CyberCheatsheets

Azure CLI Cheat Sheet

Microsoft Azure command-line tool for subscription, VM, storage, and Entra ID enumeration in cloud pentests.

Cloud & ContainersazureentraenumerationUpdated 2026-06-02

Overview

Azure CLI (az) manages Azure resources and Microsoft Entra ID (via extension). Use after obtaining user creds, service principals, or managed identity access from apps/VMs.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
az version

Login

az login
az login --service-principal -u APP_ID -p SECRET --tenant TENANT_ID

Essential commands

Account context

az account show
az account list -o table

Set subscription

az account set --subscription "Subscription Name"

Resource groups

az group list -o table

Common workflows

Post-compromise enumeration —

az account list-locations -o table
az resource list -o table
az vm list -o table
az vm show -g RG -n VMName

Run command on VM (if RBAC allows)

az vm run-command invoke -g RG -n VMName --command-id RunShellScript --scripts "id; hostname"

Storage accounts —

az storage account list -o table
az storage container list --account-name ACCOUNT --auth-mode login
az storage blob list --account-name ACCOUNT -c container --auth-mode login
az storage blob download --account-name ACCOUNT -c container -n secret.zip -f secret.zip --auth-mode login

Key Vault —

az keyvault list -o table
az keyvault secret list --vault-name VAULT
az keyvault secret show --vault-name VAULT -n db-password --query value -o tsv

Entra ID / users (requires directory permissions) —

az ad user list -o table
az ad user show --id user@tenant.onmicrosoft.com
az ad sp list --display-name "app" -o table
az rest --method GET --url "https://graph.microsoft.com/v1.0/me"

From inside VM

curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
export AZURE_ACCESS_TOKEN=...
az account get-access-token

Flags reference

-o table / json / tsv

Output format

--query JMESPath

Filter fields

--subscription ID

Per-command subscription

--only-show-errors

Suppress warnings

az configure

Defaults (no telemetry, etc.)

az extension add --name NAME

Extra command groups

Tips

  • ROADtools / AzureHound complement az for BloodHound-style paths.
  • Many reads need specific RBAC — note AuthorizationFailed vs empty results.
  • az login opens browser — use SP or device code for headless: az login --use-device-code.
  • Graph API often needs separate token: az account get-access-token --resource-type ms-graph.

References

Related cheat sheets