Interactive logins to Azure offer a more intuitive and flexible user experience. Interactive login with Azure PowerShell allows users to authenticate to Azure directly through the PowerShell interface, which is useful for ad-hoc management tasks and for environments that require manual sign-in, such as those with multifactor authentication (MFA). This method simplifies access for script testing, learning, and on-the-fly management without needing to preconfigure service principals or other noninteractive authentication methods.
Prerequisites
- Install the latest version of the Az PowerShell module.
Interactive login
To sign in interactively, use the Connect-AzAccount cmdlet. Beginning with Az PowerShell module version 12.0.0, Windows systems use Web Account Manager (WAM), and Linux and macOS systems use browser-based login by default.
Connect-AzAccount
- To learn more about WAM, see Web Account Manager (WAM)
- To learn more about browser-based login, see Browser-based login
Login experience
Beginning with Az PowerShell module version 12.0.0, if you have access to multiple subscriptions, you're prompted to select an Azure subscription to log in with, as shown in the following example.
Please select the account you want to login with.

Retrieving subscriptions for the selection...
WARNING: To override which subscription Connect-AzAccount selects by default, use
`Update-AzConfig -DefaultSubscriptionForLogin 00000000-0000-0000-0000-000000000000`.
Go to https://go.microsoft.com/fwlink/?linkid=2200610 for more information.

[Tenant and subscription selection]

No      Subscription name                       Subscription ID                             Tenant name
----    ------------------------------------    ----------------------------------------    --------------
[1]     Facility Services Subscription          00000000-0000-0000-0000-000000000000        Contoso
[2]     Finance Department Subscription         00000000-0000-0000-0000-000000000000        Contoso
[3]     Human Resources Subscription            00000000-0000-0000-0000-000000000000        Contoso
[4]     Information Technology Subscription     00000000-0000-0000-0000-000000000000        Contoso

Select a tenant and subscription: 2

Subscription name                       Tenant name
------------------------------------    --------------------------
Finance Department Subscription         Contoso

[Announcements]
With the new Azure PowerShell login experience, you can select the subscription you want to use more easily.
Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271236.
Share your feedback regarding your experience with `Connect-AzAccount` at: https://aka.ms/azloginfeedback

If you encounter any problem, please open an issue at: https://aka.ms/azpsissue

Subscription name                  Tenant
-----------------                  ------
Finance Department Subscription    Contoso
The next time you log in, the previously selected tenant and subscription is marked as the default with an asterisk (*) next to its number and highlighted in a cyan blue color. This allows you to press Enter to select the default or type a number to select a different tenant and subscription.
No      Subscription name                       Subscription ID                             Tenant name
----    ------------------------------------    ----------------------------------------    --------------
[1]     Facility Services Subscription          00000000-0000-0000-0000-000000000000        Contoso
[2] *   Finance Department Subscription         00000000-0000-0000-0000-000000000000        Contoso
[3]     Human Resources Subscription            00000000-0000-0000-0000-000000000000        Contoso
[4]     Information Technology Subscription     00000000-0000-0000-0000-000000000000        Contoso

The default is marked with an *; the default tenant is 'Contoso' and subscription is
'Finance Department Subscription (00000000-0000-0000-0000-000000000000)'.

Select a tenant and subscription (type a number or Enter to accept default): 4

Subscription name                       Tenant name
------------------------------------    --------------------------
Information Technology Subscription     Contoso
Commands run against this subscription by default. To change your active subscription, use the Set-AzContext cmdlet. For more information, see Azure PowerShell context objects.
Configure your default subscription for login
To prevent being prompted to select a subscription each time you log in interactively, use the Update-AzConfig cmdlet to set your default subscription, as shown in the following example.
Update-AzConfig -DefaultSubscriptionForLogin '<subscription name or id>'
Disable the new login experience
To disable the new login experience, use the Update-AzConfig cmdlet, as shown in the following example.
Update-AzConfig -LoginExperienceV2 Off
When the new login experience is disabled and you have access to multiple subscriptions, you're signed in to the first subscription Azure returns. Commands run against this subscription by default. To change your active subscription for a session, use the Set-AzContext cmdlet. To change your active subscription and have it persist between sessions on the same system, use the Select-AzContext cmdlet.
Web Account Manager (WAM)
Beginning with Az PowerShell module version 12.0.0, Azure PowerShell's default login authentication method for Windows-based systems is Web Account Manager (WAM).
WAM is a Windows 10+ component that acts as an authentication broker. An authentication broker is an application that runs on your system that manages the authentication handshakes and token maintenance for connected accounts.
Benefits of WAM
Using WAM offers several benefits:
- Enhanced security. See Conditional Access: Token protection (preview).
- Support for Windows Hello, conditional access policies, and FIDO keys.
- Streamlined single sign-on.
- Bug fixes and enhancements shipped with Windows.
Limitations of WAM
At the current stage of development, there are a few known limitations to WAM:
- WAM is available on Windows 10 and later and on Windows Server 2019 and later. On Linux, macOS, and earlier versions of Windows, Azure PowerShell automatically defaults to browser-based login.
- Using WAM to log in to national clouds isn't currently supported.
- Microsoft Accounts (for example, @outlook.com or @live.com) must specify the Tenant parameter when used with MFA.
Connect-AzAccount -Tenant 00000000-0000-0000-0000-000000000000
Disable WAM
To use browser-based login on Windows 10 and later or on Windows Server 2019 and later with Az 12.0.0 and higher, you must disable WAM for use with Azure PowerShell. Use the following command to disable WAM and return to browser-based login, the default before Az 12.0.0.
Update-AzConfig -EnableLoginByWam $false
Browser-based login
Browser-based login is the default interactive login for Linux, macOS, and Windows systems older than Windows 10 or Windows Server 2019. Beginning with Az PowerShell module version 12.0.0, you must disable WAM for Azure PowerShell to use browser-based login on Windows-based systems, which was the default before Az 12.0.0.
When you sign in interactively with the Connect-AzAccount cmdlet, browser-based login opens the default web browser to load an Azure sign-in page. Sign in with your Azure account credentials in the browser.
If Azure PowerShell can open your default browser, it initiates authorization code flow and opens the default browser to load an Azure sign-in page. Otherwise, it initiates device code flow, which instructs you to open a browser page at microsoft.com/devicelogin and enter the code displayed in your PowerShell session.
Device code authentication
If Web Account Manager or a web browser is unavailable or it fails to open, you can force device code flow by specifying the UseDeviceAuthentication parameter.
Connect-AzAccount -UseDeviceAuthentication
Sign in to a different tenant
If your account is associated with more than one tenant, sign-in requires the Tenant parameter to be specified when connecting. This parameter works with any sign-in method. When logging in, this parameter value can either be the Azure object ID of the tenant (Tenant ID) or the fully qualified domain name of the tenant.
Connect-AzAccount -Tenant 00000000-0000-0000-0000-000000000000
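The following function is an added example, not part of the original article. It signs in with an explicit tenant, selects the subscription with Set-AzContext instead of relying on the prompt or on the first subscription Azure returns, and verifies the active context before returning. The function name Connect-PinnedAzContext and its parameter names are hypothetical, and the GUIDs are placeholders.

```powershell
# Added example, not from the original article.
# Connect-PinnedAzContext and its parameters are hypothetical names.
function Connect-PinnedAzContext {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [guid] $TenantId,
        [Parameter(Mandatory)] [guid] $SubscriptionId,
        # Opt in to device code flow when WAM or a browser can't be opened.
        [switch] $UseDeviceCode
    )

    $tenant       = $TenantId.ToString()
    $subscription = $SubscriptionId.ToString()

    # Show the login-related settings in effect so the sign-in path is known.
    Get-AzConfig |
        Where-Object Key -In 'EnableLoginByWam', 'LoginExperienceV2', 'DefaultSubscriptionForLogin' |
        Format-Table -Property Key, Value, Scope |
        Out-Host

    # Always name the tenant; add device code flow only when requested.
    $connectArgs = @{ Tenant = $tenant; ErrorAction = 'Stop' }
    if ($UseDeviceCode) { $connectArgs['UseDeviceAuthentication'] = $true }
    Connect-AzAccount @connectArgs | Out-Null

    # The selection prompt may still appear during sign-in; the choice made
    # there is overridden here with the subscription the caller asked for.
    Set-AzContext -Tenant $tenant -Subscription $subscription -ErrorAction Stop | Out-Null

    # Verify the active context before any other command runs against it.
    $ctx = Get-AzContext
    if ($ctx.Tenant.Id -ne $tenant -or $ctx.Subscription.Id -ne $subscription) {
        Disconnect-AzAccount | Out-Null
        throw ("Active context is tenant '{0}', subscription '{1}'; expected '{2}' / '{3}'." -f
            $ctx.Tenant.Id, $ctx.Subscription.Id, $tenant, $subscription)
    }
    return $ctx
}

# Placeholder GUIDs; replace with your tenant and subscription IDs.
$ctx = Connect-PinnedAzContext -TenantId '00000000-0000-0000-0000-000000000000' `
                               -SubscriptionId '00000000-0000-0000-0000-000000000000'
'{0} -> {1} ({2})' -f $ctx.Account.Id, $ctx.Subscription.Name, $ctx.Subscription.Id
```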
Sign in to a national cloud
National clouds (also known as sovereign clouds) are physically isolated instances of Azure designed to ensure data residency, sovereignty, and compliance requirements are honored within geographical boundaries. For accounts in a national cloud, set the environment when you sign in using the Environment parameter. This parameter works with any sign-in method. For example, if your account is in Azure China 21Vianet, use the following command:
Connect-AzAccount -Environment AzureChinaCloud
You can get a list of available national cloud environments by running the following command:
Get-AzEnvironment | Select-Object -Property Name
See also
- Connect-AzAccount
- Set-AzContext
- Select-AzContext
- Update-AzConfig