Skip to main content
Azure CLI accounts let you broker credential-less access to Azure. Instead of handing out a service principal’s client secret, users request access through Infisical and run az commands as the target service principal through a Gateway, with every command logged. The secret never leaves Infisical.
Azure CLI accounts are available through the CLI and API only. There is no in-browser (web) access.

How It Works

Each account points at a single Microsoft Entra ID (Azure AD) service principal, identified by its tenant ID and client ID, with a client secret stored encrypted. When a user starts a session:
  1. Infisical obtains short-lived access tokens for the service principal (via the OAuth 2.0 client-credentials grant), one per supported Azure plane: Resource Manager, Microsoft Graph, Key Vault, and Storage.
  2. The user’s az traffic is routed through a local proxy to the Infisical Gateway, which reaches Azure on their behalf.
  3. The Gateway injects the token for the plane each request targets before forwarding it, so the user never handles a real credential. To az, the local login only ever holds a placeholder token.
A plane is only usable if the service principal has permission for it (RBAC for Resource Manager, Key Vault, and Storage; application permissions with admin consent for Microsoft Graph). Planes the principal can’t get a token for are simply not brokered.

Creating an Account

Before adding the account, create a service principal in Azure and give it access.
1

Create a service principal

In the Azure Portal, go to Microsoft Entra ID → App registrations → New registration, give it a name (e.g., infisical-pam), and register it. From the app’s Overview, record the Application (client) ID and Directory (tenant) ID.
2

Create a client secret

In the app, go to Certificates & secrets → New client secret, then copy the secret Value immediately (it is shown only once). This is the secret you paste into Infisical, not the Secret ID.
3

Grant the service principal access

RBAC role assignments are made on the resource, not on the app. Open the subscription (or a resource group) you want to grant access to, go to Access control (IAM) → Add role assignment, pick a role (for example Reader), and on the Members tab select your app registration. Assign a more privileged role only if the session needs write access.
4

Start adding the account in Infisical

Go to Privileged Access Management → Accounts and click Add Account. Choose which folder to add the account to, then select an Azure CLI template.The template (or the account) must be assigned a Gateway: Azure traffic is proxied through it, so the Gateway needs outbound access on port 443 to login.microsoftonline.com, management.azure.com, graph.microsoft.com, *.vault.azure.net, and *.core.windows.net.
5

Enter connection details and credentials

FieldDescription
NameA descriptive name (e.g., prod-reader)
Tenant IDThe directory (tenant) ID, a GUID or a domain such as contoso.onmicrosoft.com
Subscription IDOptional. The subscription the CLI session defaults to
Client IDThe application (client) ID of the service principal (a GUID)
Client SecretA client secret for the service principal. Stored encrypted and never returned to clients
6

Save

Click Create.

Connecting

Use the CLI to start a session. This requires the Azure CLI (az) to be installed locally.
infisical pam access my-folder/prod-reader
The command starts an isolated, authenticated shell for the session. It does not touch your own az login. Run az commands as normal:
az account show
az group list
Type exit to end the session (or press Ctrl+C, or wait for it to expire). The isolated session state is wiped when the session ends. Flags:
  • --reason <reason>: provide an access reason (if required by the template)
  • --duration <duration>: request a session duration (e.g., 30m), capped at the template maximum
An Azure session recording is a log of the HTTP requests and responses made to Azure during the session: each request’s method and URL, and its response body. Key Vault request and response bodies are redacted in the log, since they carry secret values.

Next Steps

GCP Service Account Accounts

Add GCP service account accounts.

Sessions

View and manage sessions.