# Azure CLI Queries (`az … --query …`) use the [JMESPath] query language for JSON. ## Table of contents 1. [TL;DR](#tldr) 1. [Installation](#installation) 1. [Extensions](#extensions) 1. [Pipelines](#pipelines) 1. [AKS](#aks) 1. [APIs](#apis) 1. [Further readings](#further-readings) 1. [Sources](#sources) ## TL;DR ```sh # Install the CLI. asdf plugin add 'azure-cli' && asdf install 'azure-cli' '2.43.0' brew install 'azure-cli' docker run -v "${HOME}/.azure:/root/.azure" 'mcr.microsoft.com/azure-cli:2.40.0' pip install 'azure-cli' pipx install 'azure-cli' # Disable certificates check upon connection. # Use it for proxies with doubtful certificates. export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 # Login to Azure. az login az login -u 'username' -p 'password' az login --identity --username 'client_id__or__object_id__or__resource_id' az login --service-principal \ -u 'app_id' -p 'password_or_certificate' --tenant 'tenant_id' # Check the CLI status. az self-test # Gather information on the current user. az ad signed-in-user show az ad signed-in-user list-owned-objects # Gather information on another user. az ad user show --id 'user@email.org' # Check a User's permissions. az ad user get-member-groups --id 'user@email.org' # Get IDs of Service Principals from their Display Name. # id => object ID, appId => client ID. az ad sp list -o 'tsv' --display-name 'service_principal_name' --query '[].id' az ad sp list … --query '[].appId' # Get the Display Name of Service Principals from their object ID. az ad sp show --query 'displayName' -o 'tsv' \ --id '12345678-abcd-0987-fedc-567890abcdef' # Show information about an Application. # The ID must be an application id, object id or identifier uri. az ad app show --id '12345678-abcd-0987-fedc-567890abcdef' # Get the Display Name of an Application from its ID. az ad app show --query 'displayName' -o 'tsv' \ --id '12345678-abcd-0987-fedc-567890abcdef' # Get the Principal (Object) ID of a Managed Identity from its Name. az identity show --query 'principalId' -o 'tsv' \ --resource-group 'resource_group_name' --name 'managed_identity_name' # Get the name of a Managed Identity from its Principal (Object) ID. az identity list -o 'tsv' \ --query "[?(@.principalId=='managed_identity_principal_id')].name" # Get a Resource Group's ID. az group show 'resource_group_name' # List Subscriptions available to the current User. az account list --refresh --output 'table' # Get the current User's default Subscription's ID. az account show --query 'id' --output 'tsv' # Get the ID of a Subscription from its Name. az account show --query 'name' -o 'tsv' -s 'subscription_id' # Get the Name of a Subscription from its ID. az account show --query 'id' -o 'tsv' -n 'subscription_name' # Get the current User's default Subscription. az account set --subscription 'subscription_uuid__or__name' # Set the current User's default Resource Group. az configure --defaults 'group=resource_group_name' # List available Locations. az account list-locations -o 'table' # Create an Access Token for the current User. az account get-access-token az account get-access-token --query 'accessToken' -o 'tsv' # List and show role definitions. az role definition list --name 'role_display_name' az role definition list -g 'resource_group_name' --custom-role-only true # Create role definitions. az role definition create --role-definition 'full_json_definition' # Update role definitions. az role definition update --role-definition 'full_json_definition' az role definition update --role-definition <( \ az role definition list -g 'resource_group_name' --name 'role_display_name' \ | jq -Mc ' .[] | .assignableScopes += [ "/subscription/subscription_id/resourceGroups/resource_group_name" ] ' - \ ) # Delete role definitions. az role definition delete --name 'role_display_name' # List role assignments. az role assignment list az role assignment list --all az role assignment list --resource-group 'resource_group' az role assignment list … --scope 'scope_id' --role 'role_id_or_name' # List role assignments with scope for a User or Managed Identity. # By default, it will only show role assignments for the current subscription. az role assignment list --subscription 'subscription_id' \ --all --include-inherited --assignee 'user_or_managed_identity_object_id' \ --query '[].{role: roleDefinitionName, scope: scope}' -o 'tsv' # Give Principals permissions on Key Vaults. az keyvault set-policy -n 'key_vault_name' --object-id 'principal_object_id' \ --secret-permissions 'get' 'list' 'set' --certificate-permissions 'all' az keyvault set-policy -n 'key_vault_name' --spn 'service_principal_name' … az keyvault set-policy -n 'key_vault_name' --upn 'user_principal_name' … # List the names of all keys in Key Vaults. az keyvault key list --query '[].name' -o 'tsv' --vault-name 'key_vault_name' # Create or update passwords in Key Vaults. az keyvault secret set \ --vault-name 'key_vault_name' --name 'secret_name' --value 'plain_text' az keyvault secret set … --expires '2024-04-10T12:19:54Z' # Get passwords from Key Vaults. az keyvault secret show --query 'value' \ --name 'secret_name' --vault-name 'key_vault_name' # Show details of Disk Encryption Sets. az disk-encryption-set show -g 'resource_group_name' -n 'des_name' # Get Key ID and Access Policy of Disk Encryption Sets. az disk-encryption-set show --ids 'id' \ --query "{ \"keyId\": activeKey.keyUrl, \"accessPolicyId\": join('/', [activeKey.sourceVault.id, 'objectId', identity.principalId]) }" # List all the available SKUs for VMs. az vm list-skus az vm list-skus -l 'location' # List all the SKUs supporting an ephemeral OS disk. az vm list-skus -l 'location' -o tsv \ --query "[?capabilities[?name=='EphemeralOSDiskSupported' && value=='True']]" # List the Virtual Machine images available in Azure Marketplace. # Or check https://az-vm-image.info . # Suggested to use '--all' to avoid useless filtering at MSFT side. az vm image list --all az vm image list -l 'westus' --offer 'RHEL' -p 'RedHat' -s '8_5' --all # Show a Virtual Machine's details. az vm show -g 'resource_group_name' -n 'vm_name' # Delete a Virtual Machine. az vm delete -g 'resource_group_name' -n 'vm_name' # Assess updates in a Linux Virtual Machine. az vm assess-patches -g 'resource_group_name' -n 'vm_name' # Install security updates in a Linux Virtual Machine. # Do not reboot. # Max 4h of operation. az vm install-patches -g 'resource_group_name' -n 'vm_name' \ --maximum-duration 'PT4H' --reboot-settings 'Never' \ --classifications-to-include-linux 'Security' # Get the status of the Agent in a Virtual Machine. az vm get-instance-view -g 'resource_group_name' -n 'vm_name' \ --query 'instanceView.vmAgent.statuses[]' -o 'table' # Wait until a Virtual Machine satisfies a condition. az vm wait -g 'resource_group_name' -n 'vm_name' --created az vm wait … --updated --interval '5' --timeout '300' az vm wait … --custom "instanceView.statuses[?code=='PowerState/running']" az vm wait … --custom "instanceView.vmAgent.statuses[?code!='ProvisioningState/Updating']" # Wait for a Virtual Machine Agent to be Ready. az vm wait -g 'resource_group_name' -n 'vm_name' \ --custom "instanceView.vmAgent.statuses[?code=='ProvisioningState/succeeded']" # List all the available SKUs for PostgreSQL flexible DB servers. az postgres flexible-server list-skus --location 'westeurope' -o 'table' # List LogAnalytics' Workspaces. az monitor log-analytics workspace list --query '[].name' \ --resource-group 'resource_group_name' # List available Resource Providers. az provider list az provider list --expand # Enable a Resource Provider. az provider register -n 'Microsoft.Confluent' --accept-terms az provider register -n 'Microsoft.Automation' -m 'management_group_id' # List the available properties of the 'ContainerService' Resource Provider. az provider show -o 'tsv' --namespace 'Microsoft.ContainerService' \ --expand 'resourceTypes/aliases' --query 'resourceTypes[].aliases[].name' # Disable a Resource Provider. az provider unregister -n 'Microsoft.Confluent' # List available CLI extensions. az extension list-available --output 'table' # Add extensions to the CLI. az extension add --name 'extension_name' az extension add --source 'url__or__local_path' # Update extensions. az extension update --name 'extension_name' az extension add --source 'updated__url__or__local_path' # Remove installed extensions. az extension remove --name 'extension_name' # Validate a bicep template to create a Deployment Group. # Leverages the `bicep` utility. az deployment group validate \ -n 'deployment_group_name' -g 'resource_group_name' \ -f 'template.bicep' -p 'parameter1=value' parameter2="value" # Check what a bicep template would do. az deployment group what-if … # Create a Deployment Group from a template. az deployment group create … # Cancel the current operation on a Deployment Group. az deployment group cancel \ -n 'deployment_group_name' -g 'resource_group_name' # Delete a Deployment Group. az deployment group delete \ -n 'deployment_group_name' -g 'resource_group_name' # Delete Log Analytics Workspaces. az monitor log-analytics workspace delete -y -f 'y' \ -g 'resource_group_name' -n 'law_name' # Delete Disk Encryption Sets. az disk-encryption-set delete -g 'resource_group_name' -n 'des_name' # Login to an ACR. az acr login --name 'acr_name' # Diagnose container registry connectivity issues. # Requires Docker being running. # Will run a hello-world image locally. az acr check-health -n 'acr_name' -s 'subscription_uuid_or_name' # List helm charts in an ACR. az acr helm list -n 'acr_name' -s 'subscription_uuid_or_name' # Get the 5 latest versions of a helm chart in an ACR. az acr helm list -n 'acr_name' -s 'subscription_uuid_or_name' -o 'json' \ | jq \ --arg CHART_REGEXP 'chart_name_or_regex' \ 'to_entries | map(select(.key|test($CHART_REGEXP)))[].value[] | { version: .version, created: .created }' - \ | yq -sy 'sort_by(.created) | reverse | .[0:5]' - # Push a helm chart to an ACR. az acr helm push -n 'acr_name' 'chart.tgz' --force # List the available Features in a Subscription. az feature list # Show the details of a Feature. az feature show -n 'AKS-ExtensionManager' --namespace 'Microsoft.ContainerService' # List Policies. az policy definition list az policy definition list -o 'tsv' --query "[?(@.name=='policy_name')]" az policy definition list -o 'tsv' --query "[?(@.displayName=='policy_display_name')].name" # Show a Policy's definition. az policy definition show -n 'policy_name' # List Policies metadata. az policy metadata list # List Policy Initiatives. az policy set-definition list az policy set-definition list -o 'tsv' --query "[?(@.name=='initiative_name')]" az policy set-definition list --management-group 'management_group_id' \ -o 'tsv' --query "[?(@.displayName=='initiative_display_name')].name" # Show an Initiative's definition. az policy set-definition show -n 'initiative_name' # Show the servers in the default HTTP backend of an Application Gateway. az network application-gateway show-backend-health -o 'table' \ -g 'resource_group_name' -n 'agw_name' \ --query 'backendAddressPools[].backendHttpSettingsCollection[].servers[]' # Check if the current User is member of a given Group. az rest -u 'https://graph.microsoft.com/v1.0/me/checkMemberObjects' \ -m post -b '{"ids":["group_id"]}' # Check if a Service Principal is member of a given Group. az rest -u 'https://graph.microsoft.com/v1.0/servicePrincipals/service_principal_id/checkMemberObjects' \ -m post -b '{"ids":["group_id"]}' # Query the Graph APIs for a specific Member in a Group. az rest -m 'get' \ -u 'https://graph.microsoft.com/beta/groups/group_id/members?$search="displayName:group_display_name"&$select=displayName' \ --headers 'consistencylevel=eventual' # Remove a Member from an AAD Group. # If '/$ref' is missing from the request, the user will be **deleted from AAD** # if the appropriate permissions are used, otherwise a '403 Forbidden' error is # returned. az rest -m 'delete' \ -u 'https://graph.microsoft.com/beta/groups/group_id/members/member_id/$ref' # List a User's PATs. # 'displayFilterOptions' are 'active' (default), 'all', 'expired' or 'revoked'. # 'displayFilterOptions' can be negated ('!revoked'). # If more then 20, or up to 100 using the '$top' url parameter, results are # paged and a 'continuationToken' will be returned. az rest -m 'get' \ --headers Authorization='Bearer ey…pw' \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1&displayFilterOption=revoked&isSortAscending=false' az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \ --url-parameters 'api-version=7.1-preview.1' 'displayFilterOption=expired' continuationToken='Hr…in=' # Create PATs. az rest -m 'post' \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \ --url-parameters 'api-version=7.1-preview.1' \ --headers Authorization='Bearer ey…pw' Content-Type='application/json' \ -b '{ "displayName": "new-pat", "scope": "pat-scope", "validTo": "2021-12-31T23:46:23.319Z", "allOrgs": false }' # Extend PATs. # Works with expired PATs too, but not revoked ones. az rest -m 'put' \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \ --url-parameters 'api-version=7.1-preview.1' \ --headers Authorization='Bearer ey…pw' Content-Type='application/json' \ -b '{ "authorizationId": "01234567-abcd-0987-fedc-0123456789ab", "validTo": "2021-12-31T23:46:23.319Z" }' az rest … -b @'file.json' # Revoke PATs. az rest -m 'delete' \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \ --url-parameters \ 'api-version=7.1-preview.1' \ 'authorizationId=01234567-abcd-0987-fedc-0123456789ab' \ --headers Authorization='Bearer ey…pw' # Automatically renew the first 100 non revoked Devops PATs. # The others are in the next pages and not being able to deactivate pagination # just su*ks bad. # Assumes the command uses the GNU version of each tool (see `date`). ORGANIZATION_NAME='organization_name' \ TOKEN="$(az account get-access-token --query 'accessToken' -o 'tsv')" \ VALID_TO="$(date -d '+13 days' '+%FT%T.00Z')" \ && az rest -m 'get' \ -u "https://vssps.dev.azure.com/${ORGANIZATION_NAME}/_apis/tokens/pats" \ --url-parameters \ 'api-version=7.1-preview.1' \ 'displayFilterOption=!revoked' \ '$top=100' \ --headers "Authorization=Bearer ${TOKEN}" \ --query 'patTokens[].authorizationId' \ -o 'tsv' \ | parallel -qr -j '100%' \ az rest -m 'put' \ -u "https://vssps.dev.azure.com/${ORGANIZATION_NAME}/_apis/tokens/pats" \ --url-parameters \ 'api-version=7.1-preview.1' \ --headers \ "Authorization=Bearer ${TOKEN}" \ 'Content-Type=application/json' \ -b "{ \"authorizationId\": \"{}\", \"validTo\": \"${VALID_TO}\" }" ``` ## Installation ```sh pip install 'azure-cli' brew install 'azure-cli' asdf plugin add 'azure-cli' && asdf install 'azure-cli' '2.43.0' docker run -it -v "${HOME}/.ssh:/root/.ssh" 'mcr.microsoft.com/azure-cli' ``` ## Extensions The Azure CLI can load _extensions_, practically Python wheels that aren't shipped as part of the CLI itself but run as CLI commands.
You could create your own CLI interface. ```sh # List available CLI extensions. az extension list-available --output 'table' # Add extensions to the CLI. az extension add --name 'extension_name' az extension add --source 'url__or__local_path' # Update extensions. az extension update --name 'extension_name' az extension add --source 'updated__url__or__local_path' # Remove installed extensions. az extension remove --name 'extension_name' ``` When you run a command for an extension which is not currently installed, CLI recognizes it and tries to automatically install the extension. This feature is called _dynamic install_, and is enabled by default since version 2.12.0. ```sh # Configure if and how to use the 'dynamic install' feature. az config set 'extension.use_dynamic_install=yes_prompt' az config set 'extension.use_dynamic_install=yes_without_prompt' az config set 'extension.use_dynamic_install=no' az config set 'extension.run_after_dynamic_install=no' ``` ## Pipelines See [DevOps]. ## AKS See [AKS]. ## APIs One can directly call the APIs with the `rest` command: ```sh az rest \ -m 'post' \ -u 'https://graph.microsoft.com/v1.0/me/checkMemberObjects' \ --headers Authorization='Bearer ey…pw' \ -b '{"ids": ["group_id"]}' az rest \ -m 'delete' \ -u 'https://graph.microsoft.com/beta/groups/group_id/members/member_id/$ref' az rest \ -m 'put' \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' \ --headers \ 'Authorization=Bearer ey…pw' \ 'Content-Type=application/json' \ -b '{ "authorizationId": "01234567-abcd-0987-fedc-0123456789ab", "validTo": "2021-12-31T23:46:23.319Z" }' az rest \ -m 'get' \ -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \ --url-parameters \ 'api-version=7.1-preview.1' \ 'displayFilterOption=expired' \ 'continuationToken=Hr…in=' ``` ## Further readings - [PAT APIs] - The [`az` command reference][az reference] - The [`az bicep` command group][az bicep] - [Devops CLI extension] ## Sources All the references in the [further readings] section, plus the following: - [Install Azure CLI on macOS] - [Get started with Azure CLI] - [Sign in with Azure CLI] - [How to manage Azure subscriptions with the Azure CLI] - [Authenticate with an Azure container registry] - [Remove a member] - [Create and manage Azure Pipelines from the command line] [authenticate with an azure container registry]: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli [az reference]: https://learn.microsoft.com/en-us/cli/azure/reference-index [get started with azure cli]: https://learn.microsoft.com/en-us/cli/azure/get-started-with-azure-cli [how to manage azure subscriptions with the azure cli]: https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli [install azure cli on macos]: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-macos [pat apis]: https://learn.microsoft.com/en-us/rest/api/azure/devops/tokens/pats [remove a member]: https://learn.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0&tabs=http [sign in with azure cli]: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli [further readings]: #further-readings [aks]: aks.md [az bicep]: bicep.md#tldr [devops]: devops.md [devops cli extension]: devops.md#tldr [jmespath]: ../../jmespath.md [create and manage azure pipelines from the command line]: https://devblogs.microsoft.com/devops/create-and-manage-azure-pipelines-from-the-command-line/