# Azure CLI ## TL;DR ```sh # Install the CLI. brew install azure-cli asdf plugin add azure-cli && asdf install azure-cli 2.37.0 # Login to Azure. az login az login -u username -p password az login --service-principal -u app_id -p password_or_certificate --tenant tenant_id az login --identity --username client_id # or object_id or resource_id # Gather information on the current user. az ad signed-in-user show az ad signed-in-user list-owned-objects # Gather information on another user. az ad user show --id user@email.org # Check a User's permissions. az ad user get-member-groups --id user@email.org # List Subscriptions available to the current User. az account list --refresh --output table # Get the current User's default Subscription's ID. az account show --query id --output tsv # Get the current User's default Subscription. az account set --subscription subscription_uuid # Set the current User's default Resource Group. az configure --defaults group=resource_group_name # Get the ID of a Service Principal. az ad sp list --display-name service_principal_name --query '[0].id' -o tsv # List available Locations. az account list-locations -o table # Get a Resource Group's ID. az group show resource_group_name # Create an Access Token for the current User. az account get-access-token # Get a password from a KeyVault. az keyvault secret show --query value \ --name secret_name --vault-name key_vault_name # List LogAnalytics' Workspaces. az monitor log-analytics workspace list \ --resource-group resource_group_name \ | jq -r '.[].name' - # Login to Azure DevOps with a PAT. az devops login --organization https://dev.azure.com/org_name # Get the status of an Azure DevOps Pipeline. # Give the '--organization' parameter, or use '--detect true' if running the # command from a git repository to have it guessed automatically. az pipelines build show --detect true -o tsv \ --project project_name --id pipeline_id --query result # Validate a bicep template to create a Deployment Group. az deployment group validate \ -n deployment_group_name -g resource_group_name \ -f template.bicep -p parameter1="value" parameter2="value" # Check what a bicep template would do. az deployment group what-if \ -n deployment_group_name -g resource_group_name \ -f template.bicep -p parameter1="value" parameter2="value" # Create a Deployment Group from a template. az deployment group create \ -n deployment_group_name -g resource_group_name \ -f template.bicep -p parameter1="value" parameter2="value" # Cancel the current operation on a Deployment Group. az deployment group cancel \ -n deployment_group_name -g resource_group_name # Delete a Deployment Group. az deployment group delete \ -n deployment_group_name -g resource_group_name # Login to an ACR. az acr login --name acr_name # Diagnose container registry connectivity issues. # Requires Docker being running. # Will run a hello-world image locally. az acr check-health -n acr_name -s subscription_uuid # List helm charts in an ACR. az acr helm list -n acr_name -s subscription_uuid # Get the 5 latest versions of a helm chart in an ACR. az acr helm list -n acr_name -s subscription_uuid --output json \ | jq \ --arg CHART_REGEXP "kured" \ 'to_entries | map(select(.key|test($CHART_REGEXP)))[].value[] | { version: .version, created: .created }' - \ | yq -sy 'sort_by(.created) | reverse | .[0:5]' - # Push a helm chart to an ACR. az acr helm push -n acr_name chart.tgz --force # Get credentials for an AKS cluster. az aks get-credentials --overwrite-existing \ --resource-group resource_group_name --name cluster_name # Check if the current User is member of a given Group. az rest -u https://graph.microsoft.com/v1.0/me/checkMemberObjects \ -m post -b '{"ids":["group_id"]}' # Check if a Service Principal is member of a given Group. az rest -u 'https://graph.microsoft.com/v1.0/servicePrincipals/service_principal_id/checkMemberObjects' \ -m post -b '{"ids":["group_id"]}' # Query the Graph APIs for a specific Member in a Group. az rest -m get \ -u 'https://graph.microsoft.com/beta/groups/group_id/members?$search="displayName:group_display_name"&$select=displayName' \ --headers consistencylevel=eventual # Remove a Member from an AAD Group. # If '/$ref' is missing from the request, the user will be **deleted from AAD** # if the appropriate permissions are used, otherwise a '403 Forbidden' error is # returned. az rest -m delete \ -u 'https://graph.microsoft.com/beta/groups/group_id/members/member_id/$ref' # List the PATs of a User. # 'displayFilterOptions' are 'active' (default), 'all', 'expired' or 'revoked'. # If more then 20, results are paged and a 'continuationToken' will be returned. az rest -m get \ --headers Authorization='Bearer ey…pw' \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1&displayFilterOption=revoked&isSortAscending=false' az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \ --url-parameters api-version=7.1-preview.1 displayFilterOption=expired continuationToken='Hr…in=' # Extend a PAT. # Works with expired PATs too. az rest \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' \ -m put \ --headers \ Authorization='Bearer ey…pw' \ Content-Type='application/json' \ -b '{ "authorizationId": "01234567-abcd-0987-fedc-0123456789ab", "validTo": "2021-12-31T23:46:23.319Z" }' az rest … -b @file.json # Disable certificates check upon connection. # Use it for proxies with doubtful certificates. export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 ``` ## APIs One can directly call the APIs with the `rest` command: ```sh az rest \ -u https://graph.microsoft.com/v1.0/me/checkMemberObjects \ --headers Authorization='Bearer ey…pw' \ -m post \ -b '{"ids": ["group_id"]}' az rest \ -u "https://graph.microsoft.com/beta/groups/group_id/members/member_id/\$ref" \ -m delete az rest \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' \ -m put \ --headers \ Authorization='Bearer ey…pw' \ Content-Type='application/json' \ -b '{ "authorizationId": "01234567-abcd-0987-fedc-0123456789ab", "validTo": "2021-12-31T23:46:23.319Z" }' ``` ## Further readings - [Pat token APIs] ## Sources - [Install Azure CLI on macOS] - [Get started with Azure CLI] - [Sign in with Azure CLI] - [How to manage Azure subscriptions with the Azure CLI] - [Authenticate with an Azure container registry] - [Remove a member] [authenticate with an azure container registry]: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli [get started with azure cli]: https://docs.microsoft.com/en-us/cli/azure/get-started-with-azure-cli [how to manage azure subscriptions with the azure cli]: https://docs.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli [install azure cli on macos]: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos [pat token apis]: https://docs.microsoft.com/en-us/rest/api/azure/devops/tokens/pats/list?view=azure-devops-rest-7.1 [remove a member]: https://docs.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0&tabs=http [sign in with azure cli]: https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli