login
Log in to Microsoft 365
Usage
m365 login [options]
Options
-t, --authType [authType]
The type of authentication to use. Allowed values
certificate
,deviceCode
,password
,identity
,browser
,secret
. DefaultdeviceCode
-u, --userName [userName]
Name of the user to authenticate. Required when
authType
is set topassword
-p, --password [password]
Password for the user or the certificate. Required when
authType
is set topassword
, or whenauthType
is set tocertificate
and the provided certificate requires a password to open-c, --certificateFile [certificateFile]
Path to the file with certificate private key. When
authType
is set tocertificate
, specify eithercertificateFile
orcertificateBase64Encoded
--certificateBase64Encoded [certificateBase64Encoded]
Base64-encoded string with certificate private key. When
authType
is set tocertificate
, specify eithercertificateFile
orcertificateBase64Encoded
--thumbprint [thumbprint]
Certificate thumbprint. If not specified, and
authType
is set tocertificate
, it will be automatically calculated based on the specified certificate-s, --secret [secret]
Client Secret of the Microsoft Entra application to use for authentication. Required when
authType
is set tosecret
.--appId [appId]
App ID of the Microsoft Entra application to use for authentication. If not specified, use the app specified in the
CLIMICROSOFT365_ENTRAAPPID
environment variable. If the environment variable is not defined, use the multitenant PnP Management Shell app--tenant [tenant]
ID of the tenant from which accounts should be able to authenticate. Use
common
ororganization
if the app is multitenant. If not specified, use the tenant specified in theCLIMICROSOFT365_TENANT
environment variable. If the environment variable is not defined, usecommon
as the tenant identifier--cloud [cloud]
Cloud to connect to. Allowed values
Public
,USGov
,USGovHigh
,USGovDoD
andChina
. DefaultPublic
--connectionName [connectionName]
Specify an optional name to make switching between connections easier.
-h, --help [help]
Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are
options
,examples
,remarks
,response
,full
. Default isoptions
.--query [query]
JMESPath query string. See http://jmespath.org/ for more information and examples.
-o, --output [output]
Output type.
json
,text
,csv
,md
,none
. Defaultjson
.--verbose
Runs command with verbose logging.
--debug
Runs command with debug logging.
Remarks
Using the login
command you can log in to Microsoft 365.
By default, the login
command uses device code OAuth flow to log in to Microsoft 365. Alternatively, you can authenticate using a user name and password or certificate, which are convenient for CI/CD scenarios, but which come with their own limitations. The default authType
can be configured using m365 cli config set
. This means you'll be able to run m365 login
without specifying the --authType
option.
When logging in to Microsoft 365 using the user name and password, next to the access and refresh token, the CLI for Microsoft 365 will store the user credentials so that it can automatically re-authenticate if necessary. Similarly to the tokens, the credentials are removed by re-authenticating using the device code or by calling the logout command.
When logging in to Microsoft 365 using a certificate, the CLI for Microsoft 365 will store the contents of the certificate so that it can automatically re-authenticate if necessary. The contents of the certificate are removed by re-authenticating using the device code or by calling the logout command.
To log in to Microsoft 365 using a certificate or secret, you will typically create a custom Microsoft Entra application. To use this application with the CLI for Microsoft 365, you will set the CLIMICROSOFT365_ENTRAAPPID
environment variable to the application's ID and the CLIMICROSOFT365_TENANT
environment variable to the ID of the Microsoft Entra tenant, where you created the Microsoft Entra application. Also, please make sure to read about the caveats when using the certificate login option.
Managed identity in Azure Cloud Shell is the identity of the user. It is neither system- nor user-assigned and it can't be configured. To log in to Microsoft 365 using managed identity in Azure Cloud Shell, set authType
to identity
and don't specify the userName
option.
When connecting to clouds other than Public
, you'll need to use a Microsoft Entra application registered in a directory provisioned in that cloud. If you try to login using the default Microsoft Entra application, login will fail.
When signing in with multiple identities, every signin will be saved as a connection. You can list available connections using m365 connection list and switch between connections using m365 connection use
Examples
Log in to Microsoft 365 using the device code
m365 login
Log in to Microsoft 365 using the device code and set the connection name
m365 login --connectionName 'myworkaccount'
Log in to Microsoft 365 using the device code in debug mode including detailed debug information in the console output
m365 login --debug
Log in to Microsoft 365 using a user name and password
m365 login --authType password --userName user@contoso.com --password pass@word1
Log in to Microsoft 365 using a PEM certificate
m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pem
Log in to Microsoft 365 using a PEM certificate. Use the specified thumbprint
m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pem --thumbprint 47C4885736C624E90491F32B98855AA8A7562AF1
Log in to Microsoft 365 using a personal information exchange (.pfx) file
m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pfx --password 'pass@word1'
Log in to Microsoft 365 using a personal information exchange (.pfx) file protected with an empty password
m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pfx --password
Log in to Microsoft 365 using a personal information exchange (.pfx) file not protected with a password
m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pfx
Log in to Microsoft 365 using a personal information exchange (.pfx) file. Use the specified thumbprint
m365 login --authType certificate --certificateFile /Users/user/dev/localhost.pfx --thumbprint 47C4885736C624E90491F32B98855AA8A7562AF1 --password 'pass@word1'
Log in to Microsoft 365 using a certificate from a base64-encoded string
m365 login --authType certificate --certificateBase64Encoded MIII2QIBAzCCCJ8GCSqGSIb3DQEHAaCCCJAEg...eX1N5AgIIAA== --thumbprint D0C9B442DE249F55D10CDA1A2418952DC7D407A3
Log in to Microsoft 365 using a system assigned managed identity. Applies to Azure resources with managed identity enabled, such as Azure Virtual Machines, Azure App Service or Azure Functions
m365 login --authType identity
Log in to Microsoft 365 using managed identity in Azure Cloud Shell. Uses the identity of the current user.
m365 login --authType identity
Log in to Microsoft 365 using a user-assigned managed identity. Client id or principal id also known as object id value can be specified in the userName
option. Applies to Azure resources with managed identity enabled, such as Azure Virtual Machines, Azure App Service or Azure Functions
m365 login --authType identity --userName ac9fbed5-804c-4362-a369-21a4ec51109e
Log in to Microsoft 365 using your own multitenant Microsoft Entra application
m365 login --appId 31359c7f-bd7e-475c-86db-fdb8c937548c
Log in to Microsoft 365 using your own Microsoft Entra application that's restricted only to allow accounts from the specific tenant
m365 login --appId 31359c7f-bd7e-475c-86db-fdb8c937548c --tenant 31359c7f-bd7e-475c-86db-fdb8c937548a
Log in to Microsoft 365 using your own Microsoft Entra application and a personal information exchange (.pfx) file
m365 login --authType certificate --appId 31359c7f-bd7e-475c-86db-fdb8c937548c --tenant 31359c7f-bd7e-475c-86db-fdb8c937548a --certificateFile /Users/user/dev/localhost.pfx --password 'pass@word1'
Log in to Microsoft 365 using the interactive browser authentication. Uses the identity of the current user.
m365 login --authType browser
Log in to Microsoft 365 using a client secret.
m365 login --authType secret --secret topSeCr3t@007
Response
- JSON
- Text
- CSV
- Markdown
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CQBMTLEFC to authenticate.
Upon successful login:
{
"connectionName": "dd8b99a7-77c6-4238-a609-396d27844921",
"connectedAs": "john.doe@contoso.onmicrosoft.com",
"authType": "DeviceCode",
"appId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
"appTenant": "common",
"cloudType": "Public"
}
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CQBMTLEFC to authenticate.
Upon successful login:
appId : 31359c7f-bd7e-475c-86db-fdb8c937548e
appTenant : common
authType : DeviceCode
cloudType : Public
connectedAs : john.doe@contoso.onmicrosoft.com
connectionName: dd8b99a7-77c6-4238-a609-396d27844921
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CQBMTLEFC to authenticate.
Upon successful login:
connectionName,connectedAs,authType,appId,appTenant,cloudType
dd8b99a7-77c6-4238-a609-396d27844921,john.doe@contoso.onmicrosoft.com,DeviceCode,31359c7f-bd7e-475c-86db-fdb8c937548e,common,Public
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CQBMTLEFC to authenticate.
Upon successful login:
# login
Date: 7/2/2023
Property | Value
---------|-------
connectionName | dd8b99a7-77c6-4238-a609-396d27844921
connectedAs | john.doe@contoso.onmicrosoft.com
authType | DeviceCode
appId | 31359c7f-bd7e-475c-86db-fdb8c937548e
appTenant | common
cloudType | Public