How to sign in with the Azure CLI and manage associated subscriptions

Before logging in with the Azure CLI to an Azure tenant, we must see which Azure subscriptions I have associated with the current computer and user:

az account list

which, in the case of not having any association, gives an output like the following:

operatorfeitam@ubuntu2204-pc1:~$ az account list
Please run "az login" to access your accounts.
[]
operatorfeitam@ubuntu2204-pc1:~$

There are several ways to authenticate with 'azure-cli' to Azure, which can be summarized in two:

Using a web browser when it is available on the server where we want to login, in this case it is used:

az login

In this case, it informs us of the following:

operatorfeitam@ubuntu2204-pc1:~$ az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.

and a browser opens for us on the computer where we have executed 'az login' so that we can log in with our username and password in Azure, and when we do so we can close the browser and the console will show us:

operatorfeitam@ubuntu2204-pc1:~$ az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "6a292158-a1c7-4f67-99f9-435174e561b1",
    "id": "bad4e527-3ef6-4378-a599-61f803834bce",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "6a292158-a1c7-4f67-99f9-435174e561b1",
    "user": {
      "name": "jlsv@feitam.es",
      "type": "user"
    }
  }
]
operatorfeitam@ubuntu2204-pc1:~$

Not using a web browser on the server where we want to login because it is not available, in this case we use:

az login --use-device-code

In this case, it informs us of the following:

operatorfeitam@ubuntu2204-pc1:~$ az login --use-device-code
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CDQDEC4F6 to authenticate.

We open a web browser on any computer by accessing the URL that is specified, we enter the code that they give us and it will ask us to authenticate with our Azure username and password, and it will ask us to confirm that we are trying to log in to Microsoft Azure CLI. And when we confirm it, the following appears:

operatorfeitam@ubuntu2204-pc1:~$ az login --use-device-code
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CDQDEC4F6 to authenticate.
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "6a292158-a1c7-4f67-99f9-435174e561b1",
    "id": "bad4e527-3ef6-4378-a599-61f803834bce",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "6a292158-a1c7-4f67-99f9-435174e561b1",
    "user": {
      "name": "jlsv@feitam.es",
      "type": "user"
    }
  }
]
operatorfeitam@ubuntu2204-pc1:~$

If we repeat the execution of 'az account list' we can see that we are associated to a subscription called "Azure subscription 1" with 'ID' "aad4e527-3ef6-4378-a599-61f803834bce" of the 'Tenant ID' with value "7a292158-a1c7 -4f67-99f9-435174e561b1" :

operatorfeitam@ubuntu2204-pc1:~$ az account list
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "6a292158-a1c7-4f67-99f9-435174e561b1",
    "id": "bad4e527-3ef6-4378-a599-61f803834bce",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "6a292158-a1c7-4f67-99f9-435174e561b1",
    "user": {
      "name": "jlsv@feitam.es",
      "type": "user"
    }
  }
]
operatorfeitam@ubuntu2204-pc1:~$

We must note that this subscription is in the "Enabled" state, and that it is also our associated subscription by default (it is normal since we only have a single subscription right now) because whatever we do will be executed in this subscription.

Obviously we can be associated with other subscriptions, and with other tenants, and in this case we must always check which is our 'default' associated subscription, since we could launch with a command with 'az' (Azure CLI) or with, for example, terraform (allows specify the tenant and subscription id to use, but if not done it runs on the default subscription) and would run on the associated 'default' subscription if nothing specific is specified in that command.

An example of having multiple associated Azure subscriptions is as follows:

operatorfeitam@ubuntu2204-pc1:~$ az account list
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "6a292158-a1c7-4f67-99f9-435174e561b1",
    "id": "bad4e527-3ef6-4378-a599-61f803834bce",
    "isDefault": false,
    "managedByTenants": [],
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "6a292158-a1c7-4f67-99f9-435174e561b1",
    "user": {
      "name": "jlsv@feitam.es",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "da060e56-5e46-445d-8b74-5fb187bd2166",
    "id": "cebc4372-083a-4bb3-8097-46e86ef3c417",
    "isDefault": true,
    "managedByTenants": [
      {
        "tenantId": "2f4a9838-26b7-44ee-be60-ccc1fdec5955"
      }
    ],
    "name": "Enterprise A - Area A",
    "state": "Enabled",
    "tenantId": "da060e56-5e46-445d-8b74-5fb187bd2166",
    "user": {
      "name": "jlsv-external@feitam.es",
      "type": "user"
    }
  },
  ...
  ...
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "da060e56-5e46-445d-8b74-5fb187bd2166",
    "id": "181f645c-1e2e-4015-b7b8-d9791fc94cd4",
    "isDefault": false,
    "managedByTenants": [],
    "name": "Enterprise A - Area B",
    "state": "Enabled",
    "tenantId": "da060e56-5e46-445d-8b74-5fb187bd2166",
    "user": {
      "name": "jlsv-external@feitam.es",
      "type": "user"
    }
  }
]
operatorfeitam@ubuntu2204-pc1:~$

And this can also be seen in table format with:

az account list --output table

Which shows it like this:

operatorfeitam@ubuntu2204-pc1:~$ az account list --output table
Name                     CloudName    SubscriptionId                        TenantId                              State    IsDefault
-----------------------  -----------  ------------------------------------  ------------------------------------  -------  -----------
Azure subscription 1     AzureCloud   bad4e527-3ef6-4378-a599-61f803834bce  6a292158-a1c7-4f67-99f9-435174e561b1  Enabled  False
Enterprise A - Area A    AzureCloud   cebc4372-083a-4bb3-8097-46e86ef3c417  da060e56-5e46-475d-8b74-5fb187bd2166  Enabled  True
...
...
Enterprise A - Area B    AzureCloud   181f645c-1e2e-4015-b7b8-d9791fc94cd4  da060e56-5e46-475d-8b74-5fb187bd2166  Enabled  False
operatorfeitam@ubuntu2204-pc1:~$

And to change the 'default' subscription we must execute the following:

az account set --subscription <subscription-id>

To clean all the associations we have to Azure subscriptions we must execute (this will force us to login again in the future):

az config set core.allow_broker=true
az account clear

How to sign in with the Azure CLI and manage associated subscriptions

terraform - first steps: creating a linux virtual server en Azure

How to sudo a user in Ubuntu... and how to remove sudo from the user