Azure CLI Cheat Sheet

Quick reference for commonly used commands

Azure CLI reference command article listMicrosoftLearn

Authentication

With App ID and client secret

az login --service-principal --username <user-name-xxxx-xxxx-xxxxxxxxxxxx> --password <password> --tenant <tenant>

## avoid displaying password 
read -sp "Azure password: " AZ_PASS && echo && az login --service-principal --username <app-id> --password $AZ_PASS --tenant <tenant>

With App ID and certificate

az login --service-principal --username <user-name> --certificate /path/to/cert.pem --tenant <tenant>

System-managed identities

az login --identity

User-managed identities (any option works)

az login --identity --client-id <client_id>
az login --identity --object-id <object_id>
az login --identity --resource-id <resource_id>

Identity Enumeration

Whoami

Look up current authenticated identity

az account show

az ad signed-in-user show

Look up a specific identity

az ad sp show --id <user-name-xxxx-xxxx-xxxxxxxxxxxx>

View Azure Role Assignments and Permissions

Users, Service Principals, Workload Identities, and Managed Identities can have Azure RBAC permissions assigned directly

Get assignee from az login ... | jq -r '.[].user.name

az role assignment list --assignee $az_user --all --include-inherited | jq -r '.[].roleDefinitionName' | while read rolename; do az role definition list --name "$rolename" | jq -r '.[]'; done

View Azure Role Assignments and Permissions (Group)

Users and Service Principals can have Azure RBAC permissions assigned via Group membership

View Entra ID Group Membership Info

Get all groups a user is a member of, returns group name(s), group ids, and more

az rest --method GET --url "https://graph.microsoft.com/v1.0/users/<user-email>/memberOf" --query "value[].displayName" -o table

Get the group id for a group name (also in the output of previous command)

az ad group show --group <group-name> --query id

View Azure Roles Assigned to Group

Get the role definition id(s) for roles assigned to the group

az role assignment list --assignee <group-id> --all --include-inherited

View Azure Role's Permissions

Get the Azure RBAC permissions assigned to the role

az role definition show --id "<role-definition-id"

Compute

Virtual Machines

List VM Extensions

az vm extension image list

Security

Key Vault

List Key Vault

az keyvault list

List Secrets in Key Vault

az keyvault secret list --vault-name <key-vault-name>

Retrieve Secrets from Key Vault

az keyvault secret show --vault-name <key-vault-name> --name <secret-name>

Storage

Storage Account

Enumerate Storage Account Access Keys

az storage account keys list --account-name <storage-account-name>

Enumerate Storage Accounts

az storage account list
az storage account list --resource-group <rg-name>

Storage Containers

List Storage Containers

Get account-name from az storage account list | jq -r '.[].name'

az storage container list --account-name <storage-acct-name>
az storage container list --account-name <storage-acct-name> --include-deleted

Restore Deleted Storage Container

az storage container restore --account-name <storage-acct-name> --name <container-name> --deleted-version <deleted-container-version>

Check if Versioning is Enabled on Container

Like AWS S3 objects, Azure supports versioning of data too

az storage account blob-service-properties show \
    --account-name <storage-acct-name> \
    --resource-group <rg-name> \

Blobs (files)

View Blobs in Container

Get container-name from az storage container list... jq -r '.[].name'

az storage blob list --account-name <storage-acct-name> --container-name <container-name> --output table

Check Available Blob Versions

--include v shows versions of the blobs

az storage blob list \
    --account-name <storage-acct-name> \
    --container-name <container-name> \
    --include v

Stream Blob Content

View file contents without downloading the file

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download>

Get version-id from checking the blob versions

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --version-id <blob-version>

Download Blobs

Downloads the file to the destination

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination>

Get version-id from checking the blob versions

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination> --version-id <blob-version>

Tables

List Storage Tables

az storage table list --account-name <storage-account-name> --auth-mode login

Query Storage Entities

These exist within a Storage Table

az storage entity query --account-name <storage-account-name> --table-name <table-name> --auth-mode login

PreviousAzure NextAzure Overview

Last updated 5 days ago

Was this helpful?