From 9a04d1bb85b38be224b8db8aac60a60149196719 Mon Sep 17 00:00:00 2001
From: Michele Cereda <cereda.michele@gmail.com>
Date: Mon, 5 Sep 2022 12:15:26 +0200
Subject: [PATCH] Added examples to the Azure CLI's KB

---
 knowledge base/az.md | 193 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 169 insertions(+), 24 deletions(-)

diff --git a/knowledge base/az.md b/knowledge base/az.md
index 2aa025b..724c592 100644
--- a/knowledge base/az.md	
+++ b/knowledge base/az.md	
@@ -3,48 +3,193 @@
 ## TL;DR
 
 ```sh
-# login
-az login
+# Install the CLI.
+brew install azure-cli
+asdf plugin add azure-cli && asdf install azure-cli 2.37.0
 
-# check a user's permissions
+# Login to Azure.
+az login
+az login -u username -p password
+az login --service-principal -u app_id -p password_or_certificate --tenant tenant_id
+az login --identity --username client_id   # or object_id or resource_id
+
+# Gather information on the current user.
+az ad signed-in-user show
+az ad signed-in-user list-owned-objects
+
+# Gather information on another user.
+az ad user show --id user@email.org
+
+# Check a User's permissions.
 az ad user get-member-groups --id user@email.org
 
-# list available subscriptions
+# List Subscriptions available to the current User.
 az account list --refresh --output table
 
-# set a default subscription
-az account set --subscription subscription-uuid
+# Get the current User's default Subscription's ID.
+az account show --query id --output tsv
 
-# set a default resource group
-az configure --defaults group=resource-group
+# Get the current User's default Subscription.
+az account set --subscription subscription_uuid
 
-# get credentials for an aks cluster
-az aks get-credentials --resource-group resource-group --name cluster-name --overwrite-existing
+# Set the current User's default Resource Group.
+az configure --defaults group=resource_group_name
 
-# diagnose container registry connectivity issues
-# will run a hello-world image locally
-az acr check-health --name acr-name
+# Get the ID of a Service Principal.
+az ad sp list --display-name service_principal_name --query '[0].id' -o tsv
 
-# list helm charts in an acr
-az acr helm list -n acr-name -s acr-subscription
+# List available Locations.
+az account list-locations -o table
 
-# push a helm chart to an acr
-az acr helm push -n acr-name chart.tgz --force
+# Get a Resource Group's ID.
+az group show resource_group_name
 
-# disable connection verification
-# for proxies with doubtful certificates
+# Create an Access Token for the current User.
+az account get-access-token
+
+# Get a password from a KeyVault.
+az keyvault secret show --query value \
+  --name secret_name --vault-name key_vault_name
+
+# List LogAnalytics' Workspaces.
+az monitor log-analytics workspace list \
+  --resource-group resource_group_name \
+| jq -r '.[].name' -
+
+# Login to Azure DevOps with a PAT.
+az devops login --organization https://dev.azure.com/org_name
+
+# Get the status of an Azure DevOps Pipeline.
+# Give the '--organization' parameter, or use '--detect true' if running the
+# command from a git repository to have it guessed automatically.
+az pipelines build show --detect true -o tsv \
+  --project project_name --id pipeline_id --query result
+
+# Validate a bicep template to create a Deployment Group.
+az deployment group validate \
+  -n deployment_group_name -g resource_group_name \
+  -f template.bicep -p parameter1="value" parameter2="value"
+
+# Check what a bicep template would do.
+az deployment group what-if \
+  -n deployment_group_name -g resource_group_name \
+  -f template.bicep -p parameter1="value" parameter2="value"
+
+# Create a Deployment Group from a template.
+az deployment group create \
+  -n deployment_group_name -g resource_group_name \
+  -f template.bicep -p parameter1="value" parameter2="value"
+
+# Cancel the current operation on a Deployment Group.
+az deployment group cancel \
+  -n deployment_group_name -g resource_group_name
+
+# Delete a Deployment Group.
+az deployment group delete \
+  -n deployment_group_name -g resource_group_name
+
+# Login to an ACR.
+az acr login --name acr_name
+
+# Diagnose container registry connectivity issues.
+# Requires Docker being running.
+# Will run a hello-world image locally.
+az acr check-health -n acr_name -s subscription_uuid
+
+# List helm charts in an ACR.
+az acr helm list -n acr_name -s subscription_uuid
+
+# Get the 5 latest versions of a helm chart in an ACR.
+az acr helm list -n acr_name -s subscription_uuid --output json \
+| jq \
+    --arg CHART_REGEXP "kured" \
+    'to_entries | map(select(.key|test($CHART_REGEXP)))[].value[] | { version: .version, created: .created }' - \
+| yq -sy 'sort_by(.created) | reverse | .[0:5]' -
+
+# Push a helm chart to an ACR.
+az acr helm push -n acr_name chart.tgz --force
+
+# Get credentials for an AKS cluster.
+az aks get-credentials --overwrite-existing \
+  --resource-group resource_group_name --name cluster_name
+
+# Check if the current User is member of a given Group.
+az rest -u https://graph.microsoft.com/v1.0/me/checkMemberObjects \
+  -m post -b '{"ids":["group_id"]}'
+
+# Check if a Service Principal is member of a given Group.
+az rest -u 'https://graph.microsoft.com/v1.0/servicePrincipals/service_principal_id/checkMemberObjects' \
+  -m post -b '{"ids":["group_id"]}'
+
+# Query the Graph APIs for a specific Member in a Group.
+az rest -m get \
+  -u 'https://graph.microsoft.com/beta/groups/group_id/members?$search="displayName:group_display_name"&$select=displayName' \
+  --headers consistencylevel=eventual
+
+# Remove a Member from an AAD Group.
+# If '/$ref' is missing from the request, the user will be **deleted from AAD**
+# if the appropriate permissions are used, otherwise a '403 Forbidden' error is
+# returned.
+az rest -m delete \
+  -u 'https://graph.microsoft.com/beta/groups/group_id/members/member_id/$ref'
+
+# List the PATs of a User.
+# 'displayFilterOptions' are 'active' (default), 'all', 'expired' or 'revoked'.
+# If more then 20, results are paged and a 'continuationToken' will be returned.
+az rest -m get \
+  --headers Authorization='Bearer ey…pw' \
+  -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1'
+az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1&displayFilterOption=revoked&isSortAscending=false'
+az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \
+  --url-parameters api-version=7.1-preview.1 displayFilterOption=expired continuationToken='Hr…in='
+
+# Extend a PAT.
+# Works with expired PATs too.
+az rest \
+  -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' \
+  -m put \
+  --headers \
+    Authorization='Bearer ey…pw' \
+    Content-Type='application/json' \
+  -b '{
+	  "authorizationId": "01234567-abcd-0987-fedc-0123456789ab",
+	  "validTo": "2021-12-31T23:46:23.319Z"
+    }'
+az rest … -b @file.json
+
+# Disable certificates check upon connection.
+# Use it for proxies with doubtful certificates.
 export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
 ```
 
+## APIs
+
+One can directly call the APIs with the `rest` command:
+
+```sh
+az rest -u https://graph.microsoft.com/v1.0/me/checkMemberObjects \
+  -m post -b "{\"ids\": [\"${GROUP_ID}\"]}"
+az rest -m delete \
+  -u "https://graph.microsoft.com/beta/groups/${GROUP_id}/members/${MEMBER_ID}/\$ref"
+```
+
+## Further readings
+
+- [Pat token APIs]
+
 ## Sources
 
 - [Install Azure CLI on macOS]
 - [Get started with Azure CLI]
 - [Sign in with Azure CLI]
 - [How to manage Azure subscriptions with the Azure CLI]
+- [Authenticate with an Azure container registry]
+- [Remove a member]
 
-
-[Get started with Azure CLI]: https://docs.microsoft.com/en-us/cli/azure/get-started-with-azure-cli
-[How to manage Azure subscriptions with the Azure CLI]: https://docs.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli
-[Install Azure CLI on macOS]: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos
-[Sign in with Azure CLI]: https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli
+[authenticate with an azure container registry]: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
+[get started with azure cli]: https://docs.microsoft.com/en-us/cli/azure/get-started-with-azure-cli
+[how to manage azure subscriptions with the azure cli]: https://docs.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli
+[install azure cli on macos]: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos
+[pat token apis]: https://docs.microsoft.com/en-us/rest/api/azure/devops/tokens/pats/list?view=azure-devops-rest-7.1
+[remove a member]: https://docs.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0&tabs=http
+[sign in with azure cli]: https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli