Azure CLI
The Azure CLI is a cross-platform command-line tool for managing Azure resources. This guide covers 2025 best practices, installation on Linux/WSL/NixOS, real-life DevOps scenarios, LLM integration, a
2025 Best Practices
Always use the latest Azure CLI version (az upgrade)
Use service principals or managed identities for automation, not personal accounts
Store secrets in Azure Key Vault, not in scripts or environment variables
Use --output json for scripting and automation
Leverage az account set and named profiles for multi-tenant/multi-subscription work
Use .envrc and direnv for environment isolation
Automate with LLMs (GitHub Copilot, Claude) for repeatable workflows
Enable CLI telemetry only if required for troubleshooting
Installation
Linux (Ubuntu/Debian/Fedora/Arch)
# Ubuntu/Debian
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Fedora
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo dnf install -y https://packages.microsoft.com/config/rhel/9.0/packages-microsoft-prod.rpm
sudo dnf install azure-cli
# Arch Linux
yay -S azure-cli
NixOS
Add to your configuration.nix:
{ pkgs, ... }:
{
  environment.systemPackages = with pkgs; [ azure-cli ];
}
Then rebuild:
sudo nixos-rebuild switch
Windows Subsystem for Linux (WSL)
Follow the Linux instructions inside your WSL terminal. For persistent PATH, add to ~/.bashrc or ~/.zshrc:
export PATH=$PATH:/usr/local/bin
Docker/Podman
docker run -it mcr.microsoft.com/azure-cli
# Or with SSH keys:
docker run -it -v ${HOME}/.ssh:/root/.ssh mcr.microsoft.com/azure-cli
Windows
winget install -e --id Microsoft.AzureCLI
Authentication & Profile Management
Login
az login # Interactive browser login
az login --use-device-code # For headless/remote
az login --service-principal -u <appId> -p <password|cert> --tenant <tenant>
List and Set Subscriptions
az account list --output table
az account set --subscription <subscription-id>
Named Profiles (2025+)
az account set --subscription <sub-id> --name dev
az account set --subscription <sub-id> --name prod
# Switch profiles
az account set --name dev
Using .envrc and direnv for Environment Isolation
Create a .envrc in your project directory:
export AZURE_SUBSCRIPTION_ID="<sub-id>"
export AZURE_TENANT_ID="<tenant-id>"
export AZURE_DEFAULTS_GROUP="my-rg"
export AZURE_DEFAULTS_LOCATION="westeurope"
az account set --subscription "$AZURE_SUBSCRIPTION_ID"
Enable direnv:
direnv allow
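A .envrc is both a script and a source of environment variables, so the best practice of keeping secrets in Key Vault applies to it directly. The check below is an added example, not part of the original guide: a POSIX shell function that flags exports holding literal credentials while allowing placeholders and values fetched at load time. The function names, the name and value patterns, and the sample file are assumptions of this example.

```shell
# Added example: lint a direnv .envrc for literal credentials.
# The name and value patterns below are assumptions of this example.

# lint_envrc FILE: print "FILE:LINE: NAME ..." for each suspicious export
# and return 1 if anything was found. Secret values are never printed.
lint_envrc() (
  lineno=0 findings=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    # Keep only `export NAME=value` lines, reduced to NAME=value.
    kv=$(printf '%s\n' "$line" |
      sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*=.*\)$/\1/p')
    [ -n "$kv" ] || continue
    name=${kv%%=*} value=${kv#*=}
    # Strip one layer of surrounding quotes.
    case $value in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    # Skip empty values, <placeholders>, and values resolved when direnv
    # loads the file ($VAR or $(command), such as a Key Vault lookup).
    case $value in ''|'<'*'>'|'$'*) continue ;; esac
    hit=0
    case $name in
      *PASSWORD|*SECRET|*TOKEN|*ACCESS_KEY) hit=1 ;;  # e.g. AZURE_CLIENT_SECRET
    esac
    case $value in *AccountKey=*) hit=1 ;; esac       # storage connection string
    if [ "$hit" -eq 1 ]; then
      printf '%s:%s: %s is a literal credential\n' "$1" "$lineno" "$name"
      findings=$((findings + 1))
    fi
  done < "$1"
  [ "$findings" -eq 0 ]
)

# Constructed sample input; every value is fake.
write_sample_envrc() {
  cat > "$1" <<'EOF'
export AZURE_SUBSCRIPTION_ID="<sub-id>"
export AZURE_DEFAULTS_GROUP="my-rg"
export AZURE_CLIENT_SECRET="constructed-not-a-real-secret"
export STORAGE_CONN="DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=Q09OU1RSVUNURUQ="
export DB_PASSWORD="$(az keyvault secret show --vault-name myvault --name mysecret --query value -o tsv)"
EOF
}
# Demo: lint the constructed sample (reports lines 3 and 4).
demo=$(mktemp) && write_sample_envrc "$demo"
lint_envrc "$demo" || echo "move the flagged values to Key Vault"
rm -f "$demo"
```

Run `lint_envrc .envrc` before `direnv allow` or as a pre-commit step; a non-zero exit status means at least one export needs to move to Key Vault.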
Real-Life Scenarios
1. Provision a VM with Terraform and az CLI
# main.tf
provider "azurerm" {
  features {}
}
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.location
}

az login
terraform init && terraform apply
2. Automate AKS Authentication and kubectl Context
az aks get-credentials --resource-group my-rg --name my-aks --overwrite-existing
kubectl get nodes
3. Use az CLI with GitHub Copilot or Claude
Use Copilot/Claude to generate az CLI scripts for resource automation:
# Example prompt to Copilot/Claude:
# "Generate a script to create a storage account and upload a file using az CLI."
Review, test, and version-control generated scripts.
4. Multi-Cloud/Hybrid Automation
Use az CLI in GitHub Actions, Azure Pipelines, or GitLab CI/CD for IaC and deployment.
Example GitHub Actions step:
- name: Azure Login
  uses: azure/login@v2
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Deploy Bicep
  run: az deployment group create -g my-rg -f main.bicep
Authenticating Against AKS and Other Services
AKS
az aks get-credentials --resource-group my-rg --name my-aks
kubectl get pods
Azure Container Registry (ACR)
az acr login --name myregistry
Azure Key Vault
az keyvault secret show --vault-name myvault --name mysecret