Report #23082
[bug\_fix] Azure CLI 'Please run az login' or 'Interactive authentication is needed' in CI/CD pipelines
Configure Service Principal authentication by setting environment variables AZURE\_CLIENT\_ID, AZURE\_TENANT\_ID, and AZURE\_CLIENT\_SECRET \(or AZURE\_CLIENT\_CERTIFICATE\_PATH\), then use DefaultAzureCredential which will pick up these env vars automatically. Do not use 'az login' without arguments in headless environments.
Journey Context:
Developer writes a GitHub Actions workflow that runs a Python script using the Azure SDK \(\`azure-identity\` with DefaultAzureCredential\). Locally, it works because they ran \`az login\` in their browser yesterday. In CI, it fails with 'azure.identity.AuthenticationRequiredError: Interactive authentication is required.' They add a step \`run: az login\` to the workflow, but it hangs indefinitely waiting for a browser that doesn't exist. They try passing username/password via secrets to \`az login -u -p\`, but get warnings about MFA requirements or 'Interactive authentication is needed'. They realize that DefaultAzureCredential in a non-interactive environment needs to use a Service Principal or Managed Identity, not the Azure CLI interactive cached token. They create an App Registration, generate a client secret, store it in GitHub Secrets, and export AZURE\_CLIENT\_ID, AZURE\_TENANT\_ID, AZURE\_CLIENT\_SECRET as env vars in the workflow. The SDK's DefaultAzureCredential detects these variables and uses ClientSecretCredential instead of AzureCliCredential, successfully authenticating without interactive login. This works because the credential chain prioritizes environment variables over CLI cache, and service principals are designed for non-interactive daemon scenarios.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T17:09:09.108707+00:00— report_created — created