Azure CLI Cheat Sheet

Quick reference for commonly used commands

Azure CLI reference command article listMicrosoftLearn

Authentication

With App ID and client secret

az login --service-principal --username <user-name-xxxx-xxxx-xxxxxxxxxxxx> --password <password> --tenant <tenant>

## avoid displaying password 
read -sp "Azure password: " AZ_PASS && echo && az login --service-principal --username <app-id> --password $AZ_PASS --tenant <tenant>

With App ID and certificate

az login --service-principal --username <user-name> --certificate /path/to/cert.pem --tenant <tenant>

System-managed identities

az login --identity

User-managed identities (any option works)

az login --identity --client-id <client_id>
az login --identity --object-id <object_id>
az login --identity --resource-id <resource_id>

Identity Enumeration

Whoami

Look up current authenticated identity

az account show

az ad signed-in-user show

Look up a specific identity

az ad sp show --id <user-name-xxxx-xxxx-xxxxxxxxxxxx>

View Azure Role Assignments and Permissions

Users, Service Principals, Workload Identities, and Managed Identities can have Azure RBAC permissions assigned directly

Get assignee from az login ... | jq -r '.[].user.name

az role assignment list --assignee $az_user --all --include-inherited | jq -r '.[].roleDefinitionName' | while read rolename; do az role definition list --name "$rolename" | jq -r '.[]'; done

View Azure Role Assignments and Permissions (Group)

Users and Service Principals can have Azure RBAC permissions assigned via Group membership

View Entra ID Group Membership Info

Get all groups a user is a member of, returns group name(s), group ids, and more

az rest --method GET --url "https://graph.microsoft.com/v1.0/users/<user-email>/memberOf" --query "value[].displayName" -o table

Get the group id for a group name (also in the output of previous command)

az ad group show --group <group-name> --query id

View Azure Roles Assigned to Group

Get the role definition id(s) for roles assigned to the group

az role assignment list --assignee <group-id> --all --include-inherited

View Azure Role's Permissions

Get the Azure RBAC permissions assigned to the role

az role definition show --id "<role-definition-id"

Compute

Virtual Machines

List VM Extensions

az vm extension image list

Security

Key Vault

List Key Vault

az keyvault list

List Secrets in Key Vault

az keyvault secret list --vault-name <key-vault-name>

Retrieve Secrets from Key Vault

az keyvault secret show --vault-name <key-vault-name> --name <secret-name>

Storage

Storage Account

Enumerate Storage Account Access Keys

az storage account keys list --account-name <storage-account-name>

Enumerate Storage Accounts

az storage account list
az storage account list --resource-group <rg-name>

Storage Containers

List Storage Containers

Get account-name from az storage account list | jq -r '.[].name'

az storage container list --account-name <storage-acct-name>
az storage container list --account-name <storage-acct-name> --include-deleted

Restore Deleted Storage Container

az storage container restore --account-name <storage-acct-name> --name <container-name> --deleted-version <deleted-container-version>

Check if Versioning is Enabled on Container

Like AWS S3 objects, Azure supports versioning of data too

az storage account blob-service-properties show \
    --account-name <storage-acct-name> \
    --resource-group <rg-name> \

Blobs (files)

View Blobs in Container

Get container-name from az storage container list... jq -r '.[].name'

az storage blob list --account-name <storage-acct-name> --container-name <container-name> --output table

Check Available Blob Versions

--include v shows versions of the blobs

az storage blob list \
    --account-name <storage-acct-name> \
    --container-name <container-name> \
    --include v

Stream Blob Content

View file contents without downloading the file

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download>

Get version-id from checking the blob versions

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --version-id <blob-version>

Download Blobs

Downloads the file to the destination

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination>

Get version-id from checking the blob versions

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination> --version-id <blob-version>

Tables

List Storage Tables

az storage table list --account-name <storage-account-name> --auth-mode login

Query Storage Entities

These exist within a Storage Table

az storage entity query --account-name <storage-account-name> --table-name <table-name> --auth-mode login

PreviousAzure NextAzure Overview

Last updated 1 month ago

hashtagAuthentication

hashtagLogin

hashtagIdentity Enumeration

hashtagWhoami

hashtagView Azure Role Assignments and Permissions

hashtagView Azure Role Assignments and Permissions (Group)

hashtagView Entra ID Group Membership Info

hashtagView Azure Roles Assigned to Group

hashtagView Azure Role's Permissions

hashtagCompute

hashtagVirtual Machines

hashtagList VM Extensions

hashtagSecurity

hashtagKey Vault

hashtagList Key Vault

hashtagList Secrets in Key Vault

hashtagRetrieve Secrets from Key Vault

hashtagStorage

hashtagStorage Account

hashtagEnumerate Storage Account Access Keys

hashtagEnumerate Storage Accounts

hashtagStorage Containers

hashtagList Storage Containers

hashtagRestore Deleted Storage Container

hashtagCheck if Versioning is Enabled on Container

hashtagBlobs (files)

hashtagView Blobs in Container

hashtagCheck Available Blob Versions

hashtagStream Blob Content

hashtagDownload Blobs

hashtagTables

hashtagList Storage Tables

hashtagQuery Storage Entities