The Microsoft 365 provider can use Azure CLI (az) authentication to simplify the authentication experience. This method reuses the existing authenticated session from the Azure CLI, making it ideal for local development and service account scenarios.

How It Works

This authentication method leverages the Azure CLI authentication, which stores tokens in a local credential cache:
  1. Check Authentication: The provider checks if the Azure CLI is installed and authenticated
  2. Use Existing Credential: It uses the existing credential to acquire tokens for Microsoft Graph
  3. No App Registration: No additional app registrations or secrets are required

Benefits

  • Eliminates the need to create and manage separate app registrations
  • Removes the need to handle sensitive client secrets or certificates
  • Uses the same authentication context as your other Azure CLI operations
  • Supports automatic token renewal when tokens expire

Prerequisites

  • Azure CLI (az) installed
  • Successfully authenticated with az login
  • A Microsoft Entra ID tenant

Use Cases

Local Development

Quick setup for development environments

Service Account

Run Terraform with a dedicated service account logged into Azure CLI

Prototyping

Rapidly test Terraform configurations without overhead

Cross-service Dev

Maintain consistent auth when working with Azure and M365 resources

Setup

Install Azure CLI

Follow the Azure CLI installation guide for your operating system. Verify installation:
az version

Authenticate

# Basic authentication to your default tenant
az login

# Or specify a tenant ID
az login --tenant 00000000-0000-0000-0000-000000000000
No additional app registration setup is required for this authentication method.

Provider Configuration

VS Code Integration

Create a .vscode/tasks.json file to streamline your workflow:
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Terraform Init and Apply",
      "type": "shell",
      "command": "terraform init && terraform apply -auto-approve",
      "options": {
        "env": {
          "M365_AUTH_METHOD": "azure_cli",
          "M365_TENANT_ID": "your-tenant-id-here"
        }
      },
      "problemMatcher": []
    },
    {
      "label": "Terraform Plan",
      "type": "shell",
      "command": "terraform plan",
      "options": {
        "env": {
          "M365_AUTH_METHOD": "azure_cli",
          "M365_TENANT_ID": "your-tenant-id-here"
        }
      },
      "problemMatcher": []
    }
  ]
}
Access tasks in VS Code:
  1. Press Ctrl+Shift+P (or Cmd+Shift+P on macOS)
  2. Type “Tasks: Run Task”
  3. Select your desired task

Switching Between Auth Methods

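Create a shell script to easily switch profiles. Because it sets environment variables, load it into the current shell with source switch-auth-method.sh dev rather than executing it:
#!/bin/bash
# switch-auth-method.sh
# Usage: source switch-auth-method.sh {dev|prod}
# Must be sourced: a script run as a child process cannot change the
# environment of the calling shell.

case "$1" in
  dev)
    export M365_AUTH_METHOD="azure_cli"
    # Do not leave service principal credentials in a developer shell
    unset M365_CLIENT_ID M365_CLIENT_SECRET
    echo "Switched to developer mode using Azure CLI authentication"
    ;;
  prod)
    export M365_AUTH_METHOD="client_secret"
    export M365_CLIENT_ID="00000000-0000-0000-0000-000000000000"
    # Read the secret from a file so it never appears in the script itself
    export M365_CLIENT_SECRET="$(cat ~/.secrets/m365_client_secret)"
    echo "Switched to production mode using service principal authentication"
    ;;
  *)
    echo "Usage: source switch-auth-method.sh {dev|prod}"
    # return when sourced; exit only if the script was executed directly
    return 1 2>/dev/null || exit 1
    ;;
esac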

Limitations

Important Limitations
  • Requires Azure CLI to be installed and available in PATH
  • Uses the permissions of the currently logged-in user or service principal
  • Sessions might expire, requiring re-authentication
  • Less control over token lifetimes and authentication parameters
  • Not recommended for production deployment scenarios

Security Considerations

  • Azure CLI stores tokens in a local credential cache, which is encrypted
  • Actions performed will be attributable to the logged-in identity
  • Ensure your user account follows the principle of least privilege
  • For shared or public computers, be cautious of leaving authenticated sessions active
  • Log out when finished: az logout
  • For production environments, use dedicated service principal authentication

Troubleshooting

Error: Failed to create credential strategy: azure cli not found in PATH
Ensure that az is installed and available in your system PATH. Verify with:
az version

Error: Failed to get token: azure cli not authenticated
Run az login to authenticate before using Terraform.

Error: Failed to get token: tenant ID mismatch
If you work with multiple tenants, authenticate to the specific tenant:
az login --tenant <tenant-id>

Error: Insufficient privileges to complete the operation
The authenticated identity must have the necessary permissions for Microsoft Graph operations. Check your user permissions in the Microsoft Entra admin center.

Enable debug mode for detailed logging:
provider "microsoft365" {
  auth_method = "azure_cli"
  debug_mode  = true
}
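
The first three errors listed under Troubleshooting can be caught before Terraform starts, along with a check of which identity the run will act as. The shell function below is an added example, not part of the provider or its documentation: the names m365_preflight and lower and the return codes are assumptions made here, while az account show is the Azure CLI command that reports the active session and M365_TENANT_ID is the variable used on this page.

```shell
#!/bin/bash
# Added example: preflight for the azure_cli auth method.
# Source this file, then run: m365_preflight && terraform plan
# Function names and return codes are choices made for this example.

# Lower-case a string so tenant GUIDs compare case-insensitively.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

m365_preflight() {
  local want="${M365_TENANT_ID:-}" have who kind

  # 1. az must be on PATH, otherwise the provider cannot build a credential.
  if ! command -v az >/dev/null 2>&1; then
    echo "preflight: az not found in PATH" >&2
    return 2
  fi

  # 2. There must be an active session; az account show fails without one.
  if ! have="$(az account show --query tenantId -o tsv 2>/dev/null)" || [ -z "$have" ]; then
    echo "preflight: not logged in, run: az login --tenant <tenant-id>" >&2
    return 3
  fi

  # 3. The session's tenant must be the one Terraform is about to change.
  #    The check is skipped when M365_TENANT_ID is not set.
  if [ -n "$want" ] && [ "$(lower "$have")" != "$(lower "$want")" ]; then
    echo "preflight: az session is for tenant $have, expected $want" >&2
    return 4
  fi

  # 4. Report whose permissions the run will use (user or servicePrincipal),
  #    since every change is attributed to this identity.
  who="$(az account show --query user.name -o tsv 2>/dev/null)"
  kind="$(az account show --query user.type -o tsv 2>/dev/null)"
  echo "preflight: tenant=$have identity=$who type=$kind"
}
```

A non-zero return stops a chained terraform command, so a plan or apply never runs against a tenant other than the one named in M365_TENANT_ID.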
