# Azure CLI 1. [TL;DR](#tldr) 2. [APIs](#apis) 3. [Further readings](#further-readings) 4. [Sources](#sources) ## TL;DR ```sh # Install the CLI. brew install 'azure-cli' asdf plugin add 'azure-cli' && asdf install 'azure-cli' '2.37.0' # Login to Azure. az login az login -u 'username' -p 'password' az login --service-principal -u 'app_id' -p 'password_or_certificate' --tenant 'tenant_id' az login --identity --username 'client_id__or__object_id__or__resource_id' # Gather information on the current user. az ad signed-in-user show az ad signed-in-user list-owned-objects # Gather information on another user. az ad user show --id 'user@email.org' # Check a User's permissions. az ad user get-member-groups --id 'user@email.org' # Get the ID of a Service Principal from its Display Name. az ad sp list --display-name 'service_principal_name' --query 'id' -o 'tsv' # Get the Display Name of a Service Principal from its ID. az ad sp show -o 'tsv' \ --id '12345678-abcd-0987-fedc-567890abcdef' --query 'displayName' # Get a Resource Group's ID. az group show 'resource_group_name' # List Subscriptions available to the current User. az account list --refresh --output 'table' # Get the current User's default Subscription's ID. az account show --query 'id' --output 'tsv' # Get the current User's default Subscription. az account set --subscription 'subscription_uuid_or_name' # Set the current User's default Resource Group. az configure --defaults 'group=resource_group_name' # List available Locations. az account list-locations -o 'table' # Create an Access Token for the current User. az account get-access-token # Get a password from a KeyVault. az keyvault secret show --query 'value' \ --name 'secret_name' --vault-name 'key_vault_name' # List LogAnalytics' Workspaces. az monitor log-analytics workspace list \ --resource-group 'resource_group_name' \ | jq -r '.[].name' - # Login to Azure DevOps with a PAT. az devops login --organization 'https://dev.azure.com/org_name' # Get the status of an Azure DevOps Pipeline. # Give the '--organization' parameter, or use '--detect true' if running the # command from a git repository to have it guessed automatically. az pipelines build show --detect true -o 'tsv' \ --project 'project_name' --id 'pipeline_id' --query 'result' # Validate a bicep template to create a Deployment Group. az deployment group validate \ -n 'deployment_group_name' -g 'resource_group_name' \ -f 'template.bicep' -p 'parameter1=value' parameter2="value" # Check what a bicep template would do. az deployment group what-if … # Create a Deployment Group from a template. az deployment group create … # Cancel the current operation on a Deployment Group. az deployment group cancel \ -n 'deployment_group_name' -g 'resource_group_name' # Delete a Deployment Group. az deployment group delete \ -n 'deployment_group_name' -g 'resource_group_name' # Login to an ACR. az acr login --name 'acr_name' # Diagnose container registry connectivity issues. # Requires Docker being running. # Will run a hello-world image locally. az acr check-health -n 'acr_name' -s 'subscription_uuid_or_name' # List helm charts in an ACR. az acr helm list -n 'acr_name' -s 'subscription_uuid_or_name' # Get the 5 latest versions of a helm chart in an ACR. az acr helm list -n 'acr_name' -s 'subscription_uuid_or_name' -o 'json' \ | jq \ --arg CHART_REGEXP 'chart_name_or_regex' \ 'to_entries | map(select(.key|test($CHART_REGEXP)))[].value[] | { version: .version, created: .created }' - \ | yq -sy 'sort_by(.created) | reverse | .[0:5]' - # Push a helm chart to an ACR. az acr helm push -n 'acr_name' 'chart.tgz' --force # Get credentials for an AKS cluster. az aks get-credentials --overwrite-existing \ --resource-group 'resource_group_name' --name 'cluster_name' az aks get-credentials --overwrite-existing --admin \ --resource-group 'resource_group_name' --name 'cluster_name' # Check if the current User is member of a given Group. az rest -u 'https://graph.microsoft.com/v1.0/me/checkMemberObjects' \ -m post -b '{"ids":["group_id"]}' # Check if a Service Principal is member of a given Group. az rest -u 'https://graph.microsoft.com/v1.0/servicePrincipals/service_principal_id/checkMemberObjects' \ -m post -b '{"ids":["group_id"]}' # Query the Graph APIs for a specific Member in a Group. az rest -m 'get' \ -u 'https://graph.microsoft.com/beta/groups/group_id/members?$search="displayName:group_display_name"&$select=displayName' \ --headers 'consistencylevel=eventual' # Remove a Member from an AAD Group. # If '/$ref' is missing from the request, the user will be **deleted from AAD** # if the appropriate permissions are used, otherwise a '403 Forbidden' error is # returned. az rest -m 'delete' \ -u 'https://graph.microsoft.com/beta/groups/group_id/members/member_id/$ref' # List the PATs of a User. # 'displayFilterOptions' are 'active' (default), 'all', 'expired' or 'revoked'. # If more then 20, results are paged and a 'continuationToken' will be returned. az rest -m 'get' \ --headers Authorization='Bearer ey…pw' \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1&displayFilterOption=revoked&isSortAscending=false' az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \ --url-parameters 'api-version=7.1-preview.1' 'displayFilterOption=expired' continuationToken='Hr…in=' # Extend a PAT. # Works with expired PATs too. az rest \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' \ -m 'put' \ --headers \ Authorization='Bearer ey…pw' \ Content-Type='application/json' \ -b '{ "authorizationId": "01234567-abcd-0987-fedc-0123456789ab", "validTo": "2021-12-31T23:46:23.319Z" }' az rest … -b @'file.json' # Disable certificates check upon connection. # Use it for proxies with doubtful certificates. export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 ``` ## APIs One can directly call the APIs with the `rest` command: ```sh az rest \ -u 'https://graph.microsoft.com/v1.0/me/checkMemberObjects' \ --headers Authorization='Bearer ey…pw' \ -m 'post' \ -b '{"ids": ["group_id"]}' az rest \ -u 'https://graph.microsoft.com/beta/groups/group_id/members/member_id/$ref' \ -m 'delete' az rest \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' \ -m 'put' \ --headers \ 'Authorization=Bearer ey…pw' \ 'Content-Type=application/json' \ -b '{ "authorizationId": "01234567-abcd-0987-fedc-0123456789ab", "validTo": "2021-12-31T23:46:23.319Z" }' az rest \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \ -m 'get' --url-parameters \ 'api-version=7.1-preview.1' \ 'displayFilterOption=expired' \ 'continuationToken=Hr…in=' ``` ## Further readings - [Pat token APIs] ## Sources - [Install Azure CLI on macOS] - [Get started with Azure CLI] - [Sign in with Azure CLI] - [How to manage Azure subscriptions with the Azure CLI] - [Authenticate with an Azure container registry] - [Remove a member] [authenticate with an azure container registry]: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli [get started with azure cli]: https://docs.microsoft.com/en-us/cli/azure/get-started-with-azure-cli [how to manage azure subscriptions with the azure cli]: https://docs.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli [install azure cli on macos]: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos [pat token apis]: https://docs.microsoft.com/en-us/rest/api/azure/devops/tokens/pats/list?view=azure-devops-rest-7.1 [remove a member]: https://docs.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0&tabs=http [sign in with azure cli]: https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli