Azure CLI

azure cli usage examples

# version info
az -v

# help
az -h

# find examples
az find "az functionapp list"

# interactive login
az login

# log in with a service principal using client secret.
az login --service-principal -u http://azure-cli-2019-05-09-16-09-40 -p '[CLIENT_SECRET_HERE]' --tenant brianpfeilgmail.onmicrosoft.com

az logout

az account show
az account show | jq '.tenantId'

TENANT_ID=$(az account show --query tenantId --output tsv)

az account list
az account get-access-token

az account list-locations

# list account fields in table format
az account list --output table --query '[].{Name:name, SubscriptionId:id, TenantId:tenantId}'


# details of signed in user
az ad signed-in-user show

# ad
az ad -h

# ad service principals
az ad sp -h

# create a service principal and configure its access to Azure
az ad sp create-for-rbac

# list service principals
az ad sp list

# list service principals with subset of properties
az ad sp list --query "[].{id:appId, tenant:appOwnerTenantId, name:displayName}"

# list role assignments for service principal
az role assignment list --assignee 'http://azure-cli-2019-05-09-16-09-40'

# list role assignments for user (user sign-in name)
az role assignment list --assignee 'dev01@brianpfeilgmail.onmicrosoft.com'

# list role assignments for user (object id)
az role assignment list --assignee '38d35c72-5a26-464c-bbb3-c4487a1d4779'

# list role assignments for service principal
az role assignment list --assignee "http://service-principal-01"

# reset service principal password.  if you forgot or lost it, this is the only way to get it.
az ad sp credential reset --name "http://service-principal-01"

# output
# {
#   "appId": "00133c8e-a08e-490e-ae7c-872ea2debf1e",
#   "name": "http://service-principal-01",
#   "password": "09tGSBcRsl_Gml7DI7VkRniFu_r_xxxxxx",
#   "tenant": "b0579be4-503f-48ca-9bd2-ca22100857dd"
# }

# login with service principal
az login --service-principal --username "http://service-principal-01" --password "09tGSBcRsl_Gml7DI7VkRniFu_r_xxxxxx" --tenant "b0579be4-503f-48ca-9bd2-ca22100857dd"

# get access token (bearer)
# NOTE: must be logged in with `service-principal-01` above for this example
# or may need to add client id to authorize application.  see following screenshot
# <https://www.evernote.com/l/AAFJLMG88QhDgqehvtS8P-qkVuCcmFFUhCMB/image.png>
ACCESS_TOKEN=$(az account get-access-token --resource 'https://brianpfeilmyfn01.azurewebsites.net')


# call endpoint protected by azure ad.  e.g. functions function endpoint
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" https://brianpfeilmyfn01.azurewebsites.net/api/HttpExample

# show service principal details
az ad sp show --id "http://service-principal-01"

# get access token (Bearer) that can be used as `Authorization` header
# current user
az account get-access-token

# for specific resource
az account get-access-token --resource 'https://vault.azure.net'

# list app registrations
az ad app list --query '[].{displayName: displayName}' --output table

# create resource group
az group create --name "group01" --location eastus

# list resource group names
az group list | jq '.[].name'

# delete resource group
az group delete --name "group01"

# deploy arm template examples
az group deployment create --name "my-deployment-01" --resource-group "my-resource-group-01"   --template-file template.json --parameters @parameters.json

az group deployment create   --name cosmosdbaccountdeployment01   --resource-group group01   --template-file azure-cosmos-db-account.json   --parameters name="account01" location="eastus" locationName="East US" defaultExperience="DocumentDB"

# interactive/repl mode.  immediately exits / doesn't work as of 2019-05-14
az interactive


# list all resources
az resource list

az role assignment list

az role definition list

az role definition list --custom-role-only true --output json | jq '.[] | {"roleName":.roleName, "roleType":.roleType}'
az role definition list | jq '.[].description'

# list storage account
az storage account list | jq '.[].name'