The plugin supports three distinct authentication types, including Azure CLI integration, service principal, and raw tokens.

Service Principal

Service principal must be provided via environment variables.

You can create a service principal with Azure CLI as follows:

# select correct subscription
az account set -s "my subscription name"

# create service principal
az ad sp create-for-rbac --name <name> --password <password>

This will yield something like:

  "appId": appid,
  "displayName": name,
  "name": name,
  "password": password,
  "tenant": guid

You will need to map it to environment variables for Custodian like this:


If you’re using a Service Principal across subscriptions with c7n-org you’ll need to grant it access to each of the subscriptions.

Once the service principal is created, follow these steps:

  • Open the Subscriptions tab
  • Select a subscription you’d like to manage with Cloud Custodian
  • Click Access Control (IAM)
  • Click Add
  • Set Role to Contributor
  • Type name of service principal in search bar and select it
  • Click Save

If this service principal will be writing logs to storage or leveraging queues for mailer you should also assign Storage roles, either at the subscription level or resource group/storage account level.

  • Blob Data Contributor
  • Queue Data Contributor

Access Token

Passing access tokens directly is useful for integration or fake test authentication.

For fake test authentication environment variables should be configured as shown below:


You will also find this configuration in tox.ini.