Authenticating using the Azure CLI

Terraform supports a number of different methods for authenticating to Azure.

We recommend using either a Service Principal or Managed Identity when running Terraform non-interactively (such as when running Terraform in a CI server) - and authenticating using the Azure CLI when running Terraform locally.

Important Notes about Authenticating using the Azure CLI


Logging into the Azure CLI


First, log in to the Azure CLI using a User account, a Service Principal or a Managed Identity.

User Account:

az login --allow-no-subscriptions

Service Principal with a Secret:

az login --service-principal \
         --username 00000000-0000-0000-0000-000000000000 \
         --password "MyCl1eNtSeCr3t" \
         --tenant 10000000-2000-3000-4000-500000000000 \
         --allow-no-subscriptions

Service Principal with a Certificate:

az login --service-principal \
         --username 00000000-0000-0000-0000-000000000000 \
         --password /path/to/certificate \
         --tenant 10000000-2000-3000-4000-500000000000 \
         --allow-no-subscriptions

Service Principal with Open ID Connect (for use in CI / CD):

az login --service-principal \
         --username 00000000-0000-0000-0000-000000000000 \
         --tenant 10000000-2000-3000-4000-500000000000 \
         --allow-no-subscriptions

Managed Identity:

az login --identity --allow-no-subscriptions

or

az login --identity \
         --username 00000000-0000-0000-0000-000000000000 \
         --allow-no-subscriptions

The --allow-no-subscriptions argument enables access to tenants that have no linked subscriptions, in addition to tenants that do.


Once logged in, you can list the Subscriptions and Tenants associated with the account via:

$ az account list -o table --all --query "[].{TenantID: tenantId, Subscription: name, Default: isDefault}"

The output (similar to below) will display one or more Tenants and/or Subscriptions.

TenantID                              Subscription                         Default
------------------------------------  -----------------------------------  ---------
00000000-0000-1111-1111-111111111111  N/A(tenant level account)            False
00000000-0000-2222-2222-222222222222  N/A(tenant level account)            False
00000000-0000-1111-1111-111111111111  My Subscription                      True
00000000-0000-1111-1111-111111111111  My Other Subscription                False

Each entry shown is referred to as an Azure CLI account, which represents either a subscription with its linked tenant, or a tenant without any accessible subscriptions (Azure CLI does not show tenant names or domains). The provider will select the tenant ID from your default Azure CLI account. If you have more than one tenant listed in the output of az account list, for example if you are a guest user in other tenants, you can specify the tenant to use.

# sh
export ARM_TENANT_ID=00000000-0000-2222-2222-222222222222
# PowerShell (the value must be quoted, otherwise PowerShell evaluates the hyphenated GUID as an arithmetic expression)
$env:ARM_TENANT_ID = "00000000-0000-2222-2222-222222222222"

You can also configure the tenant ID from within the provider block.

provider "azuread" {
  tenant_id = "00000000-0000-2222-2222-222222222222"
}

Alternatively, you can configure the Azure CLI to default to the tenant you are managing with Terraform.

$ az login --allow-no-subscriptions --tenant "TENANT_ID_OR_DOMAIN"
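The check a practitioner wants before running terraform plan in a multi-tenant account is "which tenant will the provider actually pick?". The script below is an added example, not part of the provider documentation: it applies the selection rule described above (ARM_TENANT_ID if set, otherwise the tenant of the default Azure CLI account) to account rows in the shape produced by az account list --all -o tsv --query "[].[tenantId,name,isDefault]", warns when more than one tenant is visible, and fails when no default account exists. The sample rows are constructed to match the table shown earlier so the script runs offline; in real use, pipe the az command's output into resolve_tenant instead.

```shell
#!/bin/sh
# Added example: resolve the tenant the azuread provider will use from Azure CLI
# account data. Not code from the provider docs; the rows below are constructed.

# Constructed sample, equivalent to the output of:
#   az account list --all -o tsv --query "[].[tenantId,name,isDefault]"
# Columns (tab-separated): tenantId, subscription name, isDefault
SAMPLE_ACCOUNTS=$(printf '%s\t%s\t%s\n' \
  '00000000-0000-1111-1111-111111111111' 'N/A(tenant level account)' 'False' \
  '00000000-0000-2222-2222-222222222222' 'N/A(tenant level account)' 'False' \
  '00000000-0000-1111-1111-111111111111' 'My Subscription'           'True'  \
  '00000000-0000-1111-1111-111111111111' 'My Other Subscription'     'False')

# default_tenant: print the tenantId of the account the CLI marks as default
# (isDefault == True). Reads TSV rows on stdin; prints nothing if none is default.
default_tenant() {
  awk -F'\t' '$3 == "True" { print $1; exit }'
}

# tenant_count: number of distinct tenant IDs visible to the logged-in identity.
# Guest access to other tenants shows up here as extra tenant-level rows.
tenant_count() {
  awk -F'\t' '{ seen[$1] = 1 } END { n = 0; for (k in seen) n++; print n }'
}

# resolve_tenant: print the tenant ID the provider will use. ARM_TENANT_ID wins
# when set, mirroring the provider's precedence; otherwise the default CLI
# account's tenant is used, with a warning on stderr when several tenants are
# visible, and a non-zero exit when no account is marked default.
resolve_tenant() {
  rows=$(cat)
  if [ -n "${ARM_TENANT_ID:-}" ]; then
    printf '%s\n' "$ARM_TENANT_ID"
    return 0
  fi
  n=$(printf '%s\n' "$rows" | tenant_count)
  if [ "$n" -gt 1 ]; then
    echo "warning: $n tenants visible; set ARM_TENANT_ID or log in with 'az login --tenant' to be explicit" >&2
  fi
  t=$(printf '%s\n' "$rows" | default_tenant)
  if [ -z "$t" ]; then
    echo "error: no default Azure CLI account; run 'az login' first" >&2
    return 1
  fi
  printf '%s\n' "$t"
}

# Stand-alone run against the constructed rows. In real use replace the printf with:
#   az account list --all -o tsv --query "[].[tenantId,name,isDefault]" | resolve_tenant
printf '%s\n' "$SAMPLE_ACCOUNTS" | resolve_tenant
```

Running it against the sample prints 00000000-0000-1111-1111-111111111111 and a warning that two tenants are visible; exporting ARM_TENANT_ID before the call changes the result to that tenant without touching the CLI's default account.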



Configuring Azure CLI authentication in Terraform

No specific configuration is required for the provider to use Azure CLI authentication. If you're looking to use Terraform across Tenants - it's possible to do this by configuring the tenant_id field in the Provider block, as shown below:

provider "azuread" {
  tenant_id = "00000000-0000-1111-1111-111111111111"
}

More information on the fields supported in the Provider block can be found here.

At this point running either terraform plan or terraform apply should allow Terraform to run using the Azure CLI to authenticate.

Disabling Azure CLI authentication

For compatibility reasons and to ensure a positive user experience when running Terraform interactively, Azure CLI authentication is enabled by default. It's possible to disable authentication using Azure CLI, which you may wish to do in automated environments such as CI/CD pipelines or when scripting operations with Terraform.

To do so, add the use_cli configuration property in the Provider block.

provider "azuread" {
  use_cli = false
}

Alternatively, you can set the ARM_USE_CLI environment variable.

# sh
export ARM_USE_CLI=false

# PowerShell (quote the value; a bare false is parsed as a command name, not a string)
$env:ARM_USE_CLI = "false"