# Azure CLI Cheat Sheet

{% embed url="https://learn.microsoft.com/en-us/cli/azure/reference-docs-index?view=azure-cli-latest" %}

## Authentication

### Login

{% tabs %}
{% tab title="Interactive Login" %}
{% code overflow="wrap" %}

```zsh
az login ## complete auth in web browser
az login --use-device-code ## if no web browser available
```

{% endcode %}
{% endtab %}

{% tab title="Service Principal" %}

* With App ID and client secret

{% code overflow="wrap" %}

```zsh
az login --service-principal --username <user-name-xxxx-xxxx-xxxxxxxxxxxx> --password <password> --tenant <tenant>

## avoid displaying the password (zsh treats `read -p` as "read from coprocess", so prompt with printf instead)
printf "Azure password: " && read -s AZ_PASS && echo && az login --service-principal --username <app-id> --password "$AZ_PASS" --tenant <tenant>
```

{% endcode %}

* With App ID and certificate

{% code overflow="wrap" %}

```zsh
az login --service-principal --username <user-name> --certificate /path/to/cert.pem --tenant <tenant>
```

{% endcode %}
{% endtab %}

{% tab title="Managed Identity" %}

* System-assigned managed identities

{% code overflow="wrap" %}

```zsh
az login --identity
```

{% endcode %}

* User-assigned managed identities (any one of these options works)

{% code overflow="wrap" %}

```zsh
az login --identity --client-id <client_id>
az login --identity --object-id <object_id>
az login --identity --resource-id <resource_id>
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Identity Enumeration

### Whoami

* Look up the current authenticated identity (`az account show` prints the active subscription and account; `az ad signed-in-user show` only works for a user login, not a service principal or managed identity)

{% code overflow="wrap" %}

```zsh
az account show
```

{% endcode %}

{% code overflow="wrap" %}

```zsh
az ad signed-in-user show
```

{% endcode %}

* Look up a specific service principal by its ID

{% code overflow="wrap" %}

```zsh
az ad sp show --id <user-name-xxxx-xxxx-xxxxxxxxxxxx>
```

{% endcode %}

### View Azure Role Assignments and Permissions

{% hint style="info" %}
Users, Service Principals, Workload Identities, and Managed Identities can have Azure RBAC permissions assigned directly
{% endhint %}

* Get `assignee` from `az login ... | jq -r '.[].user.name'`

{% code overflow="wrap" %}

```zsh
az role assignment list --assignee $az_user --all --include-inherited | jq -r '.[].roleDefinitionName' | while read rolename; do az role definition list --name "$rolename" | jq -r '.[]'; done
```

{% endcode %}

### View Azure Role Assignments and Permissions (Group)

{% hint style="info" %}
Users and Service Principals can have Azure RBAC permissions assigned via Group membership
{% endhint %}

#### View Entra ID Group Membership Info

* Get all groups a user is a member of (the `--query` keeps only the group names; drop it to see the full objects with group ids and more)

{% code overflow="wrap" %}

```zsh
az rest --method GET --url "https://graph.microsoft.com/v1.0/users/<user-email>/memberOf" --query "value[].displayName" -o table
```

{% endcode %}

* Get the group id for a group name (also in the output of previous command)

{% code overflow="wrap" %}

```zsh
az ad group show --group <group-name> --query id
```

{% endcode %}

#### View Azure Roles Assigned to Group

* Get the role definition id(s) for roles assigned to the group

{% code overflow="wrap" %}

```zsh
az role assignment list --assignee <group-id> --all --include-inherited
```

{% endcode %}

#### View Azure Role's Permissions

* Get the Azure RBAC permissions (`actions`, `notActions`, `dataActions`, `notDataActions`) granted by the role

{% code overflow="wrap" %}

```zsh
az role definition show --id "<role-definition-id>"
```

{% endcode %}
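Post-processing the output of the role commands above, as an added example that is not part of the cheat sheet: it takes the JSON that `az role definition list`/`show` returns, resolves which operations a role actually grants once `notActions`/`notDataActions` are subtracted, and lists roles that carry wildcards so you can review those assignments first. The two role definitions embedded below are constructed sample input shaped like the real output; the hypothetical function names are mine.

```python
import fnmatch
import json

# Constructed sample shaped like `az role definition list` output
# (the real command returns many more fields; only these matter here)
SAMPLE_ROLE_DEFS = json.dumps([
    {"roleName": "Contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/elevateAccess/Action"],
                      "dataActions": [], "notDataActions": []}]},
    {"roleName": "Storage Blob Data Reader",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                      "notActions": [],
                      "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
                      "notDataActions": []}]},
])

def matches(operation, patterns):
    """Azure RBAC pattern match: case-insensitive, and '*' spans '/' segments."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def role_grants(role_defs_json, role_name, operation, data_plane=False):
    """True if the named role grants `operation`: some (data)action pattern
    matches it and no not(Data)Action pattern matches it."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    for role in json.loads(role_defs_json):
        if role["roleName"].lower() != role_name.lower():
            continue
        for perm in role["permissions"]:
            if matches(operation, perm[allow]) and not matches(operation, perm[deny]):
                return True
    return False  # unknown role, or every matching grant is cancelled by a notAction

def wildcard_roles(role_defs_json):
    """Roles whose control- or data-plane grants contain a wildcard; these are
    the assignments to review first when looking for over-privilege."""
    found = []
    for role in json.loads(role_defs_json):
        grants = [a for p in role["permissions"] for a in p["actions"] + p["dataActions"]]
        if any("*" in a for a in grants):
            found.append(role["roleName"])
    return found

if __name__ == "__main__":
    print("roles with wildcard grants:", wildcard_roles(SAMPLE_ROLE_DEFS))
    print("Contributor can write role assignments:",
          role_grants(SAMPLE_ROLE_DEFS, "Contributor", "Microsoft.Authorization/roleAssignments/write"))
```

To run it against a real tenant, replace `SAMPLE_ROLE_DEFS` with the text captured from `az role definition list --name "<role>"` for each role returned by the assignment commands above.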

***

## Compute

### Virtual Machines

#### List VM Extensions

{% code overflow="wrap" %}

```zsh
az vm extension image list
```

{% endcode %}

***

## Security

### Key Vault

#### List Key Vaults

{% code overflow="wrap" %}

```zsh
az keyvault list
```

{% endcode %}

#### List Secrets in Key Vault

{% tabs %}
{% tab title="AZ CLI" %}
{% code overflow="wrap" %}

```zsh
az keyvault secret list --vault-name <key-vault-name>
```

{% endcode %}
{% endtab %}

{% tab title="CURL" %}
* `$KV_TOKEN` must be an access token issued for the Key Vault resource (`https://vault.azure.net`); a token issued for Azure Resource Manager is rejected with 401

{% code overflow="wrap" %}

```zsh
curl -s -H "Authorization: Bearer $KV_TOKEN" "https://<key-vault-name>.vault.azure.net/secrets?api-version=7.4"
```

{% endcode %}
{% endtab %}
{% endtabs %}

#### Retrieve Secrets from Key Vault

{% tabs %}
{% tab title="AZ CLI" %}
{% code overflow="wrap" %}

```zsh
az keyvault secret show --vault-name <key-vault-name> --name <secret-name>
```

{% endcode %}
{% endtab %}

{% tab title="CURL" %}
{% code overflow="wrap" %}

```zsh
curl -s -H "Authorization: Bearer $KV_TOKEN" "https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/?api-version=7.4"
```

{% endcode %}
{% endtab %}
{% endtabs %}

***

## Storage

### Storage Account

#### Enumerate Storage Account Access Keys

{% code overflow="wrap" %}

```zsh
az storage account keys list --account-name <storage-account-name>
```

{% endcode %}

#### Enumerate Storage Accounts

{% code overflow="wrap" %}

```zsh
az storage account list
az storage account list --resource-group <rg-name>
```

{% endcode %}

### Storage Containers

#### List Storage Containers

* Get `account-name` from `az storage account list | jq -r '.[].name'`

{% code overflow="wrap" %}

```zsh
az storage container list --account-name <storage-acct-name>
az storage container list --account-name <storage-acct-name> --include-deleted
```

{% endcode %}

#### Restore Deleted Storage Container

{% code overflow="wrap" %}

```zsh
az storage container restore --account-name <storage-acct-name> --name <container-name> --deleted-version <deleted-container-version>
```

{% endcode %}

#### Check if Versioning is Enabled on Container

* Like S3 object versioning in AWS, Azure Blob Storage supports blob versioning; `isVersioningEnabled` in the output shows whether it is turned on for the account

{% code overflow="wrap" %}

```zsh
az storage account blob-service-properties show \
    --account-name <storage-acct-name> \
    --resource-group <rg-name>

{% endcode %}

### Blobs (files)

#### View Blobs in Container

* Get `container-name` from `az storage container list ... | jq -r '.[].name'`

{% code overflow="wrap" %}

```zsh
az storage blob list --account-name <storage-acct-name> --container-name <container-name> --output table
```

{% endcode %}

#### Check Available Blob Versions

* `--include v` shows versions of the blobs

{% code overflow="wrap" %}

```zsh
az storage blob list \
    --account-name <storage-acct-name> \
    --container-name <container-name> \
    --include v
```

{% endcode %}

#### Stream Blob Content

* Print the blob's contents to stdout instead of writing a local file (omit `--file`)

{% code overflow="wrap" %}

```zsh
az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download>
```

{% endcode %}

* Get `version-id` from checking the [blob versions](#check-available-blob-versions)

{% code overflow="wrap" %}

```zsh
az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --version-id <blob-version>
```

{% endcode %}

#### Download Blobs

* Writes the blob to the local path given by `--file`

{% code overflow="wrap" %}

```zsh
az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination>
```

{% endcode %}

* Get `version-id` from checking the [blob versions](#check-available-blob-versions)

{% code overflow="wrap" %}

```zsh
az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination> --version-id <blob-version>
```

{% endcode %}

### Tables

#### List Storage Tables

{% code overflow="wrap" %}

```zsh
az storage table list --account-name <storage-account-name> --auth-mode login
```

{% endcode %}

#### Query Storage Entities

* Entities are the rows stored within a Storage Table

{% code overflow="wrap" %}

```zsh
az storage entity query --account-name <storage-account-name> --table-name <table-name> --auth-mode login
```

{% endcode %}

