Azure CLI

The Azure CLI is a cross-platform command-line tool for managing Azure resources. This guide covers 2025 best practices, installation on Linux/WSL/NixOS, real-life DevOps scenarios, LLM integration, a

2025 Best Practices

Always use the latest Azure CLI version (az upgrade)
Use service principals or managed identities for automation, not personal accounts
Store secrets in Azure Key Vault, not in scripts or environment variables
Use --output json for scripting and automation
Leverage az account set and named profiles for multi-tenant/multi-subscription work
Use .envrc and direnv for environment isolation
Automate with LLMs (GitHub Copilot, Claude) for repeatable workflows
Enable CLI telemetry only if required for troubleshooting

Installation

Linux (Ubuntu/Debian/Fedora/Arch)

# Ubuntu/Debian
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# Fedora
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo dnf install -y https://packages.microsoft.com/config/rhel/9.0/packages-microsoft-prod.rpm
sudo dnf install azure-cli

# Arch Linux
yay -S azure-cli

NixOS

Add to your configuration.nix:

{ pkgs, ... }:
{
  environment.systemPackages = with pkgs; [ azure-cli ];
}

Then rebuild:

sudo nixos-rebuild switch

Windows Subsystem for Linux (WSL)

Follow the Linux instructions inside your WSL terminal. For persistent PATH, add to ~/.bashrc or ~/.zshrc:

export PATH=$PATH:/usr/local/bin

Docker/Podman

docker run -it mcr.microsoft.com/azure-cli
# Or with SSH keys:
docker run -it -v ${HOME}/.ssh:/root/.ssh mcr.microsoft.com/azure-cli

Windows

winget install -e --id Microsoft.AzureCLI

Authentication & Profile Management

az login                # Interactive browser login
az login --use-device-code   # For headless/remote
az login --service-principal -u <appId> -p <password|cert> --tenant <tenant>

List and Set Subscriptions

az account list --output table
az account set --subscription <subscription-id>

Named Profiles (2025+)

az account set --subscription <sub-id> --name dev
az account set --subscription <sub-id> --name prod
# Switch profiles
ez az account set --name dev

Using .envrc and direnv for Environment Isolation

Create a .envrc in your project directory:

export AZURE_SUBSCRIPTION_ID="<sub-id>"
export AZURE_TENANT_ID="<tenant-id>"
export AZURE_DEFAULTS_GROUP="my-rg"
export AZURE_DEFAULTS_LOCATION="westeurope"
az account set --subscription $AZURE_SUBSCRIPTION_ID

Enable direnv:

direnv allow

Real-Life Scenarios

1. Provision a VM with Terraform and az CLI

# main.tf
provider "azurerm" {
  features {}
}
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.location
}

az login
terraform init && terraform apply

2. Automate AKS Authentication and kubectl Context

az aks get-credentials --resource-group my-rg --name my-aks --overwrite-existing
kubectl get nodes

3. Use az CLI with GitHub Copilot or Claude

Use Copilot/Claude to generate az CLI scripts for resource automation:

# Example prompt to Copilot/Claude:
# "Generate a script to create a storage account and upload a file using az CLI."

Review, test, and version-control generated scripts.

4. Multi-Cloud/Hybrid Automation

Use az CLI in GitHub Actions, Azure Pipelines, or GitLab CI/CD for IaC and deployment.
Example GitHub Actions step:

- name: Azure Login
  uses: azure/login@v2
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Deploy Bicep
  run: az deployment group create -g my-rg -f main.bicep

Authenticating Against AKS and Other Services

AKS

az aks get-credentials --resource-group my-rg --name my-aks
kubectl get pods

Azure Container Registry (ACR)

az acr login --name myregistry

Azure Key Vault

az keyvault secret show --vault-name myvault --name mysecret

Useful Resources

PreviousAzure PowerShell NextTips & Tricks

Last updated 6 months ago