az commands as the target service principal through a Gateway, with every command logged. The secret never leaves Infisical.
Azure CLI accounts are available through the CLI and API only. There is no in-browser (web) access.
How It Works
Each account points at a single Microsoft Entra ID (Azure AD) service principal, identified by its tenant ID and client ID, with a client secret stored encrypted. When a user starts a session:- Infisical obtains short-lived access tokens for the service principal (via the OAuth 2.0 client-credentials grant), one per supported Azure plane: Resource Manager, Microsoft Graph, Key Vault, and Storage.
- The user’s
aztraffic is routed through a local proxy to the Infisical Gateway, which reaches Azure on their behalf. - The Gateway injects the token for the plane each request targets before forwarding it, so the user never handles a real credential. To
az, the local login only ever holds a placeholder token.
Creating an Account
Before adding the account, create a service principal in Azure and give it access.Create a service principal
In the Azure Portal, go to Microsoft Entra ID → App registrations → New registration, give it a name (e.g.,
infisical-pam), and register it. From the app’s Overview, record the Application (client) ID and Directory (tenant) ID.Create a client secret
In the app, go to Certificates & secrets → New client secret, then copy the secret Value immediately (it is shown only once). This is the secret you paste into Infisical, not the Secret ID.
Grant the service principal access
RBAC role assignments are made on the resource, not on the app. Open the subscription (or a resource group) you want to grant access to, go to Access control (IAM) → Add role assignment, pick a role (for example Reader), and on the Members tab select your app registration. Assign a more privileged role only if the session needs write access.
Start adding the account in Infisical
Go to Privileged Access Management → Accounts and click Add Account. Choose which folder to add the account to, then select an Azure CLI template.The template (or the account) must be assigned a Gateway: Azure traffic is proxied through it, so the Gateway needs outbound access on port
443 to login.microsoftonline.com, management.azure.com, graph.microsoft.com, *.vault.azure.net, and *.core.windows.net.Enter connection details and credentials
| Field | Description |
|---|---|
| Name | A descriptive name (e.g., prod-reader) |
| Tenant ID | The directory (tenant) ID, a GUID or a domain such as contoso.onmicrosoft.com |
| Subscription ID | Optional. The subscription the CLI session defaults to |
| Client ID | The application (client) ID of the service principal (a GUID) |
| Client Secret | A client secret for the service principal. Stored encrypted and never returned to clients |
Connecting
Use the CLI to start a session. This requires the Azure CLI (az) to be installed locally.
az login. Run az commands as normal:
exit to end the session (or press Ctrl+C, or wait for it to expire). The isolated session state is wiped when the session ends.
Flags:
--reason <reason>: provide an access reason (if required by the template)--duration <duration>: request a session duration (e.g.,30m), capped at the template maximum
An Azure session recording is a log of the HTTP requests and responses made to Azure during the session: each request’s method and URL, and its response body. Key Vault request and response bodies are redacted in the log, since they carry secret values.
Next Steps
GCP Service Account Accounts
Add GCP service account accounts.
Sessions
View and manage sessions.