AzCopy support for Entra ID authentication
AzCopy support for Entra ID authentication using Azure CLI or PowerShell authentication tokens
With AzCopy version 10.22.0 or newer you can reuse your existing Entra ID authentication tokens from Azure PowerShell and Azure CLI to authenticate blob transfers to and from your storage accounts. This reduces the number of times you have to enter your credentials when using Azure PowerShell or Azure CLI in the same session: you log in to either Azure PowerShell or Azure CLI once, and you do not need to enter a separate set of credentials in AzCopy. By the end of this article, you will be able to authenticate AzCopy actions seamlessly on Linux or Windows by reusing an existing OAuth token.
Environment variables
To enable this new feature, you must set the AZCOPY_AUTO_LOGIN_TYPE environment variable to the appropriate value. Besides the existing authentication methods (using a Service Principal or Managed Service Identity), two new options are now available: AZCLI for Azure CLI and PSCRED for Azure PowerShell. If you want to learn more about the environment variables AzCopy supports, you can get an overview using the following command: azcopy env
To change the login type so that AzCopy reuses OAuth tokens from either Azure CLI or Azure PowerShell, use one of the following commands for your operating system:
Linux and macOS environment variables
Windows environment variables
Scenarios
The prerequisite for all samples is that you own an active Azure Subscription and have already deployed a storage account with a container. Write permissions on the data plane need to be granted to your Entra ID account (see Assign an Azure role for access to blob data).
Note: If you don’t own an Azure Subscription you can create your Azure Free Account today. If you have trouble creating a storage account or granting the needed permissions, you can read the Optional section at the end of this article.
Please make sure you have the newest version (>=10.22.0) of AzCopy installed on your local machine. You can download it manually or use the provided CLI command for each scenario, on either Linux or Windows.
Flow diagram
The following diagram shows the flow of each scenario in detail.
Scenario 1: Using Linux on Windows Subsystem for Linux (WSL)
Using WSL and Ubuntu 22.04 LTS you can download the newest version of AzCopy using the following bash one-liner.
Optional: Verify your login type (AZCOPY_AUTO_LOGIN_TYPE) is set to use the Azure CLI
Now we can try to upload a file, in this case the AzCopy binary itself, to the storage account. Please replace "<storage-account>" and "<container>" with their respective values.
NOTE: This command will fail if you don’t have Contributor or at least a sufficient RBAC role for write access on the storage account. Please make sure you are already authenticated using "az login" and the container you try to upload to exists.
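The Scenario 1 steps combined into one script, as an added example that is not code from the original article: it checks the AzCopy version against the 10.22.0 minimum, confirms AZCOPY_AUTO_LOGIN_TYPE is AZCLI, and refuses to run with unreplaced placeholders. The function names, the script name `upload.sh` and the sample names used to test it are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: preflight checks before reusing the Azure CLI token with AzCopy.
MIN_AZCOPY_VERSION="10.22.0"   # minimum version named in the article

# Extract "10.22.0" from the output of `azcopy --version` ("azcopy version 10.22.0").
parse_azcopy_version() {
    printf '%s\n' "$1" | sed -n 's/^azcopy version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when version $1 >= version $2 (uses sort -V, available on Ubuntu).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# $1 = output of `azcopy --version`, $2 = current AZCOPY_AUTO_LOGIN_TYPE.
# Prints "ok" or the reason token reuse will not work; non-zero on failure.
check_token_reuse() {
    ver=$(parse_azcopy_version "$1")
    if [ -z "$ver" ]; then echo "cannot parse azcopy version"; return 2; fi
    if ! version_ge "$ver" "$MIN_AZCOPY_VERSION"; then
        echo "azcopy $ver is older than $MIN_AZCOPY_VERSION"; return 3
    fi
    if [ "$2" != "AZCLI" ]; then
        echo "AZCOPY_AUTO_LOGIN_TYPE is '${2:-unset}', expected AZCLI"; return 4
    fi
    echo "ok"
}

# Build the container URL; rejects unreplaced placeholders such as "<storage-account>".
blob_url() {
    case "$1" in ""|*[!a-z0-9]*) return 1 ;; esac      # account: lowercase letters and digits
    case "$2" in ""|*[!a-z0-9-]*) return 1 ;; esac     # container: lowercase, digits, hyphens
    printf 'https://%s.blob.core.windows.net/%s/\n' "$1" "$2"
}

upload_with_cli_token() {   # $1 = local file, $2 = storage account, $3 = container
    export AZCOPY_AUTO_LOGIN_TYPE=AZCLI
    az account show >/dev/null 2>&1 || { echo "run 'az login' first" >&2; return 1; }
    reason=$(check_token_reuse "$(azcopy --version)" "$AZCOPY_AUTO_LOGIN_TYPE") \
        || { echo "$reason" >&2; return 1; }
    dest=$(blob_url "$2" "$3") || { echo "invalid account or container name" >&2; return 1; }
    azcopy copy "$1" "$dest"
}

# Usage: ./upload.sh <file> <storage-account> <container>
if [ "$#" -eq 3 ]; then upload_with_cli_token "$@"; fi
```

Because the variable is exported inside the function, it applies only to the script's own process and does not change the login type of the calling shell.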
Scenario 2: Using Windows 11
Using Windows 11 you can download the newest version of AzCopy using the following PowerShell commands.
Optional: Verify your login type (AZCOPY_AUTO_LOGIN_TYPE) is set to use Azure PowerShell
Now we can try to upload a file, in this case the AzCopy binary itself, to the storage account. Please replace "<storage-account>" and "<container>" with their respective values.
NOTE: This command will fail if you don’t have Contributor or at least a sufficient RBAC role for write access on the storage account. Please make sure you are already authenticated using "Connect-AzAccount" and the container you try to upload to exists.
Optional: How to create a demo storage account
To create and configure a storage account on Azure you can use the following Azure CLI commands. There are a couple of other options available outlined in the official documentation.
First of all, we need to create a resource group. You can change the variables for the name or location to fit your needs. For the sake of the sample, it’s fine to start with the following command and options:
Next, create a storage account and a container using the resource group you just created. Because storage account names must be globally unique, you must change the name "<storage-account>" in the following command. Also change the name of the "<container>" variable.
Last, we need to grant our Entra ID account write permission on the storage account's data plane, replacing "<email>", "<subscription>", "<resource-group>", "<storage-account>" and "<container>" with their respective values.
References
- Create Your Azure Free Account Today | Microsoft Azure
- Download AzCopy v10 | Microsoft Learn
- Sign into Azure from Azure PowerShell | Microsoft Learn
- Sign in with Azure CLI — Login and Authentication | Microsoft Learn
- Authorize access to blobs & files with AzCopy & Microsoft Entra ID | Microsoft Learn
- Create a storage account - Azure Storage | Microsoft Learn