- Reference
- Module:
- Az.Accounts
Connect to Azure with an authenticated account for use with cmdlets from the Az PowerShell modules.
Syntax
Connect-AzAccount [-Environment <String>] [-Tenant <String>] [-AccountId <String>] [-Subscription <String>] [-AuthScope <String>] [-ContextName <String>] [-SkipContextPopulation] [-MaxContextPopulation <Int32>] [-UseDeviceAuthentication] [-Force] [-Scope <ContextModificationScope>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>] Connect-AzAccount [-Environment <String>] -Credential <PSCredential> [-ServicePrincipal] -Tenant <String> [-Subscription <String>] [-AuthScope <String>] [-ContextName <String>] [-SkipContextPopulation] [-MaxContextPopulation <Int32>] [-Force] [-Scope <ContextModificationScope>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>] Connect-AzAccount [-Environment <String>] -Credential <PSCredential> [-Tenant <String>] [-Subscription <String>] [-AuthScope <String>] [-ContextName <String>] [-SkipContextPopulation] [-MaxContextPopulation <Int32>] [-Force] [-Scope <ContextModificationScope>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>] Connect-AzAccount [-Environment <String>] -CertificateThumbprint <String> -ApplicationId <String> [-ServicePrincipal] -Tenant <String> [-Subscription <String>] [-AuthScope <String>] [-ContextName <String>] [-SkipContextPopulation] [-MaxContextPopulation <Int32>] [-Force] [-SendCertificateChain] [-Scope <ContextModificationScope>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>] Connect-AzAccount [-Environment <String>] -ApplicationId <String> [-ServicePrincipal] -Tenant <String> [-Subscription <String>] [-ContextName <String>] [-SkipContextPopulation] [-MaxContextPopulation <Int32>] [-Force] -FederatedToken <String> [-Scope <ContextModificationScope>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>] Connect-AzAccount [-Environment <String>] -ApplicationId <String> [-ServicePrincipal] -Tenant <String> [-Subscription <String>] [-ContextName <String>] [-SkipContextPopulation] [-MaxContextPopulation <Int32>] [-Force] [-SendCertificateChain] -CertificatePath <String> [-CertificatePassword <SecureString>] [-Scope <ContextModificationScope>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>] Connect-AzAccount [-Environment <String>] [-Tenant <String>] -AccessToken <String> [-GraphAccessToken <String>] [-MicrosoftGraphAccessToken <String>] [-KeyVaultAccessToken <String>] -AccountId <String> [-Subscription <String>] [-ContextName <String>] [-SkipValidation] [-SkipContextPopulation] [-MaxContextPopulation <Int32>] [-Force] [-Scope <ContextModificationScope>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>] Connect-AzAccount [-Environment <String>] [-Tenant <String>] [-AccountId <String>] [-Identity] [-Subscription <String>] [-AuthScope <String>] [-ContextName <String>] [-SkipContextPopulation] [-MaxContextPopulation <Int32>] [-Force] [-Scope <ContextModificationScope>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>] Description
The Connect-AzAccount cmdlet connects to Azure with an authenticated account for use with cmdletsfrom the Az PowerShell modules. You can use this authenticated account only with Azure ResourceManager requests. To add an authenticated account for use with Service Management, use theAdd-AzureAccount cmdlet from the Azure PowerShell module. If no context is found for the currentuser, the user's context list is populated with a context for each of their first 25 subscriptions.The list of contexts created for the user can be found by running Get-AzContext -ListAvailable. Toskip this context population, specify the SkipContextPopulation switch parameter. Afterexecuting this cmdlet, you can disconnect from an Azure account using Disconnect-AzAccount.
Examples
Example 1: Connect to an Azure account
This example connects to an Azure account. You must provide a Microsoft account or organizational IDcredentials. If multi-factor authentication is enabled for your credentials, you must log in usingthe interactive option or use service principal authentication.
Connect-AzAccountAccount SubscriptionName TenantId Environment------- ---------------- -------- -----------azureuser@contoso.com Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloudExample 2: Connect to Azure using organizational ID credentials
This scenario works only when the user does not have multi-factor auth turned on. The first commandprompts for user credentials and stores them in the $Credential variable. The second commandconnects to an Azure account using the credentials stored in $Credential. This accountauthenticates with Azure using organizational ID credentials.
$Credential = Get-CredentialConnect-AzAccount -Credential $CredentialAccount SubscriptionName TenantId Environment------- ---------------- -------- -----------azureuser@contoso.com Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloudExample 3: Connect to Azure using a service principal account
The first command stores the service principal credentials in the $Credential variable. The secondcommand connects the specified Azure tenant using the service principal credentials stored in the$Credential variable. The ServicePrincipal switch parameter indicates that the accountauthenticates as a service principal.
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecuredPasswordConnect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $CredentialAccount SubscriptionName TenantId Environment------- ---------------- -------- -----------xxxx-xxxx-xxxx-xxxx Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloudExample 4: Use an interactive login to connect to a specific tenant and subscription
This example connects to an Azure account with the specified tenant and subscription.
Connect-AzAccount -Tenant 'xxxx-xxxx-xxxx-xxxx' -SubscriptionId 'yyyy-yyyy-yyyy-yyyy'Account SubscriptionName TenantId Environment------- ---------------- -------- -----------azureuser@contoso.com Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloudExample 5: Connect using a Managed Service Identity
This example connects using the Managed Service Identity (MSI) of the host environment. For example,you sign into Azure from a virtual machine that has an assigned MSI.
Connect-AzAccount -IdentitySet-AzContext -Subscription Subscription1Account SubscriptionName TenantId Environment------- ---------------- -------- -----------MSI@50342 Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloudExample 6: Connect using Managed Service Identity login and ClientId
This example connects using the Managed Service Identity of myUserAssignedIdentity. It adds theuser assigned identity to the virtual machine, then connects using the ClientId of the user assignedidentity. For more information, seeConfigure managed identities for Azure resources on an Azure VM.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName 'myResourceGroup' -Name 'myUserAssignedIdentity'Get-AzVM -ResourceGroupName contoso -Name testvm | Update-AzVM -IdentityType UserAssigned -IdentityId $identity.IdConnect-AzAccount -Identity -AccountId $identity.ClientId # Run on the virtual machineAccount SubscriptionName TenantId Environment------- ---------------- -------- -----------yyyy-yyyy-yyyy-yyyy Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloudExample 7: Connect using certificates
This example connects to an Azure account using certificate-based service principal authentication.The service principal used for authentication must be created with the specified certificate. Formore information on creating a self-signed certificates and assigning them permissions, seeUse Azure PowerShell to create a service principal with a certificate
$Thumbprint = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'$ApplicationId = '00000000-0000-0000-0000-00000000'Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipalAccount SubscriptionName TenantId Environment------- ---------------- -------- -----------xxxxxxxx-xxxx-xxxx-xxxxxxxxx Subscription1 yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloudAccount : xxxxxxxx-xxxx-xxxx-xxxxxxxxSubscriptionName : MyTestSubscriptionSubscriptionId : zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzTenantId : yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyEnvironment : AzureCloudExample 8: Connect with AuthScope
AuthScope is used to support scenario that data plane resources have enhanced authentication than ARM resources, e.g. storage needs MFA but ARM does not.Once AuthScope is specified, e.g. Storage, Connect-AzAccount will first login with storage scope https://storage.azure.com/, then silently require token for ARM.
Connect-AzAccount -AuthScope StorageAccount SubscriptionName TenantId Environment------- ---------------- -------- -----------yyyy-yyyy-yyyy-yyyy Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloudExample 9: Connect using certificate file
This example connects to an Azure account using certificate-based service principal authentication.The certificate file, which is specified by CertficatePath, should contains both certificate and private key as the input.
$securePassword = $plainPassword | ConvertTo-SecureString -AsPlainText -Force$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'$ApplicationId = 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzz'Connect-AzAccount -ServicePrincipal -ApplicationId $ApplicationId -TenantId $TenantId -CertificatePath './certificatefortest.pfx' -CertificatePassword $securePasswordAccount SubscriptionName TenantId Environment------- ---------------- -------- -----------xxxxxxxx-xxxx-xxxx-xxxxxxxx Subscription1 yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloudExample 10: Connect interactively using WAM
This example demonstrates how to enable the config for WAM (Web Account Manager) and use it to connect to Azure.
Update-AzConfig -EnableLoginByWam $trueConnect-AzAccountAccount SubscriptionName TenantId Environment------- ---------------- -------- -----------xxxxxxxx-xxxx-xxxx-xxxxxxxx Subscription1 yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloudParameters
-AccessToken
Specifies an access token.
Caution
Access tokens are a type of credential. You should take the appropriate security precautions tokeep them confidential. Access tokens also timeout and may prevent long running tasks fromcompleting.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AccountId
Account Id / User Id / User Name to login with in Default (UserWithSubscriptionId) parameter set; Account ID for access token in AccessToken parameter set; Account ID for managed service inManagedService parameter set. Can be a managed service resource ID, or the associated client ID.To use the system assigned identity, leave this field blank.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ApplicationId
Application ID of the service principal.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AuthScope
Optional OAuth scope for login, supported pre-defined values: AadGraph, AnalysisServices, Attestation, Batch, DataLake, KeyVault, OperationalInsights, Storage, Synapse. It also supports resource id like https://storage.azure.com/.
| Type: | String |
| Aliases: | AuthScopeTypeName |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CertificatePassword
The password required to access the pkcs#12 certificate file.
| Type: | SecureString |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CertificatePath
The path of certficate file in pkcs#12 format.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CertificateThumbprint
Certificate Hash or Thumbprint.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ContextName
Name of the default Azure context for this login. For more information about Azure contexts, seeAzure PowerShell context objects.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Credential
Specifies a PSCredential object. For more information about the PSCredential object, typeGet-Help Get-Credential. The PSCredential object provides the user ID and password fororganizational ID credentials, or the application ID and secret for service principal credentials.
| Type: | PSCredential |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Environment
Environment containing the Azure account.
| Type: | String |
| Aliases: | EnvironmentName |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-FederatedToken
Specifies a token provided by another identity provider. The issuer and subject in this token must be first configured to be trusted by the ApplicationId.
Caution
Federated tokens are a type of credential. You should take the appropriate security precautions to keep them confidential. Federated tokens also timeout and may prevent long running tasks from completing.
| Type: | String |
| Aliases: | ClientAssertion |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Force
Overwrite the existing context with the same name without prompting.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-GraphAccessToken
AccessToken for Graph Service.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Identity
Login using a Managed Service Identity.
| Type: | SwitchParameter |
| Aliases: | MSI, ManagedService |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-KeyVaultAccessToken
AccessToken for KeyVault Service.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MaxContextPopulation
Max subscription number to populate contexts after login. Default is 25. To populate all subscriptions to contexts, set to -1.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MicrosoftGraphAccessToken
Access token to Microsoft Graph
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Scope
Determines the scope of context changes, for example, whether changes apply only to the currentprocess, or to all sessions started by this user.
| Type: | ContextModificationScope |
| Accepted values: | Process, CurrentUser |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SendCertificateChain
Specifies if the x5c claim (public key of the certificate) should be sent to the STS to achieve easy certificate rollover in Azure AD.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ServicePrincipal
Indicates that this account authenticates by providing service principal credentials.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SkipContextPopulation
Skips context population if no contexts are found.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SkipValidation
Skip validation for access token.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Subscription
Subscription Name or ID.
| Type: | String |
| Aliases: | SubscriptionName, SubscriptionId |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Tenant
Optional tenant name or ID.
Note
Due to limitations of the current API, you must use a tenant ID instead of a tenant name whenconnecting with a business-to-business (B2B) account.
| Type: | String |
| Aliases: | Domain, TenantId |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-UseDeviceAuthentication
Use device code authentication instead of a browser control.
| Type: | SwitchParameter |
| Aliases: | DeviceCode, DeviceAuth, Device |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
String
Outputs
PSAzureProfile