Skip to content
Latchkey

az login: Service Principals, OIDC & CI Errors

Authenticate the Azure CLI - interactively, or with a service principal in CI.

az login signs the Azure CLI in to an Azure tenant. Interactively it opens a browser; in CI you authenticate non-interactively with a service principal or, preferably, OIDC federated credentials.

What it does

az login obtains tokens for your Azure identity and caches them. The default is an interactive browser/device-code flow. For automation, --service-principal with a client ID/secret (or certificate) authenticates a registered app, and --federated-token enables keyless OIDC login from GitHub Actions.

Common usage

Terminal
# Interactive login (local)
az login

# Service principal with a secret (CI)
az login --service-principal \
  --username "$AZURE_CLIENT_ID" \
  --password "$AZURE_CLIENT_SECRET" \
  --tenant "$AZURE_TENANT_ID"

# Device code on a headless machine
az login --use-device-code

Common error in CI: "az login" opens no browser / AADSTS invalid client secret

On a headless runner, a bare az login hangs trying to open a browser, and service-principal logins fail with "AADSTS7000215: Invalid client secret provided" (expired/wrong secret) or "AADSTS700016: application not found in tenant" (wrong tenant/client ID). Fix: never use interactive az login in CI - use --service-principal with the correct tenant, or the azure/login action with OIDC (enable-AzPSSession/client-id+tenant-id+subscription-id, no secret). Rotate expired secrets, or move to OIDC federated credentials to avoid secrets entirely.

Key options

OptionPurpose
--service-principalAuthenticate as an app (CI)
--username / --passwordSP client ID and secret/cert
--tenantAzure AD tenant ID
--federated-tokenOIDC federated credential (keyless)
--use-device-codeDevice-code flow for headless

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →