How to Copy Azure Storage Account Files with AzCopy and Azure AD Credentials

In the last couple of weeks, you might have seen that I wrote a couple of blog posts on how to manage Azure with AzCopy, including how you can upload files to an Azure Blob Storage container with PowerShell, sync files to Azure, or even migrate AWS S3 buckets to Azure. In most cases where you have used AzCopy, you might have used SAS tokens; with AzCopy v10, however, you can also use Azure AD accounts and service principals.

Authenticating against Azure with AzCopy using Azure AD accounts is simple. You can use the AzCopy login command:

azcopy login

If your account is in multiple tenants, you can also add the specific tenant ID.


To find your tenant ID, log in to the Azure Portal and go to Azure Active Directory -> Properties; there you will find your Directory/Tenant ID.

After running this command, you will need to open the device login page and enter your code to authenticate. If you signed in correctly, you will see the following page:

Azure Device Login Page.jpg

Set the right permissions

Important: to interact with the Azure Storage Account, you will need to set the right permissions for the account, even if you are the account owner.

If you want to download files from Azure, make sure that your user identity has the Storage Blob Data Reader role assigned. If you want to upload files, you will need to assign Storage Blob Data Contributor or Storage Blob Data Owner.

You can assign these roles at different scopes, with more or less granularity:

  • Container (file system)
  • Storage account
  • Resource group
  • Subscription

With the right permissions and login, you can now easily upload and download files from your Azure Storage Account using AzCopy and your Azure AD credentials.


azcopy copy "C:\temp\images" "https://<storage-account>.blob.core.windows.net/<container>" --recursive=true

If you are like me and you get the following error:

“RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.”


This means you don't have the right permissions, and you will need to grant access to Azure blob and queue data with RBAC in the Azure portal, Azure CLI or Azure PowerShell.
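One way to prepare that grant with the Azure CLI at the narrowest scope that works, as an added example that is not from the original article: the script builds the scope string for any of the four levels listed in the permissions section, picks the role the article names for the direction of the copy, and prints the `az role assignment create` and `azcopy login --tenant-id` commands for review instead of running them. The helper names `role_for`, `scope_for` and `plan`, and every ID, user and resource name, are constructed for illustration.

```bash
#!/bin/sh
# Added example; every ID and name used here is a constructed placeholder.

# Least-privileged data role for each AzCopy direction, as named in the article.
role_for() {
  case "$1" in
    download) echo "Storage Blob Data Reader" ;;
    upload)   echo "Storage Blob Data Contributor" ;;
    *) echo "unknown operation: $1" >&2; return 1 ;;
  esac
}

# Build the RBAC scope for one of the four levels in the article's list.
# usage: scope_for LEVEL SUBSCRIPTION [RESOURCE_GROUP [ACCOUNT [CONTAINER]]]
# The ( ) body runs in a subshell, so its variables do not leak to the caller.
scope_for() (
  level=$1 sub=$2 rg=$3 acct=$4 ctr=$5
  need() { [ -n "$1" ] || { echo "$level scope needs $2" >&2; return 1; }; }
  case "$level" in
    subscription|resource-group|account|container) ;;
    *) echo "unknown level: $level" >&2; return 1 ;;
  esac
  need "$sub" "a subscription ID" || return 1
  s="/subscriptions/$sub"
  [ "$level" = subscription ] && { echo "$s"; return 0; }
  need "$rg" "a resource group" || return 1
  s="$s/resourceGroups/$rg"
  [ "$level" = resource-group ] && { echo "$s"; return 0; }
  need "$acct" "a storage account" || return 1
  s="$s/providers/Microsoft.Storage/storageAccounts/$acct"
  [ "$level" = account ] && { echo "$s"; return 0; }
  need "$ctr" "a container" || return 1
  echo "$s/blobServices/default/containers/$ctr"
)

# Print, without running, the commands to review before granting access.
# usage: plan OPERATION TENANT_ID ASSIGNEE LEVEL SUBSCRIPTION [RG [ACCT [CTR]]]
plan() (
  op=$1 tenant=$2 assignee=$3; shift 3
  role=$(role_for "$op") || return 1
  scope=$(scope_for "$@") || return 1
  printf "az role assignment create --assignee '%s' --role '%s' --scope '%s'\n" "$assignee" "$role" "$scope"
  printf "azcopy login --tenant-id '%s'\n" "$tenant"
)

# Constructed values: download-only access limited to a single container.
plan download "00000000-0000-0000-0000-000000000000" "user@example.com" \
  container "11111111-1111-1111-1111-111111111111" rg-demo stdemo images
```

Granting the Reader role on a single container keeps a download-only identity from reading or changing anything else in the storage account, resource group or subscription.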

I hope this article helps you, especially when you didn't configure the necessary permissions, or your account is in multiple Azure AD tenants. If you have any questions, please let me know in the comments.


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.