AzCopy support for Entra ID authentication

AzCopy support for Entra ID authentication using Azure CLI or PowerShell authentication tokens

Using AzCopy version 10.22.0 or newer you can reuse your existing Entra ID authentication tokens from Azure PowerShell and Azure CLI for authentication for blob transfers to and from your storage accounts. This will reduce the number of times you have to enter your credentials when using Azure PowerShell and Azure CLI in the same session as you login to either Azure PowerShell or Azure CLI once and you do not need to enter a separate set of credentials in AzCopy. By the end of this article, you will be able to authenticate AzCopy actions seamlessly on Linux or Windows by reusing an existing OAuth token.

Environment variables

To enable this new feature, you must set the AZCOPY_AUTO_LOGIN_TYPE environment variable to the appropriate value. Besides the existing authentication methods - using a Service Principal or Managed Service Identity - two new options are now available. AZCLI for Azure CLI and PSCRED for Azure PowerShell. If you want to learn more on AzCopy supported environment variables you can easily get overview using the following command: azcopy env

To change the login type to either reusing OAuth tokens from Azure CLI or Azure PowerShell use one of the following commands for each operating system:

Linux and macOS environment variables

export AZCOPY_AUTO_LOGIN_TYPE=AZCLI export AZCOPY_AUTO_LOGIN_TYPE=PSCRED

Windows environment variables

$Env:AZCOPY_AUTO_LOGIN_TYPE="AZCLI" $Env:AZCOPY_AUTO_LOGIN_TYPE="PSCRED"

Scenarios

The prerequisite for all samples is that you own an active Azure Subscription and already deployed a storage account with a container. Write Permissions on the data plane needs be granted for your Entra ID account (see Assign an Azure role for access to blob data).

Note: If you don’t own an Azure Subscription you can create your Azure Free Account today. If you are facing troubles creating a storage account or granting the needed permissions you can read the Optional section at the end of this article.

Please make sure you have the newest version (>=10.22.0) of the AzCopy installed on your local machine. You can download it manually or use the provided CLI command for each scenario either using Linux or Windows.

Flow diagram

The following diagram shows the flow diagram of each scenario in detail.

Scenario 1: Using Linux on Windows Subsystem for Linux (WSL)

Using WSL and Ubuntu 22.04 LTS you can download the newest version of AzCopy using the following bash one-liner.

wget -cq https://aka.ms/downloadazcopy-v10-linux -O - | tar xz --strip-components=1

Optional: Verify your login type (AZCOPY_AUTO_LOGIN_TYPE) is set to use the Azure CLI

./azcopy env INFO: Name: AZCOPY_AUTO_LOGIN_TYPE Current Value: AZCLI

Now we can try to upload a file, in this case the AzCopy binary itself, to the storage account. Please replace "<storage-account>" and "<container>" with their respective values.

./azcopy copy azcopy https://<storage-account>.blob.core.windows.net/<container>/azcopy

NOTE: This command will fail if you don’t have Contributor or at least a sufficient RBAC role for write access on the storage account. Please make sure you are already authenticated using "az login" and the container you try to upload to exists.

Scenario 2: Using Windows 11

Using Windows 11 you can download the newest version of AzCopy using the following PowerShell commands.

Invoke-WebRequest -Uri 'https://aka.ms/downloadazcopy-v10-windows' -OutFile 'azcopyv10.zip' Expand-archive -Path '.\azcopyv10.zip' -Destinationpath '.\' $AzCopy = (Get-ChildItem -path '.\' -Recurse -File -Filter 'azcopy.exe').FullName

Optional: Verify your login type (AZCOPY_AUTO_LOGIN_TYPE) is set to use Azure PowerShell

& $AzCopy env INFO: Name: AZCOPY_AUTO_LOGIN_TYPE Current Value: PSCRED

Now we can try to upload a file, in this case the AzCopy binary itself, to the storage account. Please replace "<storage-account>" and "<container>" with their respective values.

& $AzCopy copy $AzCopy https://<storage-account>.blob.core.windows.net/<container>/azcopy.exe

NOTE: This command will fail if you don’t have Contributor or at least a sufficient RBAC role for write access on the storage account. Please make sure you are already authenticated using "Connect-AzAccount" and the container you try to upload to exists.

Optional: How to create a demo storage account

To create and configure a storage account on Azure you can use the following Azure CLI commands. There are a couple of other options available outlined in the official documentation.

First of all, we need to create a resource group. You can change the variables for the name or location to fit your needs. For the sake of the sample, it’s fine to start with the following command and options:

az group create --name MyResourceGroup --location westus

Next, create a storage account and a container using the resource group you just created. As a storage account name is globally unique you must change the name "<storage-account>" in the following command. Also change the name of the "<container>" variable.

az storage account create --name <storage-account> --resource-group MyResourceGroup --location westus --sku Standard_LRS az storage container create -n <container> --account-name <storage-account>

Last we need to grant our Entry ID account write permission on the storage accounts data plane, replacing "<email>", "<subscription>", "<resource-group>", "<storage-account>" and "<container>" with their respective values.

az role assignment create \ --role "Storage Blob Data Contributor" \ --assignee <email> \ --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"

References

Learn more