Pulumi Official
Package maintained by Pulumi
v5.26.1 published on Monday, Jul 11, 2022 by Pulumi

The Pulumi AzureAD provider uses the AzureAD SDK to manage and provision resources.


The AzureAD provider is available as a package in all Pulumi languages:


Pulumi relies on the AzureAD SDK to authenticate requests from your computer to AzureAD. Your credentials are never sent to The Pulumi AzureAD Provider needs to be configured with AzureAD credentials before it can be used to create resources.

Pulumi can authenticate to Azure using a Service Principal or the Azure CLI.

If you’re running the Pulumi CLI locally, in a developer scenario, we recommend using the Azure CLI. For team environments, particularly in CI, a Service Principal is recommended.

Note: Authenticating using the CLI will not work for Service Principal logins (e.g., az login --service-principal). For such cases, authenticate using the Service Principal method instead.

CLI Authentication

Login to the Azure CLI and Pulumi will automatically use your credentials:

$ az login
The default web browser has been opened at Please continue
the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow
with `az login --use-device-code`.

Do as instructed to login. After completed, az login will return and you are ready to go.

Note: If you’re using Government, China, or German Clouds, you’ll need to configure the Azure CLI to work with that cloud. Do so by running az cloud set --name <Cloud>, where <Cloud> is one of AzureUSGovernment, AzureChinaCloud, or AzureGermanCloud.

The Azure CLI, and thus Pulumi, will use the Default Subscription by default, however it is possible to override the subscription, by simply setting your subscription ID to the id output from az account list’s output:

$ az account list

Pick out the <id> from the list and run:

$ az account set --subscription=<id>

Service Principal Authentication

A Service Principal is an application in Azure Active Directory with three authorization tokens: a client ID, a client secret, and a tenant ID. (These are often simply called appId, password, and tenant, respectively.) Using a Service Principal is the recommended way to connect Pulumi to Azure in a team or CI setting.

Configuring Authorization Tokens

Once the credetials are obtained, there are two ways to communicate your authorization tokens to Pulumi:

  1. Set the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID respectively

  2. Set them using configuration

    $ pulumi config set azuread:clientId <clientID>
    $ pulumi config set azuread:clientSecret <clientSecret> --secret
    $ pulumi config set azuread:tenantId <tenantID>

Creating a Service Principal

To use a Service Principal, you must first create one. This can be done using the Azure CLI, the Azure Cloud Shell, or the Azure Portal. Please refer to the Azure documentation for detailed instructions:

After creating a Service Principal, you will obtain three important tokens, mapping to the three shown earlier:

  • appId is the client ID
  • password is the client secret
  • tenant is the tenant ID

For example, a common Service Principal as displayed by the Azure CLI looks something like this:

  "displayName": "ServicePrincipalName",
  "name": "http://ServicePrincipalName",

You also need to obtain a Subscription ID. To retrieve your current Subscription ID, you can use:

$ az account show --query id -o tsv

To list all available subscriptions, you can use:

$ az account list --query '[].{subscriptionName:name,subscriptionId:id}' -o tsv

The environment variables would then be set as such:


Or configuration variables, if you prefer that they be stored alongside your Pulumi stack for easy multi-user access:

$ pulumi config set azuread:clientId "WWWWWWWW-WWWW-WWWW-WWWW-WWWWWWWWWWWW"
$ pulumi config set azuread:clientSecret "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" --secret
$ pulumi config set azuread:tenantId "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"

Remember to pass --secret when setting clientSecret so that it is properly encrypted.