The Azure CLI (az) is the command-line tool for managing Azure resources. This cheatsheet covers 65+ commands organized by resource type — from logging in and managing resource groups to deploying VMs, configuring networking, and monitoring costs. If you're still doing everything in the Azure portal, this is your sign to level up.
⚙️ The Azure CLI Workflow
Every Azure task follows a similar pattern:
login → create resource group → create resources → manage → monitor → clean up
The portal is great for exploring. The CLI is how you get fast, repeatable, and scriptable. Once you learn these commands, you'll wonder why you ever clicked through the portal for routine tasks.
🚀 Getting Started
Install the CLI, sign in, and make sure you're pointed at the right subscription.
| Command | What It Does |
|---|---|
az --version | Shows your installed Azure CLI version |
az upgrade | Updates Azure CLI to the latest version |
az login | Opens a browser to sign in to your Azure account |
az login --tenant <tenant-id> | Sign in to a specific Azure AD/Entra ID tenant |
az account show --output table | Shows your current subscription and tenant |
az account list --output table | Lists all subscriptions you have access to |
az account set --subscription <name-or-id> | Switches to a different subscription |
az configure --defaults location=canadacentral | Sets default values so you don't have to repeat them |
az interactive | Launches interactive mode with autocomplete and docs |
First thing after install: run az account show to confirm you're targeting the right subscription. Deploying resources to the wrong subscription is a mistake you only make once. 😅
Cloudlearn - Hands-On AWS & Azure Training
Hands-on AWS & Azure labs with real-time skill verification. Close skill gaps, track progress, and prove training ROI to leadership.
📦 Resource Groups
Every resource in Azure lives in a resource group. Think of it as a folder for related resources.
| Command | What It Does |
|---|---|
az group create --name myRG --location canadacentral | Creates a new resource group |
az group list --output table | Lists all resource groups in the current subscription |
az group show --name myRG | Shows details of a specific resource group |
az group exists --name myRG | Returns true/false — useful in scripts |
az group delete --name myRG --yes --no-wait | Deletes a resource group and everything in it |
az group delete deletes EVERYTHING inside the resource group — VMs, databases, storage, all of it. The --yes flag skips the confirmation prompt. Use it carefully. 🔥
🖥️ Virtual Machines
VMs are the bread and butter of Azure infrastructure. These commands cover the full lifecycle.
| Command | What It Does |
|---|---|
az vm create --name myVM -g myRG --image Ubuntu2204 --size Standard_B1s --admin-username azureuser --generate-ssh-keys | Creates an Ubuntu VM with SSH keys |
az vm list -g myRG --output table | Lists all VMs in a resource group |
az vm show --name myVM -g myRG | Shows full details of a VM |
az vm start --name myVM -g myRG | Starts a stopped VM |
az vm stop --name myVM -g myRG | Stops a VM (OS shuts down but you're still billed 💸) |
az vm deallocate --name myVM -g myRG | Deallocates the VM — this is what stops billing ✅ |
az vm restart --name myVM -g myRG | Restarts a running VM |
az vm delete --name myVM -g myRG --yes | Deletes a VM (doesn't delete disks or NICs by default) |
az vm resize --name myVM -g myRG --size Standard_B2s | Changes the VM size (requires a restart) |
az vm list-sizes --location canadacentral --output table | Lists all available VM sizes in a region |
az vm list-ip-addresses --name myVM -g myRG --output table | Shows public and private IPs for a VM |
az vm open-port --name myVM -g myRG --port 80 --priority 900 | Opens a port in the VM's NSG |
az vm run-command invoke --name myVM -g myRG --command-id RunShellScript --scripts "apt update" | Runs a command inside the VM remotely |
az vm stop is NOT the same as az vm deallocate. If you just stop a VM, Azure keeps the compute allocated and you keep paying 💸. Always deallocate to stop charges. This catches people every month.
🌐 Networking
VNets, subnets, NSGs, and public IPs — the foundation of Azure networking.
| Command | What It Does |
|---|---|
az network vnet create --name myVNet -g myRG --address-prefixes 10.0.0.0/16 --subnet-name default --subnet-prefixes 10.0.0.0/24 | Creates a VNet with one subnet |
az network vnet list -g myRG --output table | Lists VNets in a resource group |
az network vnet subnet create --vnet-name myVNet -g myRG --name backend --address-prefixes 10.0.1.0/24 | Adds a subnet to an existing VNet |
az network vnet subnet list --vnet-name myVNet -g myRG --output table | Lists all subnets in a VNet |
az network nsg create --name myNSG -g myRG | Creates a Network Security Group |
az network nsg rule create --nsg-name myNSG -g myRG --name AllowHTTP --priority 100 --destination-port-ranges 80 --access Allow --protocol Tcp | Adds an inbound rule to allow HTTP traffic |
az network public-ip create --name myPublicIP -g myRG --sku Standard | Creates a static public IP address |
az network nic create --name myNIC -g myRG --vnet-name myVNet --subnet default --network-security-group myNSG --public-ip-address myPublicIP | Creates a NIC with all the networking attached |
When you're setting up a new environment or troubleshooting connectivity. In production, use Terraform or Bicep for networking — but know these commands for quick debugging. 🔍
💾 Storage
Azure Storage Accounts handle blobs, files, tables, and queues.
| Command | What It Does |
|---|---|
az storage account create --name mystorageacct -g myRG --sku Standard_LRS | Creates a storage account (name must be globally unique) |
az storage account list -g myRG --output table | Lists storage accounts |
az storage account show-connection-string --name mystorageacct -g myRG | Gets the connection string (you'll need this for apps) 🔑 |
az storage container create --name mycontainer --account-name mystorageacct | Creates a blob container |
az storage blob upload --container-name mycontainer --account-name mystorageacct --file ./myfile.txt --name myfile.txt | Uploads a file to blob storage |
az storage blob list --container-name mycontainer --account-name mystorageacct --output table | Lists blobs in a container |
az storage blob download --container-name mycontainer --account-name mystorageacct --name myfile.txt --file ./downloaded.txt | Downloads a blob to your local machine |
Storage account names must be globally unique, 3-24 characters, and lowercase letters/numbers only. Save yourself the frustration — use a naming convention like st<project><env><region> (e.g., stappdev01cc). 📝
🌍 Web Apps and App Service
Deploy and manage web applications on Azure App Service.
| Command | What It Does |
|---|---|
az appservice plan create --name myPlan -g myRG --sku F1 | Creates a free-tier App Service Plan |
az webapp create --name myapp -g myRG --plan myPlan --runtime "NODE:20-lts" | Creates a web app with Node.js runtime |
az webapp list -g myRG --output table | Lists all web apps |
az webapp show --name myapp -g myRG | Shows web app details |
az webapp deploy --name myapp -g myRG --src-path ./app.zip --type zip | Deploys a zip package to the web app |
az webapp log tail --name myapp -g myRG | Streams live application logs to your terminal 📡 |
az webapp restart --name myapp -g myRG | Restarts the web app |
az webapp config appsettings set --name myapp -g myRG --settings DB_HOST=mydb.database.azure.com | Sets an environment variable (app setting) |
App Service is your go-to for web apps, APIs, and backends that don't need container orchestration. Use the F1 (free) or B1 (basic) SKU for dev/test — scale up when you go to production.
🐳 Azure Container Apps
The modern way to run containers on Azure without managing Kubernetes yourself.
| Command | What It Does |
|---|---|
az containerapp env create --name myEnv -g myRG --location canadacentral | Creates a Container Apps environment |
az containerapp create --name myapp -g myRG --environment myEnv --image mcr.microsoft.com/k8se/quickstart:latest --target-port 80 --ingress external | Deploys a container with public access |
az containerapp list -g myRG --output table | Lists all container apps |
az containerapp update --name myapp -g myRG --min-replicas 1 --max-replicas 5 | Configures auto-scaling |
az containerapp logs show --name myapp -g myRG | Shows application logs |
Azure Container Apps has a generous free tier — 180,000 vCPU-seconds and 360,000 GiB-seconds per month. That's enough to run a small app 24/7 at no cost. 🆓
🔐 Identity and Access (Entra ID and RBAC)
Manage users, groups, and role assignments.
| Command | What It Does |
|---|---|
az ad user list --output table | Lists all users in your Entra ID (Azure AD) tenant |
az ad user create --display-name "Jane Doe" --user-principal-name jane@contoso.com --password "TempP@ss123" | Creates a new user |
az ad group list --output table | Lists all groups |
az ad group member add --group "Cloud Admins" --member-id <user-object-id> | Adds a user to a group |
az role assignment create --assignee jane@contoso.com --role "Contributor" --scope /subscriptions/<sub-id>/resourceGroups/myRG | Assigns an RBAC role to a user at the resource group level |
az role assignment list -g myRG --output table | Lists all role assignments for a resource group |
az role definition list --output table | Lists all available built-in RBAC roles |
Follow the principle of least privilege. Give Reader or a custom role instead of Contributor unless they genuinely need write access. And never give Owner at the subscription level unless absolutely necessary. 🚨
📊 Monitoring and Logs
Keep an eye on what's happening in your environment.
| Command | What It Does |
|---|---|
az monitor activity-log list -g myRG --output table | Shows recent activity (who did what, when) |
az monitor metrics list --resource <resource-id> --metric "Percentage CPU" --output table | Gets CPU metrics for a resource |
az monitor log-analytics workspace create --workspace-name myWorkspace -g myRG | Creates a Log Analytics workspace |
az monitor diagnostic-settings create --resource <resource-id> --workspace <workspace-id> --name "send-logs" --logs '[{"enabled":true,"category":"allLogs"}]' | Sends resource logs to Log Analytics |
az advisor recommendation list --output table | Gets Azure Advisor recommendations (performance, cost, security) |
💰 Cost and Billing
Keep your Azure bill under control.
| Command | What It Does |
|---|---|
az consumption usage list --start-date 2026-01-01 --end-date 2026-01-31 --output table | Shows usage details for a date range |
az vm deallocate --name myVM -g myRG | Stop paying for a VM you're not using 💤 |
az group delete --name testRG --yes --no-wait | Delete an entire test environment to stop charges |
az advisor recommendation list --category cost --output table | Shows cost-saving recommendations from Azure Advisor 💡 |
Set a monthly budget alert in the Azure portal (or with az consumption budget create). I've seen students rack up $200+ in a weekend because they forgot to deallocate a VM. A $10 budget alert would have saved them. ⚠️
⚡ Power User Tips
Make the CLI faster and more readable.
🎨 Output Formatting
| Flag | What It Does |
|---|---|
--output table | Clean, readable table format — my default for everything ✅ |
--output json | Full JSON — useful for piping into scripts |
--output tsv | Tab-separated — great for shell scripting |
--output yaml | YAML format |
🔎 JMESPath Queries
Filter and format output without external tools:
| Command | What It Does |
|---|---|
az vm list --query "[].{Name:name, Size:hardwareProfile.vmSize}" --output table | Shows only name and size of all VMs |
az group list --query "[?location=='canadacentral'].name" --output tsv | Lists resource groups in a specific region |
az vm list -g myRG --query "[?powerState=='VM running'].name" --output tsv | Lists only running VMs |
🛠️ Handy Shortcuts
| Command | What It Does |
|---|---|
az find "create vm" | Searches CLI commands — when you know what you want to do but not the command |
az extension list-available --output table | Lists all available CLI extensions |
az extension add --name <extension-name> | Installs a CLI extension |
az config set core.collect_telemetry=false | Disables telemetry collection |
Add --output table to basically everything when you're working interactively. The default JSON output is useful for scripts but painful to read in a terminal. You can also set it as default: az configure --defaults output=table. 🎯
🧹 Quick Reference: Resource Cleanup
When you're done with a lab or test, clean up to avoid surprise charges:
| Command | What It Does |
|---|---|
az group delete --name myRG --yes --no-wait | Nukes everything in a resource group 💥 |
az vm deallocate --ids $(az vm list -g myRG --query "[].id" -o tsv) | Deallocates all VMs in a resource group |
az resource list -g myRG --output table | Lists everything in a resource group (review before deleting) 👀 |
Always run az resource list -g myRG before deleting a resource group. Make sure it only contains what you expect. Deleting is permanent — there's no undo. ⛔
