MSAL-based Azure CLI

Starting with version 2.30.0, Azure CLI uses Microsoft Authentication Library (MSAL) as its underlying authentication library. MSAL uses the Azure Active Directory v2.0 authentication flow to provide enhanced functionality and increase security for token cache.

accessTokens.json deprecation

Previous versions of Azure CLI saved Azure AD Authentication Library (ADAL) tokens and service principal entries to ~/.azure/accessToken.json. The latest versions of the Azure CLI use MSAL and no longer generate accessTokens.json. Existing workflows depending on accessTokens.json no longer work.

The MSAL token cache and service principal entries are saved as encrypted files on Windows, and plaintext files on Linux and macOS.

Alternatives to consider

Alternatives to consider for stability:

Calling az account get-access-token

You can manually call az account get-access-token in a terminal or use a subprocess to call it from another programming language. By default, the returned access token is for Azure Resource Manager (ARM) and the default subscription/tenant shown in az account show.

# get the active subscription
az account show --output table

# get access token for the active subscription
az account get-access-token

# get access token for a specific subscription
az account get-access-token --subscription "<subscription ID or name>"

To learn more about access tokens, see Sign in with Azure CLI.

Using AzureCliCredential

AzureCliCredential is a credential type in all existing language SDKs. It uses a subprocess to call az account get-access-token to retrieve an access token for the current logged-in account.

See also

• MSAL
  • Overview of the Microsoft Authentication Library (MSAL)
  • Migrate applications to the Microsoft Authentication Library (MSAL)
• Python
  • AzureCliCredential Class in Python
• .NET
  • AzureCliCredential Class in .NET
• Java
  • AzureCliCredential Class in Java