principal with a certificate.
$Thumbprint = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = '00000000-0000-0000-0000-00000000'
Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
xxxxxxxx-xxxx-xxxx-xxxxxxxxx Subscription1 yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloud
Account : xxxxxxxx-xxxx-xxxx-xxxxxxxx
SubscriptionName : MyTestSubscription
SubscriptionId : zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzz
TenantId : yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy
Environment : AzureCloud
Example 8: Connect with AuthScope
AuthScope supports scenarios in which data plane resources require stronger authentication than ARM resources, e.g. storage needs MFA but ARM does not.
Once AuthScope is specified, e.g. Storage, Connect-AzAccount first logs in with the storage scope https://storage.azure.com/, then silently requests a token for ARM.
Connect-AzAccount -AuthScope Storage
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
yyyy-yyyy-yyyy-yyyy Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloud
Example 9: Connect using certificate file
This example connects to an Azure account using certificate-based service principal authentication.
The certificate file, which is specified by CertificatePath, should contain both the certificate and the private key.
$SecurePassword = ConvertTo-SecureString -String "****" -AsPlainText -Force
$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzz'
Connect-AzAccount -ServicePrincipal -ApplicationId $ApplicationId -TenantId $TenantId -CertificatePath './certificatefortest.pfx' -CertificatePassword $SecurePassword
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
xxxxxxxx-xxxx-xxxx-xxxxxxxx Subscription1 yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloud
Example 10: Connect interactively using WAM
This example demonstrates how to enable the config for WAM (Web Account Manager) and use it to connect to Azure.
Update-AzConfig -EnableLoginByWam $true
Connect-AzAccount
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
xxxxxxxx-xxxx-xxxx-xxxxxxxx Subscription1 yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloud
Example 11: Connect with claims challenge
This example demonstrates how to connect using a claims challenge token. This is useful when you receive a claims challenge during authentication, typically when additional authentication factors are required due to conditional access policies.
Connect-AzAccount -Tenant yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy -Subscription zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzz -ClaimsChallenge eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI6WyJwMSJdfX19
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
xxxxxxxx-xxxx-xxxx-xxxxxxxx Subscription1 yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloud
Parameters
-AccessToken
Specifies an access token.
Caution
Access tokens are a type of credential. You should take the appropriate security precautions to keep them confidential. Access tokens also time out and may prevent long-running tasks from completing.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-AccountId
ID of the account associated with your access token. In user authentication flows, the AccountId is the user name or user ID; in the AccessToken flow, it is the AccountId for the access token; in the ManagedService flow, it is the associated client ID of the UserAssigned identity. To use the SystemAssigned identity, leave this field blank.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-ApplicationId
Application ID of the service principal.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-AuthScope
Optional OAuth scope for login, supported pre-defined values: AadGraph, AnalysisServices, Attestation, Batch, DataLake, KeyVault, OperationalInsights, Storage, Synapse. It also supports resource id like https://storage.azure.com/.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | AuthScopeTypeName |
Parameter sets
-CertificatePassword
The password required to access the pkcs#12 certificate file.
Parameter properties
| Type: | SecureString |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-CertificatePath
The path of certificate file in pkcs#12 format.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-CertificateThumbprint
Certificate Hash or Thumbprint.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-ClaimsChallenge
Specifies the claims challenge with base64 encoding.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
| Type: | SwitchParameter |
| Default value: | False |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | cf |
Parameter sets
-ContextName
Name of the default Azure context for this login. For more information about Azure contexts, see Azure PowerShell context objects.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Credential
Specifies a PSCredential object. For more information about the PSCredential object, type
Get-Help Get-Credential. The PSCredential object provides the user ID and password for
organizational ID credentials, or the application ID and secret for service principal credentials.
Parameter properties
| Type: | PSCredential |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Parameter properties
| Type: | IAzureContextContainer |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
Parameter sets
-Environment
Environment containing the Azure account.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | EnvironmentName |
Parameter sets
-FederatedToken
Specifies a token provided by another identity provider. The issuer and subject in this token must be first configured to be trusted by the ApplicationId.
Caution
Federated tokens are a type of credential. You should take the appropriate security precautions to keep them confidential. Federated tokens also time out and may prevent long-running tasks from completing.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | ClientAssertion |
Parameter sets
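The page has no example for the -FederatedToken parameter set, so the following is an added example, not part of the original documentation: it reads the token's issuer, subject and expiry before login, so a token from the wrong provider or one about to time out fails early with a clear message, and it keeps the resulting context in the current process only. The function names, the environment variables `AZURE_FEDERATED_TOKEN_FILE`, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID`, and the expected issuer and subject values are assumptions or placeholders.

```powershell
# Added example, not from the Az documentation. Requires the Az.Accounts module.
# Function names, environment variables and expected values are assumptions.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Length -ne 3) { throw 'Not a compact JWT (expected three dot-separated parts).' }
    # base64url -> base64, then restore the padding that JWTs strip.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length in JWT payload.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Connect-WithCheckedFederatedToken {
    param(
        [Parameter(Mandatory)][string]$TokenFile,
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [Parameter(Mandatory)][string]$ExpectedSubject,
        [int]$MinimumLifetimeSeconds = 120
    )
    $token  = (Get-Content -LiteralPath $TokenFile -Raw).Trim()
    # This only reads the claims. It does not verify the signature; the
    # identity platform does that when the token is exchanged.
    $claims = ConvertFrom-JwtPayload -Token $token
    $remaining = [long]$claims.exp - [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    # -cne is the case-sensitive comparison; -ne would ignore case.
    if ($claims.iss -cne $ExpectedIssuer)  { throw "Unexpected issuer: $($claims.iss)" }
    if ($claims.sub -cne $ExpectedSubject) { throw "Unexpected subject: $($claims.sub)" }
    if ($remaining -lt $MinimumLifetimeSeconds) {
        throw "Federated token expires in $remaining seconds; request a fresh one."
    }

    $login = @{
        ServicePrincipal      = $true
        ApplicationId         = $ApplicationId
        Tenant                = $Tenant
        FederatedToken        = $token      # never write this value to logs
        Scope                 = 'Process'   # context is not saved for other sessions
        SkipContextPopulation = $true
        ErrorAction           = 'Stop'
    }
    Connect-AzAccount @login
}

try {
    Connect-WithCheckedFederatedToken -TokenFile $env:AZURE_FEDERATED_TOKEN_FILE `
        -ApplicationId $env:AZURE_CLIENT_ID -Tenant $env:AZURE_TENANT_ID `
        -ExpectedIssuer 'https://issuer.example/' `
        -ExpectedSubject 'placeholder-subject' | Out-Null
    Get-AzContext   # confirm which account and tenant the session is bound to
}
finally {
    Disconnect-AzAccount -Scope Process -ErrorAction SilentlyContinue | Out-Null
}
```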
-Force
Overwrite the existing context with the same name without prompting.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-GraphAccessToken
AccessToken for Graph Service.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Identity
Login using a Managed Service Identity.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | MSI, ManagedService |
Parameter sets
-KeyVaultAccessToken
AccessToken for KeyVault Service.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-MaxContextPopulation
Maximum number of subscriptions for which contexts are populated after login. Default is 25. To populate contexts for all subscriptions, set to -1.
Parameter properties
| Type: | Int32 |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-MicrosoftGraphAccessToken
Access token for Microsoft Graph.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Scope
Determines the scope of context changes, for example, whether changes apply only to the current process, or to all sessions started by this user.
Parameter properties
| Type: | ContextModificationScope |
| Default value: | None |
| Accepted values: | Process, CurrentUser |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-SendCertificateChain
Specifies if the x5c claim (public key of the certificate) should be sent to the STS to achieve easy certificate rollover in Azure AD.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-ServicePrincipal
Indicates that this account authenticates by providing service principal credentials.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-SkipContextPopulation
Skips context population if no contexts are found.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-SkipValidation
Skip validation for access token.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Subscription
Subscription Name or ID.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | SubscriptionName, SubscriptionId |
Parameter sets
-Tenant
Optional tenant name or ID.
Note
Due to limitations of the current API, you must use a tenant ID instead of a tenant name when connecting with a business-to-business (B2B) account.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | Domain, TenantId |
Parameter sets
-UseDeviceAuthentication
Use device code authentication instead of a browser control.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | DeviceCode, DeviceAuth, Device |
Parameter sets
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Parameter properties
| Type: | SwitchParameter |
| Default value: | False |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | wi |
Parameter sets
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
String
Outputs
PSAzureProfile
