Authorize access for AzCopy with a user identity

User identity authentication provides a straightforward way to authorize AzCopy operations by using your personal Microsoft Entra ID credentials. This authentication method is ideal for interactive scenarios where you manually run AzCopy commands or work in development environments.

This article shows you how to authenticate AzCopy by using your user identity with environment variables, the interactive AzCopy sign-in command, or by leveraging existing Azure CLI or Azure PowerShell sessions.

For other ways to authorize access to AzCopy, see Authorize AzCopy.

Verify role assignments

Ensure your user identity has the required Azure role for your intended operations:

For role assignment instructions, see Assign an Azure role for access to blob data (Blob Storage) or Choose how to authorize access to file data in the Azure portal (Azure Files).

Note

Role assignments can take up to five minutes to propagate.

If you're transferring blobs in an account that has a hierarchical namespace, you don't need to assign these roles to your security principal if you add your security principal to the access control list (ACL) of the target container or directory. In the ACL, your security principal needs write permission on the target directory and execute permission on the container and each parent directory. To learn more, see Access control model in Azure Data Lake Storage.

Authorize by using environment variables

To authorize access, set in-memory environment variables, and then run any AzCopy command. AzCopy uses the credentials that you provide to retrieve the OAuth token required to complete the operation. After the operation completes, the token is removed from memory.

After you verify that your user identity has the necessary authorization, enter the following command, and then press ENTER.

export AZCOPY_AUTO_LOGIN_TYPE=DEVICE

Then, run any AzCopy command (for example: azcopy list https://contoso.blob.core.windows.net).

This command returns an authentication code and the URL of a website. Open the website, provide the code, and then select the Next button.

A sign-in window appears. In that window, sign in to your Azure account by using your Azure account credentials. After you successfully sign in, the operation completes.

Authorize with the AzCopy login command

Instead of using in-memory variables, authorize access by using the azcopy login command.

The azcopy login command gets an OAuth token and then puts that token into a secret store on your system. If your operating system doesn't have a secret store, such as a Linux keyring, the azcopy login command doesn't work because there's nowhere to place the token.

After you verify that your user identity has the necessary authorization level, open a command prompt, type the following command, and then press the ENTER key.

azcopy login

If you receive an error, try including the tenant ID of the organization to which the storage account belongs.

azcopy login --tenant-id=<tenant-id>

Replace the <tenant-id> placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select Tenant properties > Tenant ID in the Azure portal.

This command returns an authentication code and the URL of a website. Open the website, provide the code, and then select the Next button.

A sign-in window appears. In that window, sign in to your Azure account by using your Azure account credentials. After you successfully sign in, you can close the browser window and begin using AzCopy.

Authorize by using Azure CLI

If you sign in by using Azure CLI, Azure CLI gets an OAuth token that AzCopy can use to authorize operations.

To enable AzCopy to use that token, type the following commands, and then press the ENTER key.

export AZCOPY_AUTO_LOGIN_TYPE=AZCLI
export AZCOPY_TENANT_ID=<tenant-id>

For more information about how to sign in by using the Azure CLI, see Sign into Azure interactively using the Azure CLI.

Authorize by using Azure PowerShell

If you sign in by using Azure PowerShell, Azure PowerShell gets an OAuth token that AzCopy can use to authorize operations.

To enable AzCopy to use that token, type the following commands, and then press the ENTER key.

$Env:AZCOPY_AUTO_LOGIN_TYPE="PSCRED"
$Env:AZCOPY_TENANT_ID="<tenant-id>"

For more information about how to sign in by using Azure PowerShell, see Sign in to Azure PowerShell interactively.
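
Once exported, the environment variables shown in the sections above stay set for the rest of the shell session. The following shell function is an added example, not part of the original article or the AzCopy project: it scopes the login type and tenant ID to a single AzCopy invocation and rejects values other than the ones this article uses. The names `azcopy_as_user` and `AZCOPY_BIN` are hypothetical, and the tenant ID in the usage comment is a constructed value.

```shell
# Added example, not AzCopy project code. AZCOPY_BIN and azcopy_as_user are
# hypothetical names; the tenant ID in the usage line is a constructed value.
AZCOPY_BIN="${AZCOPY_BIN:-azcopy}"

# Accept only the user-identity login types named in this article.
valid_login_type() {
  case "$1" in
    DEVICE|AZCLI|PSCRED) return 0 ;;
    *) return 1 ;;
  esac
}

# A Microsoft Entra tenant ID is a GUID (8-4-4-4-12 hex digits).
valid_tenant_id() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Usage: azcopy_as_user <login-type> <tenant-id|-> <azcopy arguments...>
# The body is a subshell, so the exports below never reach the calling shell.
azcopy_as_user() (
  if [ "$#" -lt 3 ]; then
    echo "usage: azcopy_as_user <login-type> <tenant-id|-> <azcopy args...>" >&2
    exit 2
  fi
  login_type=$1
  tenant_id=$2
  shift 2
  if ! valid_login_type "$login_type"; then
    echo "unsupported AZCOPY_AUTO_LOGIN_TYPE: $login_type" >&2
    exit 2
  fi
  # Drop any tenant ID inherited from the session so a stale value is not reused.
  unset AZCOPY_TENANT_ID
  if [ "$tenant_id" != "-" ]; then
    if ! valid_tenant_id "$tenant_id"; then
      echo "tenant ID is not a GUID: $tenant_id" >&2
      exit 2
    fi
    export AZCOPY_TENANT_ID="$tenant_id"
  fi
  export AZCOPY_AUTO_LOGIN_TYPE="$login_type"
  exec "$AZCOPY_BIN" "$@"
)

# Example call (the URL is the one used earlier in this article):
# azcopy_as_user AZCLI 00000000-0000-0000-0000-000000000000 \
#   list https://contoso.blob.core.windows.net
```

Pass `-` as the tenant ID to run without `AZCOPY_TENANT_ID`, as in the `DEVICE` example earlier in this article.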
