Azure Cheatsheet

Getting Started

Install latest version of Azure CLI on Mac

brew update && brew install azure-cli


Install PowerShell

brew install --cask powershell

Run a powershell terminal with:



Install Azure PowerShell module

For the current user:

# Az and AzureRM cannot be installed side by side in Windows PowerShell (Desktop edition)
if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
      'Az modules installed at the same time is not supported.')
} else {
    # Install the Az module for the current user only
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
}


Get authenticated in Powershell


Install latest version of Azure CLI on linux

curl -sL | sudo bash



Authenticate via the CLI

Run this command to get authenticated:

az login

This opens a web browser or prints a URL prompt. Navigating to that URL prompts you for a code, which is shown on the command line. Paste it in, click Next, and select the proper account.


Info Gathering

List accounts

az account list

Get tenant id

az account list | jq '.[].tenantId'

List tenants

az account tenant list

List Resource Groups

az group list | jq -r '.[].name'


Get Subscription via Powershell



Set Subscription via Powershell

Set-AzureSubscription -Id [Subscription ID]


List all VMs

az vm list


Blob Storage

List all storage accounts and output in a table format:

az storage account list -o table

List all storage accounts and get storage account names:

az storage account list -o json | jq -r '.[].name'

You can assign one of the account names to an env var if you'd like:

export AZURE_STORAGE_ACCOUNT=<storage account name from output>

Get storage keys

If you set the env var:

az storage account keys list -n $AZURE_STORAGE_ACCOUNT

You can assign one of the keys to an env var if you'd like:

export AZURE_STORAGE_KEY='<your key from the output of the previous command>'

List storage containers

az storage container list --account-name $AZURE_STORAGE_ACCOUNT --account-key "$AZURE_STORAGE_KEY"

List storage container contents

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY


List blob names

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY | jq '.[].name'

Azure Kubernetes (k8s)

Get available versions of k8s in a region

REGION=westus2 # This will vary depending on the region you're using
az aks get-versions --location $REGION -o table


List managed k8s clusters

az aks list


Get Resource Group Name for clusters

AZ_RESOURCE_GROUP_NAME=$(az aks list | jq -r '.[].resourceGroup')

Get Cluster Name

AZ_CLUSTER_NAME=$(az aks list | jq -r '.[].name')

Configure kubectl

This is pretty awesome, good job Microsoft:

az aks get-credentials --resource-group $AZ_RESOURCE_GROUP_NAME --name $AZ_CLUSTER_NAME


Security Auditing

ScoutSuite will generate an HTML report outlining various issues that exist in the configuration for a given account.


git clone
cd ScoutSuite
pipenv --python 3
pipenv shell
pip install -r requirements.txt


python azure --cli



git clone
cd PowerZure

# Install required modules
Install-Module MSOnline -Force
Install-Module AzureAD -Force
Install-Module AzureADPreview -Force

# Authenticate

# Import PowerZure
ipmo ./PowerZure.ps1

# Sign in (Connect-AzAccount is a cmdlet from the Az module, not an installable module)
Connect-AzAccount
Set-AzureSubscription -Id [Subscription ID]
# Enumerate all roles
# Enumerate resources the current user has access to

Resources:
- fix the weird error that comes up for Importing the AzureADPreview module
- fix missing modules like Get-AzureADDirectoryRole

Show all functions

powerzure -h 

Get help for a particular function

For example:

get-help Get-AzureTargets

Get all content from all KeyVaults

Show-AzureKeyVaultContent -All

Resource: - PowerZure general usage info

Azure AD

List all applications

az ad app list --output=table --query='[].{Name:displayName,URL:homepage}'



View all VMSS in a subscription

Simply navigate to this page and use the magical Try it button to use the REST API to grab this info. Neat!


az vmss list

Get VMSS by name and associated resource group

az vmss list | jq '.[] | {name, resourceGroup}'

List vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP


Get computer name of vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP | jq '.[].osProfile.computerName'

Run command in vm in a VMSS

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'echo $1 $2' --parameters hello world
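
Run-command, storage key listing and AKS credential retrieval are all control-plane operations, so each leaves a record in the Azure Activity Log. The following is an added example, not part of the original cheatsheet, and it goes beyond this one command to cover the earlier key-listing and `get-credentials` commands too. It assumes records shaped like the output of `az monitor activity-log list -o json`; the sample events and callers are constructed.

```python
from collections import Counter

# Control-plane operations generated by commands on this page. Keys are
# lower-cased because operation-name casing can differ between log sources.
WATCHED = {
    "microsoft.storage/storageaccounts/listkeys/action":
        "az storage account keys list",
    "microsoft.containerservice/managedclusters/listclusterusercredential/action":
        "az aks get-credentials",
    "microsoft.compute/virtualmachinescalesets/virtualmachines/runcommand/action":
        "az vmss run-command invoke",
}

def _ev(ts, caller, op, status):
    """Build one constructed record in the assumed activity-log shape."""
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": op}, "status": {"value": status}}

# Constructed sample events (not real log data).
SAMPLE = [
    _ev("2024-01-01T10:00:00Z", "user-a@example.com",
        "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "Succeeded"),
    _ev("2024-01-01T10:05:00Z", "user-a@example.com",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action", "Started"),
    _ev("2024-01-01T10:06:00Z", "user-a@example.com",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action", "Succeeded"),
    _ev("2024-01-01T10:08:00Z", "user-b@example.com",
        "Microsoft.Compute/virtualMachines/read", "Succeeded"),
    _ev("2024-01-01T10:10:00Z", "user-b@example.com",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action", "Failed"),
]

def detect(events):
    """Return watched operations, one entry per finished attempt."""
    hits = []
    for ev in events:
        op = ((ev.get("operationName") or {}).get("value") or "").lower()
        status = (ev.get("status") or {}).get("value") or ""
        # A "Started" record precedes the final Succeeded/Failed one; skip it.
        if op not in WATCHED or status == "Started":
            continue
        hits.append({"time": ev.get("eventTimestamp") or "", "caller": ev.get("caller"),
                     "command": WATCHED[op], "status": status})
    return sorted(hits, key=lambda h: h["time"])

def callers_by_volume(hits):
    """Rank identities by how many watched operations they performed."""
    return Counter(h["caller"] for h in hits).most_common()

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
```

Failed attempts are kept on purpose: a caller who is denied on these operations is as interesting to review as one who succeeds.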

Add SSH key to VMSS via Powershell

Please note that the Az module replaces the AzureRM module, and this documentation reflects that.

Before opening PowerShell, generate an SSH key:

ssh-keygen -m PEM -t rsa -b 4096 -f ~/.ssh/key-name.pem

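Run pwsh and let the PowerShell begin:

# Import required module
Import-Module Az.Compute

# Keep the VM object so it can be passed to Add-AzVMSshPublicKey below
$VirtualMachine = Get-AzVM -ResourceGroupName "ResourceGroup11" -Name "VirtualMachine07"

# Az equivalent of New-AzureRmVmssConfig (the Az module replaces AzureRM)
$VMSS = New-AzVmssConfig
# Add the public key to the VM object's authorized_keys path
Add-AzVMSshPublicKey -VM $VirtualMachine -KeyData "MIIDszCCApugAwIBAgIJALBV9YJCF/tAMA0GCSq12Ib3DQEB21QUAMEUxCzAJBgNV" -Path "/home/admin/.ssh/authorized_keys"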

If you run into issues with importing the module, run this command:

Install-Module -Name Az -AllowClobber -Scope CurrentUser

and restart PowerShell.

Resources:
- doc from Microsoft to create an SSH key pair
- cli args
- the hero that mentions that AzureRM doesn't work on Mac OS
- for module import issue