az login: Service Principals, OIDC & CI Errors
Authenticate the Azure CLI - interactively, or with a service principal in CI.
az login signs the Azure CLI in to an Azure tenant. Interactively it opens a browser; in CI you authenticate non-interactively with a service principal or, preferably, OIDC federated credentials.
What it does
az login obtains tokens for your Azure identity and caches them. The default is an interactive browser/device-code flow. For automation, --service-principal with a client ID/secret (or certificate) authenticates a registered app, and --federated-token enables keyless OIDC login from GitHub Actions.
Common usage
# Interactive login (local)
az login
# Service principal with a secret (CI)
az login --service-principal \
--username "$AZURE_CLIENT_ID" \
--password "$AZURE_CLIENT_SECRET" \
--tenant "$AZURE_TENANT_ID"
# Device code on a headless machine
az login --use-device-codeCommon error in CI: "az login" opens no browser / AADSTS invalid client secret
On a headless runner, a bare az login hangs trying to open a browser, and service-principal logins fail with "AADSTS7000215: Invalid client secret provided" (expired/wrong secret) or "AADSTS700016: application not found in tenant" (wrong tenant/client ID). Fix: never use interactive az login in CI - use --service-principal with the correct tenant, or the azure/login action with OIDC (enable-AzPSSession/client-id+tenant-id+subscription-id, no secret). Rotate expired secrets, or move to OIDC federated credentials to avoid secrets entirely.
Key options
| Option | Purpose |
|---|---|
| --service-principal | Authenticate as an app (CI) |
| --username / --password | SP client ID and secret/cert |
| --tenant | Azure AD tenant ID |
| --federated-token | OIDC federated credential (keyless) |
| --use-device-code | Device-code flow for headless |