# Azure CLI Cheat Sheet

{% embed url="https://learn.microsoft.com/en-us/cli/azure/reference-docs-index?view=azure-cli-latest" %}

## Authentication

### Login

{% tabs %}
{% tab title="Interactive Login" %}
{% code overflow="wrap" %}

```zsh
az login ## complete auth in web browser
az login --use-device-code ## if no web browser available
```

{% endcode %}
{% endtab %}

{% tab title="Service Principal" %}

* With App ID and client secret

{% code overflow="wrap" %}

```zsh
az login --service-principal --username <app-id> --password <password> --tenant <tenant>

## avoid displaying the password (and keeping it out of shell history)
read -sp "Azure password: " AZ_PASS && echo && az login --service-principal --username <app-id> --password "$AZ_PASS" --tenant <tenant>
```

{% endcode %}

* With App ID and certificate

{% code overflow="wrap" %}

```zsh
az login --service-principal --username <user-name> --certificate /path/to/cert.pem --tenant <tenant>
```

{% endcode %}
{% endtab %}

{% tab title="Managed Identity" %}

* System-assigned managed identity

{% code overflow="wrap" %}

```zsh
az login --identity
```

{% endcode %}

* User-assigned managed identities (any of the three options works)

{% code overflow="wrap" %}

```zsh
az login --identity --client-id <client_id>
az login --identity --object-id <object_id>
az login --identity --resource-id <resource_id>
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Identity Enumeration

### Whoami

* Look up current authenticated identity

{% code overflow="wrap" %}

```zsh
az account show
```

{% endcode %}

{% code overflow="wrap" %}

```zsh
az ad signed-in-user show
```

{% endcode %}

* Look up a specific service principal by app ID or object ID

{% code overflow="wrap" %}

```zsh
az ad sp show --id <user-name-xxxx-xxxx-xxxxxxxxxxxx>
```

{% endcode %}

### View Azure Role Assignments and Permissions

{% hint style="info" %}
Users, Service Principals, Workload Identities, and Managed Identities can have Azure RBAC permissions assigned directly
{% endhint %}

* Set `az_user` to the assignee, e.g. from `az login ... | jq -r '.[].user.name'`; the loop below prints the full definition of every role assigned to it

{% code overflow="wrap" %}

```zsh
az role assignment list --assignee $az_user --all --include-inherited | jq -r '.[].roleDefinitionName' | while read rolename; do az role definition list --name "$rolename" | jq -r '.[]'; done
```

{% endcode %}

### View Azure Role Assignments and Permissions (Group)

{% hint style="info" %}
Users and Service Principals can have Azure RBAC permissions assigned via Group membership
{% endhint %}

#### View Entra ID Group Membership Info

* Get all groups a user is a member of; `--query` keeps only the display names, drop it to also see group ids and the other fields

{% code overflow="wrap" %}

```zsh
az rest --method GET --url "https://graph.microsoft.com/v1.0/users/<user-email>/memberOf" --query "value[].displayName" -o table
```

{% endcode %}

* Get the group id for a group name (also in the output of previous command)

{% code overflow="wrap" %}

```zsh
az ad group show --group <group-name> --query id
```

{% endcode %}

#### View Azure Roles Assigned to Group

* Get the role definition id(s) for roles assigned to the group

{% code overflow="wrap" %}

```zsh
az role assignment list --assignee <group-id> --all --include-inherited
```

{% endcode %}

#### View Azure Role's Permissions

* Get the Azure RBAC permissions assigned to the role

{% code overflow="wrap" %}

```zsh
az role definition show --id "<role-definition-id>"
```

{% endcode %}
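The sections above collect three pieces of JSON: role assignments for the principal or its groups, and the definition of each assigned role. Deciding what a principal can actually do means applying Azure's rule that an operation is permitted when it matches an `actions` (or `dataActions`) pattern of an assigned role, is not matched by that role's `notActions` (or `notDataActions`), and the assignment scope contains the target resource. The following is an added example, not part of the original cheat sheet, that implements this evaluation over the JSON shape emitted by `az role assignment list` and `az role definition list`; the two sample documents are constructed for the example (role names and the operation strings are real Azure values, the scopes are placeholders).

```python
"""Evaluate effective Azure RBAC permissions from `az` CLI JSON output.

Added example. Input shapes follow `az role definition list`
(roleName, permissions[].actions / notActions / dataActions / notDataActions)
and `az role assignment list --all` (roleDefinitionName, scope).
"""
import fnmatch
import json

# Constructed sample: the relevant subset of `az role definition list` output
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "Reader",
   "permissions": [{"actions": ["*/read"], "notActions": [],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Contributor",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Key Vault Secrets User",
   "permissions": [{"actions": [], "notActions": [],
                    "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
                    "notDataActions": []}]}
]
""")

# Constructed sample: the relevant subset of `az role assignment list --all` output
KV_SCOPE = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<kv>"
SAMPLE_ASSIGNMENTS = json.loads(json.dumps([
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/<sub-id>"},
    {"roleDefinitionName": "Key Vault Secrets User", "scope": KV_SCOPE},
]))


def _matches(operation, patterns):
    """Azure operation matching: case-insensitive, `*` matches any characters."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role_def, operation, data_action=False):
    """True if the role grants `operation` (control plane by default, data plane if data_action)."""
    allow_key, deny_key = ("dataActions", "notDataActions") if data_action else ("actions", "notActions")
    allowed = [p for perm in role_def["permissions"] for p in perm.get(allow_key, [])]
    denied = [p for perm in role_def["permissions"] for p in perm.get(deny_key, [])]
    return _matches(operation, allowed) and not _matches(operation, denied)


def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its scope and everything beneath it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def effective_allowed(assignments, role_defs, operation, resource_scope, data_action=False):
    """Names of assigned roles that grant `operation` on `resource_scope`; empty means denied."""
    defs = {d["roleName"]: d for d in role_defs}
    granting = []
    for assignment in assignments:
        if not scope_covers(assignment["scope"], resource_scope):
            continue
        role = defs.get(assignment["roleDefinitionName"])
        if role and role_allows(role, operation, data_action):
            granting.append(role["roleName"])
    return granting


if __name__ == "__main__":
    # Can this principal read secret values from the vault? (data-plane operation)
    print(effective_allowed(SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_DEFINITIONS,
                            "Microsoft.KeyVault/vaults/secrets/getSecret/action",
                            KV_SCOPE, data_action=True))
    # Can it list storage account keys? (Reader's */read does not cover listKeys/action)
    print(effective_allowed(SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_DEFINITIONS,
                            "Microsoft.Storage/storageAccounts/listKeys/action",
                            "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<sa>"))
```

To use it on real output, feed the files written by `az role definition list > defs.json` and `az role assignment list --assignee <id> --all --include-inherited > assignments.json` into `json.load` in place of the constructed samples; group-inherited assignments have to be fetched per group (previous section) and appended, since the CLI lists direct assignments only.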

***

## Compute

### Virtual Machines

#### List Available VM Extension Images

{% code overflow="wrap" %}

```zsh
az vm extension image list
```

{% endcode %}

***

## Security

### Key Vault

#### List Key Vault

{% code overflow="wrap" %}

```zsh
az keyvault list
```

{% endcode %}

#### List Secrets in Key Vault

{% tabs %}
{% tab title="AZ CLI" %}
{% code overflow="wrap" %}

```zsh
az keyvault secret list --vault-name <key-vault-name>
```

{% endcode %}
{% endtab %}

{% tab title="CURL" %}
{% code overflow="wrap" %}

```zsh
## KV_TOKEN: an access token for the Key Vault data plane (not the ARM token az uses by default)
KV_TOKEN=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv)
curl -s -H "Authorization: Bearer $KV_TOKEN" "https://<key-vault-name>.vault.azure.net/secrets?api-version=7.4"
```

{% endcode %}
{% endtab %}
{% endtabs %}
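The CURL tab above returns one page of secret metadata (ids and attributes, never the values) together with a `nextLink` when more pages exist, so a vault inventory must follow the links. The following is an added example, not part of the original cheat sheet, that walks all pages through an injectable `fetch_json(url)` callable and flags enabled secrets with no expiry or an expiry already in the past. The `http_fetch_json` helper is the real-use variant and assumes `KV_TOKEN` was obtained as in the CURL tab; the two sample pages are constructed, including the `$skiptoken` value in the constructed `nextLink`.

```python
"""Inventory Key Vault secrets over the REST list endpoint, following nextLink.

Added example. Response shape: {"value": [{"id": ..., "attributes": {...}}], "nextLink": ...}
where attributes carry `enabled` and optional Unix-time `exp`.
"""
import json
import urllib.request
from datetime import datetime, timezone

KV_API_VERSION = "7.4"


def list_secrets_url(vault_name):
    return f"https://{vault_name}.vault.azure.net/secrets?api-version={KV_API_VERSION}"


def http_fetch_json(token):
    """Real-use fetcher: sends the bearer token from the CURL tab (assumed to be in `token`)."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_secrets(vault_name, fetch_json):
    """Yield every secret entry, following nextLink until it is absent or null."""
    url = list_secrets_url(vault_name)
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def audit_secrets(vault_name, fetch_json, now=None):
    """Return (secret-name, reason) for enabled secrets without expiry or already expired."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for item in iter_secrets(vault_name, fetch_json):
        name = item["id"].rstrip("/").rsplit("/", 1)[-1]  # id is https://<vault>/secrets/<name>
        attrs = item.get("attributes", {})
        if not attrs.get("enabled", True):
            continue  # disabled secrets cannot be retrieved; skip
        exp = attrs.get("exp")
        if exp is None:
            findings.append((name, "no expiry set"))
        elif datetime.fromtimestamp(exp, timezone.utc) < now:
            findings.append((name, "expired"))
    return findings


# Constructed sample pages in the REST response shape (two pages linked by nextLink)
_PAGE1 = "https://example-kv.vault.azure.net/secrets?api-version=7.4"
_PAGE2 = "https://example-kv.vault.azure.net/secrets?api-version=7.4&$skiptoken=constructed"
SAMPLE_PAGES = {
    _PAGE1: {
        "value": [
            {"id": "https://example-kv.vault.azure.net/secrets/db-password",
             "attributes": {"enabled": True, "created": 1700000000, "updated": 1700000000}},
            {"id": "https://example-kv.vault.azure.net/secrets/api-key",
             "attributes": {"enabled": True, "exp": 1900000000}},
        ],
        "nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"id": "https://example-kv.vault.azure.net/secrets/old-token",
             "attributes": {"enabled": True, "exp": 1600000000}},
            {"id": "https://example-kv.vault.azure.net/secrets/retired",
             "attributes": {"enabled": False}},
        ],
        "nextLink": None,
    },
}


def sample_fetch(url):
    """Offline fetcher serving the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for name, reason in audit_secrets("example-kv", sample_fetch):
        print(f"{name}: {reason}")
```

Against a real vault, call `audit_secrets("<key-vault-name>", http_fetch_json(token))`; listing needs only the `Microsoft.KeyVault/vaults/secrets/readMetadata/action` data permission, so the audit can run under a read-only identity.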

#### Retrieve Secrets from Key Vault

{% tabs %}
{% tab title="AZ CLI" %}
{% code overflow="wrap" %}

```zsh
az keyvault secret show --vault-name <key-vault-name> --name <secret-name>
```

{% endcode %}
{% endtab %}

{% tab title="CURL" %}
{% code overflow="wrap" %}

```zsh
curl -s -H "Authorization: Bearer $KV_TOKEN" "https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/?api-version=7.4"
```

{% endcode %}
{% endtab %}
{% endtabs %}

***

## Storage

### Storage Account

#### Enumerate Storage Account Access Keys

{% code overflow="wrap" %}

```zsh
az storage account keys list --account-name <storage-account-name>
```

{% endcode %}

#### Enumerate Storage Accounts

{% code overflow="wrap" %}

```zsh
az storage account list
az storage account list --resource-group <rg-name>
```

{% endcode %}

### Storage Containers

#### List Storage Containers

* Get `account-name` from `az storage account list | jq -r '.[].name'`

{% code overflow="wrap" %}

```zsh
az storage container list --account-name <storage-acct-name>
az storage container list --account-name <storage-acct-name> --include-deleted 
```

{% endcode %}

#### Restore Deleted Storage Container

{% code overflow="wrap" %}

```zsh
az storage container restore --account-name <storage-acct-name> --name <container-name> --deleted-version <deleted-container-version>
```

{% endcode %}

#### Check if Blob Versioning is Enabled on the Storage Account

* Like AWS S3 objects, Azure supports versioning of data too; it is configured per storage account in the blob service properties

{% code overflow="wrap" %}

```zsh
## look for "isVersioningEnabled": true in the output
az storage account blob-service-properties show \
    --account-name <storage-acct-name> \
    --resource-group <rg-name>

{% endcode %}

### Blobs (files)

#### View Blobs in Container

* Get `container-name` from `az storage container list ... | jq -r '.[].name'`

{% code overflow="wrap" %}

```zsh
az storage blob list --account-name <storage-acct-name> --container-name <container-name> --output table
```

{% endcode %}

#### Check Available Blob Versions

* `--include v` shows versions of the blobs

{% code overflow="wrap" %}

```zsh
az storage blob list \
    --account-name <storage-acct-name> \
    --container-name <container-name> \
    --include v
```

{% endcode %}

#### Stream Blob Content

* Print the file contents to stdout instead of saving the file (no `--file` argument)

{% code overflow="wrap" %}

```zsh
az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download>
```

{% endcode %}

* Get `version-id` from checking the [blob versions](#check-available-blob-versions)

{% code overflow="wrap" %}

```zsh
az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --version-id <blob-version>
```

{% endcode %}

#### Download Blobs

* Downloads the file to the destination

{% code overflow="wrap" %}

```zsh
az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination>
```

{% endcode %}

* Get `version-id` from checking the [blob versions](#check-available-blob-versions)

{% code overflow="wrap" %}

```zsh
az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination> --version-id <blob-version>
```

{% endcode %}

### Tables

#### List Storage Tables

{% code overflow="wrap" %}

```zsh
az storage table list --account-name <storage-account-name> --auth-mode login
```

{% endcode %}

#### Query Storage Entities

* These exist within a Storage Table

{% code overflow="wrap" %}

```zsh
az storage entity query --account-name <storage-account-name> --table-name <table-name> --auth-mode login
```

{% endcode %}
