docs/documentation/platform/pam/accounts/azure-cli.mdx
Azure CLI accounts let you broker credential-less access to Azure. Instead of handing out a service principal's client secret, users request access through Infisical and run az commands as the target service principal through a Gateway, with every command logged. The secret never leaves Infisical.
Each account points at a single Microsoft Entra ID (Azure AD) service principal, identified by its tenant ID and client ID, with a client secret stored encrypted. When a user starts a session:
az traffic is routed through a local proxy to the Infisical Gateway, which reaches Azure on their behalf.az, the local login only ever holds a placeholder token.A plane is only usable if the service principal has permission for it (RBAC for Resource Manager, Key Vault, and Storage; application permissions with admin consent for Microsoft Graph). Planes the principal can't get a token for are simply not brokered.
Before adding the account, create a service principal in Azure and give it access.
<Steps> <Step title="Create a service principal"> In the Azure Portal, go to **Microsoft Entra ID → App registrations → New registration**, give it a name (e.g., `infisical-pam`), and register it. From the app's **Overview**, record the **Application (client) ID** and **Directory (tenant) ID**. </Step> <Step title="Create a client secret"> In the app, go to **Certificates & secrets → New client secret**, then copy the secret **Value** immediately (it is shown only once). This is the secret you paste into Infisical, not the Secret ID. </Step> <Step title="Grant the service principal access"> RBAC role assignments are made on the resource, not on the app. Open the subscription (or a resource group) you want to grant access to, go to **Access control (IAM) → Add role assignment**, pick a role (for example **Reader**), and on the **Members** tab select your app registration. Assign a more privileged role only if the session needs write access. </Step> <Step title="Start adding the account in Infisical"> Go to **Privileged Access Management → Accounts** and click **Add Account**. Choose which [folder](/documentation/platform/pam/folders/overview) to add the account to, then select an Azure CLI [template](/documentation/platform/pam/templates/overview).The template (or the account) must be assigned a [Gateway](/documentation/platform/gateways/overview): Azure traffic is proxied through it, so the Gateway needs outbound access on port `443` to `login.microsoftonline.com`, `management.azure.com`, `graph.microsoft.com`, `*.vault.azure.net`, and `*.core.windows.net`.
Use the CLI to start a session. This requires the Azure CLI (az) to be installed locally.
infisical pam access my-folder/prod-reader
The command starts an isolated, authenticated shell for the session. It does not touch your own az login. Run az commands as normal:
az account show
az group list
Type exit to end the session (or press Ctrl+C, or wait for it to expire). The isolated session state is wiped when the session ends.
Flags:
--reason <reason>: provide an access reason (if required by the template)--duration <duration>: request a session duration (e.g., 30m), capped at the template maximum