Skip to main content

login

Log in to Microsoft 365

Usage

m365 login [options]

Options

-t, --authType [authType]

The type of authentication to use. Allowed values certificate, deviceCode, password, identity, browser, secret. Default deviceCode

-u, --userName [userName]

Name of the user to authenticate. Required when authType is set to password

-p, --password [password]

Password for the user or the certificate. Required when authType is set to password, or when authType is set to certificate and the provided certificate requires a password to open

-c, --certificateFile [certificateFile]

Path to the file with certificate private key. When authType is set to certificate, specify either certificateFile or certificateBase64Encoded

--certificateBase64Encoded [certificateBase64Encoded]

Base64-encoded string with certificate private key. When authType is set to certificate, specify either certificateFile or certificateBase64Encoded

--thumbprint [thumbprint]

Certificate thumbprint. If not specified, and authType is set to certificate, it will be automatically calculated based on the specified certificate

-s, --secret [secret]

Client Secret of the Microsoft Entra application to use for authentication. Required when authType is set to secret.

--appId [appId]

App ID of the Microsoft Entra application to use for authentication. If not specified, use the app specified in the CLIMICROSOFT365_ENTRAAPPID environment variable. If the environment variable is not defined, use the multitenant PnP Management Shell app

--tenant [tenant]

ID of the tenant from which accounts should be able to authenticate. Use common or organization if the app is multitenant. If not specified, use the tenant specified in the CLIMICROSOFT365_TENANT environment variable. If the environment variable is not defined, use common as the tenant identifier

--cloud [cloud]

Cloud to connect to. Allowed values Public, USGov, USGovHigh, USGovDoD and China. Default Public

--connectionName [connectionName]

Specify an optional name to make switching between connections easier.

-h, --help [help]

Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are options, examples, remarks, response, full. Default is options.

--query [query]

JMESPath query string. See http://jmespath.org/ for more information and examples.

-o, --output [output]

Output type. json, text, csv, md, none. Default json.

--verbose

Runs command with verbose logging.

--debug

Runs command with debug logging.

Remarks

Using the login command you can log in to Microsoft 365.

By default, the login command uses device code OAuth flow to log in to Microsoft 365. Alternatively, you can authenticate using a user name and password or certificate, which are convenient for CI/CD scenarios, but which come with their own limitations. The default authType can be configured using m365 cli config set. This means you'll be able to run m365 login without specifying the --authType option.

When logging in to Microsoft 365 using the user name and password, next to the access and refresh token, the CLI for Microsoft 365 will store the user credentials so that it can automatically re-authenticate if necessary. Similarly to the tokens, the credentials are removed by re-authenticating using the device code or by calling the logout command.

When logging in to Microsoft 365 using a certificate, the CLI for Microsoft 365 will store the contents of the certificate so that it can automatically re-authenticate if necessary. The contents of the certificate are removed by re-authenticating using the device code or by calling the logout command.

To log in to Microsoft 365 using a certificate or secret, you will typically create a custom Microsoft Entra application. To use this application with the CLI for Microsoft 365, you will set the CLIMICROSOFT365_ENTRAAPPID environment variable to the application's ID and the CLIMICROSOFT365_TENANT environment variable to the ID of the Microsoft Entra tenant, where you created the Microsoft Entra application. Also, please make sure to read about the caveats when using the certificate login option.

Managed identity in Azure Cloud Shell is the identity of the user. It is neither system- nor user-assigned and it can't be configured. To log in to Microsoft 365 using managed identity in Azure Cloud Shell, set authType to identity and don't specify the userName option.

When connecting to clouds other than Public, you'll need to use a Microsoft Entra application registered in a directory provisioned in that cloud. If you try to login using the default Microsoft Entra application, login will fail.

tip

When signing in with multiple identities, every signin will be saved as a connection. You can list available connections using m365 connection list and switch between connections using m365 connection use

Examples

Log in to Microsoft 365 using the device code

m365 login

Log in to Microsoft 365 using the device code and set the connection name

m365 login --connectionName 'myworkaccount'

Log in to Microsoft 365 using the device code in debug mode including detailed debug information in the console output

m365 login --debug

Log in to Microsoft 365 using a user name and password

m365 login --authType password --userName user@contoso.com --password pass@word1

Log in to Microsoft 365 using a PEM certificate

m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pem

Log in to Microsoft 365 using a PEM certificate. Use the specified thumbprint

m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pem  --thumbprint 47C4885736C624E90491F32B98855AA8A7562AF1

Log in to Microsoft 365 using a personal information exchange (.pfx) file

m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pfx --password 'pass@word1'

Log in to Microsoft 365 using a personal information exchange (.pfx) file protected with an empty password

m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pfx --password

Log in to Microsoft 365 using a personal information exchange (.pfx) file not protected with a password

m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pfx

Log in to Microsoft 365 using a personal information exchange (.pfx) file. Use the specified thumbprint

m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pfx --thumbprint 47C4885736C624E90491F32B98855AA8A7562AF1 --password 'pass@word1'

Log in to Microsoft 365 using a certificate from a base64-encoded string

m365 login --authType certificate --certificateBase64Encoded MIII2QIBAzCCCJ8GCSqGSIb3DQEHAaCCCJAEg...eX1N5AgIIAA== --thumbprint D0C9B442DE249F55D10CDA1A2418952DC7D407A3

Log in to Microsoft 365 using a system assigned managed identity. Applies to Azure resources with managed identity enabled, such as Azure Virtual Machines, Azure App Service or Azure Functions

m365 login --authType identity

Log in to Microsoft 365 using managed identity in Azure Cloud Shell. Uses the identity of the current user.

m365 login --authType identity

Log in to Microsoft 365 using a user-assigned managed identity. Client id or principal id also known as object id value can be specified in the userName option. Applies to Azure resources with managed identity enabled, such as Azure Virtual Machines, Azure App Service or Azure Functions

m365 login --authType identity --userName ac9fbed5-804c-4362-a369-21a4ec51109e

Log in to Microsoft 365 using your own multitenant Microsoft Entra application

m365 login --appId 31359c7f-bd7e-475c-86db-fdb8c937548c

Log in to Microsoft 365 using your own Microsoft Entra application that's restricted only to allow accounts from the specific tenant

m365 login --appId 31359c7f-bd7e-475c-86db-fdb8c937548c --tenant 31359c7f-bd7e-475c-86db-fdb8c937548a

Log in to Microsoft 365 using your own Microsoft Entra application and a personal information exchange (.pfx) file

m365 login --authType certificate --appId 31359c7f-bd7e-475c-86db-fdb8c937548c --tenant 31359c7f-bd7e-475c-86db-fdb8c937548a --certificateFile /Users/user/dev/localhost.pfx --password 'pass@word1'

Log in to Microsoft 365 using the interactive browser authentication. Uses the identity of the current user.

m365 login --authType browser

Log in to Microsoft 365 using a client secret.

m365 login --authType secret --secret topSeCr3t@007

Response

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CQBMTLEFC to authenticate.

Upon successful login:

{
"connectionName": "dd8b99a7-77c6-4238-a609-396d27844921",
"connectedAs": "john.doe@contoso.onmicrosoft.com",
"authType": "DeviceCode",
"appId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
"appTenant": "common",
"cloudType": "Public"
}
CTRL + M