| title | Authorize access for AzCopy with a managed identity |
|---|---|
| description | You can provide authorization credentials for AzCopy operations by a managed identity |
| author | normesta |
| ms.service | azure-storage |
| ms.topic | how-to |
| ms.date | 01/08/2026 |
| ms.author | normesta |
| ms.subservice | storage-common-concepts |
| ms.custom | devx-track-azurecli, devx-track-azurepowershell |
Managed identities provide a secure and convenient way to authorize AzCopy operations without storing credentials or managing SAS tokens. This authentication method is particularly valuable for automated scripts, CI/CD pipelines, and applications running on Azure Virtual Machines or other Azure services.
This article shows you how to configure AzCopy to use either system-assigned or user-assigned managed identities. You can authorize access through environment variables, the AzCopy login command, or by leveraging existing Azure CLI or Azure PowerShell sessions.
For more information about other ways to authorize access to AzCopy, see Authorize AzCopy.
Ensure your managed identity has the required Azure role for your intended operations:
-
For download operations, use Storage Blob Data Reader (Blob Storage) or Storage File Data Privileged Reader (Azure Files).
-
For upload operations, use Storage Blob Data Contributor or Storage Blob Data Owner (Blob Storage) or Storage File Data Privileged Contributor (Azure Files).
For role assignment instructions, see Assign an Azure role for access to blob data (Blob Storage) or Choose how to authorize access to file data in the Azure portal (Azure Files).
Note
Role assignments can take up to five minutes to propagate.
If you're transferring blobs in an account that has a hierarchical namespace, you don't need to assign one of these roles to your security principal if you add your security principal to the access control list (ACL) of the target container or directory. In the ACL, your security principal needs write permission on the target directory, and execute permission on container and each parent directory. To learn more, see Access control model in Azure Data Lake Storage.
To authorize access, set in-memory environment variables. Then run any AzCopy command. AzCopy retrieves the authentication token required to complete the operation. After the operation completes, the token disappears from memory.
AzCopy retrieves the OAuth token by using the credentials that you provide. Alternatively, AzCopy can use the OAuth token of an active Azure CLI or Azure PowerShell session.
This option is great if you plan to use AzCopy inside of a script that runs without user interaction, and the script runs from an Azure Virtual Machine (VM). When you use this option, you don't need to store any credentials on the VM.
You can sign in to your account by using a system-wide managed identity that you enable on your VM, or by using the client ID, object ID, or resource ID of a user-assigned managed identity that you assign to your VM.
To learn more about how to enable a system-wide managed identity or create a user-assigned managed identity, see Configure managed identities for Azure resources on a VM using the Azure portal.
First, make sure that you enable a system-wide managed identity on your VM. For more information, see System-assigned managed identity.
Type the following command, and then press ENTER.
export AZCOPY_AUTO_LOGIN_TYPE=MSI$Env:AZCOPY_AUTO_LOGIN_TYPE="MSI"Then, run any azcopy command. For example: azcopy list https://contoso.blob.core.windows.net.
First, make sure that you enable a user-assigned managed identity on your VM. For more information, see User-assigned managed identity.
Type the following command, and then press ENTER.
export AZCOPY_AUTO_LOGIN_TYPE=MSI$Env:AZCOPY_AUTO_LOGIN_TYPE="MSI"Next, set environment variables for either the client ID, object ID, or resource ID of the user-assigned managed identity.
To authorize by using a client ID, type the following command, and then press ENTER.
export AZCOPY_MSI_CLIENT_ID=<client-id>$Env:AZCOPY_MSI_CLIENT_ID="<client-id>"Replace the <client-id> placeholder with the client ID of the user-assigned managed identity.
You can find the client ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the client ID property.
[!div class="mx-imgBorder"]
To authorize by using an object ID, type the following command, and then press ENTER.
export AZCOPY_MSI_OBJECT_ID=<object-id>$Env:AZCOPY_MSI_OBJECT_ID="<object-id>"Replace the <object-id> placeholder with the object ID of the user-assigned managed identity.
You can find the object ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the object ID (also called the principal ID).
[!div class="mx-imgBorder"]
To authorize by using a resource ID, type the following command, and then press ENTER.
export AZCOPY_MSI_RESOURCE_STRING=<resource-id>$Env:AZCOPY_MSI_RESOURCE_STRING="<resource-id>"Replace the <resource-id> placeholder with the resource ID of the user-assigned managed identity.
You can find the resource ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the resource ID property.
[!div class="mx-imgBorder"]
Instead of using in-memory variables, authorize access by using the azcopy login command.
The azcopy login command retrieves an OAuth token and then places that token into a secret store on your system. If your operating system doesn't have a secret store such as a Linux keyring, the azcopy authentication login command doesn't work because there's nowhere to place the token.
First, make sure that you enable a system-wide managed identity on your VM. For more information, see System-assigned managed identity.
Then, in your command console, type the following command, and then press the ENTER key.
azcopy login --identity
First, make sure that you enable a user-assigned managed identity on your VM. For more information, see User-assigned managed identity. Then, sign in by using either the client ID, object ID, or resource ID of the user-assigned managed identity.
Type the following command, and then press ENTER.
azcopy login --identity --identity-client-id "<client-id>"
Replace the <client-id> placeholder with the client ID of the user-assigned managed identity.
You can find the client ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the client ID property.
[!div class="mx-imgBorder"]
Type the following command, and then press ENTER.
azcopy login --identity --identity-object-id "<object-id>"
Replace the <object-id> placeholder with the object ID of the user-assigned managed identity.
You can find the object ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the object ID (also called the principal ID).
[!div class="mx-imgBorder"]
Type the following command, and then press ENTER.
azcopy login --identity --identity-resource-id "<resource-id>"
Replace the <resource-id> placeholder with the resource ID of the user-assigned managed identity.
You can find the resource ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the resource ID property.
[!div class="mx-imgBorder"]
When you sign in by using Azure CLI, Azure CLI gets an OAuth token that AzCopy uses to authorize operations.
To enable AzCopy to use that token, type the following command, and then press the ENTER key.
export AZCOPY_AUTO_LOGIN_TYPE=AZCLI
export AZCOPY_TENANT_ID=<tenant-id>$Env:AZCOPY_AUTO_LOGIN_TYPE="PSCRED"
$Env:AZCOPY_TENANT_ID="<tenant-id>"For more information about how to sign in by using the Azure CLI, see Sign into Azure with a managed identity using Azure CLI.
If you sign in by using Azure PowerShell, Azure PowerShell obtains an OAuth token that AzCopy can use to authorize operations.
To enable AzCopy to use that token, type the following command, and then press the ENTER key.
$Env:AZCOPY_AUTO_LOGIN_TYPE="PSCRED"
$Env:AZCOPY_TENANT_ID="<tenant-id>"For more information about how to sign in by using Azure PowerShell, see Login with a managed identity.
-
For more information about AzCopy, see Get started with AzCopy.
-
If you have questions, encounter problems, or have general feedback, submit them on GitHub.