Welcome to the PowerShell Reference Guide. This guide provides a reference to the key PowerShell commands that Azure administrators need day to day and that are required to pass the Microsoft Azure Administrator certification exam, AZ-104.
🔧 Technologies & Tools
Cheatsheet with the most common Microsoft Azure PowerShell commands with examples.
Each section covers one specific set of resources you can manage with the Azure PowerShell module. In each section you will find the following information:
- Title: The resources set name that you can manage with the Azure PowerShell Module
- Command: Remember this one. It's the basic thing to start with. For instance, Get-AzResourceGroup is all about managing resource groups.
- Basic actions: Basic actions you can perform with the command. Tip: mentally join the command and the basic action and you will be halfway to using the Az module to manage the resource.
- Examples: A set of examples using that command and the basic actions. First, what you want to do is described in plain language, and the line after it is the command that performs the action. Try to link the way of thinking to the sequence of the command and you will never forget a command again.
Note: The examples assume that all actions are performed against your subscription account.
Check out the Microsoft Azure PowerShell Overview, which has a number of tutorials and guides for learning the basics. This guide is made up of several PowerShell commands which have been referenced from the Microsoft documentation and other sources. Before running any of these commands in production, please be sure to test them out in an Azure test account. Some commands are destructive in nature (e.g. removing resource groups, tags etc.) and you need to make sure you fully understand the commands that you execute.
The guide is divided up into the following sections:
- Downloading PowerShell and Installing Azure AZ Modules for PowerShell
- Accounts and Subscriptions
- Resource Groups
- Governance
- Storage
- Virtual Machines
- Networking
- Azure Active Directory
**Accounts and Subscriptions**
Login-AzAccount
Logout-AzAccount
Subscription Selection
Get-AzSubscription
Get-AzSubscription -TenantId "xxxx-xxxx-xxxxxxxx"
Select-AzSubscription -SubscriptionId "SubscriptionID"
Resource Groups
Get all resource groups (Gets the resource group and additional details which can also be stored for use by additional commands).
Get-AzResourceGroup
Get-AzResourceGroup -Name "myResourceGroup"
Get-AzResourceGroup | Where ResourceGroupName -like "Production*"
Get-AzResourceGroup | Sort Location,ResourceGroupName | Format-Table -GroupBy Location ResourceGroupName,ProvisioningState,Tags
Get-AzResource -ResourceGroupName "myResourceGroup"
Note: The difference between this command and the one above is that this one does not look for a specific resource group, but rather for all resources with a name containing the text specified.
Get-AzResource -ResourceType "microsoft.web/sites" -ResourceGroupName "myResourceGroup"
Resource Group Provisioning & Management
### Create a new Resource Group
New-AzResourceGroup -Name 'myResourceGroup' -Location 'westeurope' #Creates a new resource group in West Europe called "myResourceGroup"
Remove-AzResourceGroup -Name "ResourceGroupToDelete"
Moving Resources from One Resource Group to Another
$Resource = Get-AzResource -ResourceType "Microsoft.ClassicCompute/storageAccounts" -ResourceName "myStorageAccount" #Retrieves a storage account called "myStorageAccount"
Move-AzResource -ResourceId $Resource.ResourceId -DestinationResourceGroupName "NewResourceGroup" #Moves the resource from Step 1 into the destination resource group "NewResourceGroup"
Resource Group Tags
(Get-AzResourceGroup -Name "myResourceGroup").Tags
(Get-AzResourceGroup -Tag @{Owner="DesiredOwner"}).Name
(Get-AzResource -TagName Dept -TagValue Finance).Name
Adding Tags
### Add Tags to an existing resource group that has no tags
Set-AzResourceGroup -Name examplegroup -Tag @{Dept="IT"; Environment="Production" }
### Add Tags to an existing resource group that has tags
- Get Tags
- Append
- Update/Apply Tags
$tags = (Get-AzResourceGroup -Name examplegroup).Tags
$tags += @{Status="Approved"}
Set-AzResourceGroup -Tag $tags -Name examplegroup
$r = Get-AzResource -ResourceName examplevnet -ResourceGroupName examplegroup
Set-AzResource -Tag @{ Dept="IT"; Environment="Production" } -ResourceId $r.ResourceId -Force
Apply all tags from an existing resource group to the resources beneath. (Note: this overrides all existing tags on the resources inside the RG)
$groups = Get-AzResourceGroup
foreach ($g in $groups)
{
    #Get-AzResource -ResourceGroupName replaces Find-AzResource, which does not exist in the Az module
    Get-AzResource -ResourceGroupName $g.ResourceGroupName |
        ForEach-Object { Set-AzResource -ResourceId $_.ResourceId -Tag $g.Tags -Force }
}
Apply all tags from a resource group to its resources, but retain tags on resources that are not duplicates
$groups = Get-AzResourceGroup
foreach ($g in $groups)
{
    if ($null -ne $g.Tags) {
        #Get-AzResource -ResourceGroupName replaces Find-AzResource, which does not exist in the Az module
        $resources = Get-AzResource -ResourceGroupName $g.ResourceGroupName
        foreach ($r in $resources)
        {
            $resourcetags = (Get-AzResource -ResourceId $r.ResourceId).Tags
            if ($null -eq $resourcetags) { $resourcetags = @{} } #Resource has no tags yet
            foreach ($key in $g.Tags.Keys)
            {
                #Where the key exists on both, the resource group's value replaces the resource's value
                $resourcetags[$key] = $g.Tags[$key]
            }
            Set-AzResource -Tag $resourcetags -ResourceId $r.ResourceId -Force
        }
    }
}
Remove all tags
Set-AzResourceGroup -Tag @{} -Name exampleresourcegroup
Governance
**Azure Policies: View Policies and Assignments**
Get-AzPolicyDefinition
$rg = Get-AzResourceGroup -Name "ExampleGroup"
Get-AzPolicyAssignment -Name accessTierAssignment -Scope $rg.ResourceId
Create Policies
$definition = New-AzPolicyDefinition `
-Name denyRegions `
-DisplayName "Deny specific regions" `
-Policy 'https://githublocation.com/azurepolicy.rules.json'
You can also use a local file as follows:
$definition = New-AzPolicyDefinition `
-Name denyCoolTiering `
-Description "Deny cool access tiering for storage" `
-Policy "c:\policies\coolAccessTier.json"
Assign Policies
$rg = Get-AzResourceGroup -Name "ExampleGroup"
New-AzPolicyAssignment -Name denyRegions -Scope $rg.ResourceId -PolicyDefinition $definition
Resource Locks
New-AzResourceLock -LockLevel ReadOnly -LockNotes "Notes about the lock" -LockName "ReadOnlyLock" -ResourceName "Websites-PROD" -ResourceType "microsoft.web/sites" -ResourceGroupName "RGWebSite" #Creates a new ReadOnly resource lock on a web site resource.
Get-AzResourceLock -LockName "ReadOnlyLock" -ResourceName "Websites-PROD" -ResourceType "microsoft.web/sites" -ResourceGroupName "RGWebSite"
Storage
## Retrieving Storage Accounts
Get-AzStorageAccount
Create storage account
New-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "storage1" -Location "westeurope" -SkuName "Standard_LRS"
- Standard_LRS. Locally-redundant storage.
- Standard_ZRS. Zone-redundant storage.
- Standard_GRS. Geo-redundant storage.
- Standard_RAGRS. Read access geo-redundant storage.
- Premium_LRS. Premium locally-redundant storage.
Kind: The kind parameter will allow you to specify the type of Storage Account.
- Storage - General purpose Storage account that supports storage of Blobs, Tables, Queues, Files and Disks.
- StorageV2 - General Purpose Version 2 (GPv2) Storage account that supports Blobs, Tables, Queues, Files, and Disks, with advanced features like data tiering.
- BlobStorage - Blob Storage account which supports storage of Blobs only.
The default value is Storage.
Access Tier: If you specify BlobStorage as the "Kind" then you must also include an access tier:
- Hot
- Cold
New-AzRmStorageContainer -ResourceGroupName "storage" -AccountName "storageaccount1" -ContainerName "container" #In the Az module the resource-manager container cmdlets are named *-AzRmStorageContainer; container names must be lowercase
- Get the storage account and store it as a variable
$storageaccount = Get-AzStorageAccount -ResourceGroupName "storage" -AccountName "storageaccount1"
- Make sure you have the right one
$storageaccount #This will show you the storage account object you stored in the variable $storageaccount
- Create the container in the storage account object
New-AzRmStorageContainer -StorageAccount $storageaccount -ContainerName "container"
Remove Accounts and Containers
Remove-AzStorageAccount -ResourceGroupName "storage" -AccountName "storageaccount1"
Remove-AzRmStorageContainer -ResourceGroupName "storage" -AccountName "storageaccount1" -ContainerName "container"
Remove-AzRmStorageContainer -StorageAccount $storageaccount -ContainerName "container"
Note: Make sure to store the storage account as a variable first using
$storageaccount = Get-AzStorageAccount -ResourceGroupName "storage" -AccountName "storageaccount1"
Deploy and Manage Virtual Machines
Get information about VMs
Get-AzVM
Get-AzVM -ResourceGroupName $ResourceGroup
Get-AzVM -ResourceGroupName "resourcegroup" -Name "myVM"
Create a simple VM
New-AzVM -Name "vmname" #Typing in this simple command will create a VM and populate names for all the associated objects based on the VM name specified.
Use the following tasks to create a new VM configuration before creating your Virtual Machine based on that config.
$vmconfig = New-AzVMConfig -VMName "systemname" -VMSize "Standard_D1_v2"
$vmconfig = Set-AzVMOperatingSystem -VM $vmconfig -Windows -ComputerName "systemname" -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vmconfig = Add-AzVMNetworkInterface -VM $vmconfig -Id $nic.Id
$vmconfig = Set-AzVMSourceImage -VM $vmconfig -PublisherName "publisher_name" -Offer "publisher_offer" -Skus "product_sku" -Version "latest"
New-AzVM -ResourceGroupName "resourcegroup" -Location "westeurope" -VM $vmconfig
All resources are created in the resource group. Before you run this command, run New-AzVMConfig, Set-AzVMOperatingSystem, Set-AzVMSourceImage, Add-AzVMNetworkInterface, and Set-AzVMOSDisk.
VM Operations
Start-AzVM -ResourceGroupName "resourcegroup" -Name "vmname"
Stop-AzVM -ResourceGroupName "resourcegroup" -Name "vmname"
Restart-AzVM -ResourceGroupName "resourcegroup" -Name "vmname"
Remove-AzVM -ResourceGroupName "resourcegroup" -Name "vmname"
Networking
Get/List Networking
Get-AzVirtualNetwork -ResourceGroupName "resourcegroup" #Lists all the virtual networks in the resource group.
Get-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "resourcegroup"
Get-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "resourcegroup" | Select Subnets
Get-AzVirtualNetworkSubnetConfig -Name "mySubnet1" -VirtualNetwork $vnet #Gets information about the subnet in the specified virtual network. The $vnet value represents the object returned by Get-AzVirtualNetwork you used previously.
Get-AzPublicIpAddress -ResourceGroupName "resourcegroup"
Get-AzLoadBalancer -ResourceGroupName "resourcegroup"
Get-AzNetworkInterface -ResourceGroupName "resourcegroup"
Get-AzNetworkInterface -Name "NIC1" -ResourceGroupName "resourcegroup"
Get-AzNetworkInterfaceIPConfig -Name "NIC1" -NetworkInterface $nic #Gets information about the IP configuration of the specified network interface. The $nic value represents the object returned by Get-AzNetworkInterface.
Get-AzExpressRouteCircuit -ResourceGroupName "Test-Resource" -Name "Test-Circuit"
Resize-AzVirtualNetworkGateway
Create Network Resources
$subnet1 = New-AzVirtualNetworkSubnetConfig -Name "Subnet1" -AddressPrefix XX.X.X.X/XX
$subnet2 = New-AzVirtualNetworkSubnetConfig -Name "Subnet2" -AddressPrefix XX.X.X.X/XX
$vnet = New-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "resourcegroup" -Location $location -AddressPrefix XX.X.X.X/XX -Subnet $subnet1,$subnet2
#Note: Make sure to create the subnets first as per the previous command above.
Test-AzDnsAvailability -DomainNameLabel "myDNS" -Location $location
You can specify a DNS domain name for a public IP resource, which creates a mapping for domainname.location.cloudapp.azure.com to the public IP address in the Azure-managed DNS servers. The name can contain only letters, numbers, and hyphens. The first and last character must be a letter or number and the domain name must be unique within its Azure location. If True is returned, your proposed name is globally unique.
$pip = New-AzPublicIpAddress -Name "myPublicIp" -ResourceGroupName "resourcegroup" -DomainNameLabel "myDNS" -Location $location -AllocationMethod Dynamic #The public IP address uses the domain name that you previously tested and is used by the frontend configuration of the load balancer.
$frontendIP = New-AzLoadBalancerFrontendIpConfig -Name "myFrontendIP" -PublicIpAddress $pip #The frontend configuration includes the public IP address that you previously created for incoming network traffic.
$beAddressPool = New-AzLoadBalancerBackendAddressPoolConfig -Name "myBackendAddressPool" #Provides internal addresses for the backend of the load balancer that are accessed through a network interface.
$healthProbe = New-AzLoadBalancerProbeConfig -Name "myProbe" -RequestPath 'HealthProbe.aspx' -Protocol http -Port 80 -IntervalInSeconds 15 -ProbeCount 2
$lbRule = New-AzLoadBalancerRuleConfig -Name HTTP -FrontendIpConfiguration $frontendIP -BackendAddressPool $beAddressPool -Probe $healthProbe -Protocol Tcp -FrontendPort 80 -BackendPort 80
#Contains rules that assign a public port on the load balancer to a port in the backend address pool
$inboundNATRule = New-AzLoadBalancerInboundNatRuleConfig -Name "myInboundRule1" -FrontendIpConfiguration $frontendIP -Protocol TCP -FrontendPort 3441 -BackendPort 3389
#Contains rules mapping a public port on the load balancer to a port for a specific virtual machine in the backend address pool
$loadBalancer = New-AzLoadBalancer -ResourceGroupName "resourcegroup" -Name "myLoadBalancer" -Location $location -FrontendIpConfiguration $frontendIP -InboundNatRule $inboundNATRule -LoadBalancingRule $lbRule -BackendAddressPool $beAddressPool -Probe $healthProbe
$nic1 = New-AzNetworkInterface -ResourceGroupName "resourcegroup" -Name "myNIC" -Location $location -PrivateIpAddress XX.X.X.X -Subnet $subnet2 -LoadBalancerBackendAddressPool $loadBalancer.BackendAddressPools[0] -LoadBalancerInboundNatRule $loadBalancer.InboundNatRules[0]
#Create a network interface using the public IP address and virtual network subnet that you previously created
Remove network resources
Remove-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "resourcegroup" #Removes the specified virtual network from the resource group
Remove-AzNetworkInterface -Name "myNIC" -ResourceGroupName "resourcegroup" #Removes the specified network interface from the resource group
Remove-AzLoadBalancer -Name "myLoadBalancer" -ResourceGroupName "resourcegroup" #Removes the specified load balancer from the resource group
Remove-AzPublicIpAddress -Name "myIPAddress" -ResourceGroupName "resourcegroup" #Removes the specified public IP address from the resource group.
When an operation on an ExpressRoute circuit doesn't complete successfully, the circuit might go into a "failed" state. You can reset a failed ExpressRoute circuit using Azure PowerShell. You will need the latest version of the Azure Resource Manager PowerShell cmdlets.
$ckt = Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup"
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
To troubleshoot latency issues with ExpressRoute, the Azure Connectivity Toolkit includes a tool called iPerf.
You use iPerf for basic performance tests, by copying the files to a directory on the host. To test performance, follow these steps:
- Install the PowerShell Module.
(new-object Net.WebClient).DownloadString("https://aka.ms/AzureCT") | Invoke-Expression
This command downloads the PowerShell module and installs it locally.
- Install the supporting applications.
Install-LinkPerformance
This AzureCT command installs iPerf and PSPing in a new directory, "C:\ACTTools". It also opens the Windows Firewall ports to allow ICMP and port 5201 (iPerf) traffic.
- Run the performance test. First, on the remote host, you must install and run iPerf in server mode. Ensure the remote host is listening on either 3389 (RDP for Windows) or 22 (SSH for Linux) and allowing traffic on port 5201 for iPerf. If the remote host is Windows, install the AzureCT and run the Install-LinkPerformance command. The command will set up iPerf and the necessary firewall rules.
When the remote machine is ready, open PowerShell on the local machine and start the test:
Get-LinkPerformance -RemoteHost IP -TestSeconds 10
This command runs a series of concurrent load and latency tests to help estimate the bandwidth capacity and latency of your network link.
- Review the output of the tests.
The detailed results of iPerf tests are in individual text files in the AzureCT tools directory at "C:\ACTTools."
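Step 1 above pipes a downloaded script straight into Invoke-Expression, so whatever the URL serves at that moment runs without review. The following added example (not part of the original guide or of AzureCT) saves the script to disk, reports its hash and Authenticode status, and runs it only if the hash matches a copy you have already read; the function name Test-PinnedScript, the file path and the pinned hash are assumptions and placeholders.

```powershell
# Added example: review-then-run instead of download-and-execute.
# Test-PinnedScript, the file name and the pinned hash are illustrative, not AzureCT's own.
function Test-PinnedScript {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        Sha256          = $actual
        HashMatches     = ($actual -eq $ExpectedSha256)    # string -eq is case-insensitive
        SignatureStatus = $sig.Status                      # e.g. Valid, NotSigned, HashMismatch
        Signer          = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    }
}

$scriptPath = Join-Path $env:TEMP 'AzureCT-install.ps1'
# Placeholder: replace with the SHA-256 of the copy you have read and approved.
$pinnedHash = '<SHA256-OF-REVIEWED-SCRIPT>'

# 1. Download to disk only; nothing is executed at this point.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://aka.ms/AzureCT' -OutFile $scriptPath -UseBasicParsing

# 2. Inspect the result (and open the file in an editor the first time).
$check = Test-PinnedScript -Path $scriptPath -ExpectedSha256 $pinnedHash
$check | Format-List

# 3. Execute only bytes that match the reviewed copy.
if ($check.HashMatches) {
    # Same effect as the one-liner in step 1, but on the file that was just verified.
    Invoke-Expression (Get-Content -Path $scriptPath -Raw)
} else {
    Write-Warning "Hash differs from the reviewed copy; read $scriptPath before running it."
}
```

On the first run the hash will not match the placeholder, which is the intended prompt to read the script and record its hash.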
Azure Active Directory Commands
Install Azure AD Module
In order to use the Azure AD commands, you first need to install the Azure AD module. Use the following procedure to get it installed:
- Open PowerShell
- Type "Install-Module AzureAD"
- Press Y to accept the untrusted repository (PSGallery)
Connect to Azure AD
Connect-AzureAD #Note: You will be prompted to enter your credentials and any additional authentication steps required.
Disconnect-AzureAD
User and service principal management
Get-AzureADUser
Get-AzureADUser -ObjectId "user@contoso.com"
Remove-AzureADUser -ObjectId "user@contoso.com"
This is a 3-step process that requires first creating a password profile, setting the password, and then passing these into the New-AzureADUser command
- Create Password Profile
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
- Set Password
$PasswordProfile.Password = "Password"
- Create User
New-AzureADUser -DisplayName "New User" -PasswordProfile $PasswordProfile -UserPrincipalName "user@contoso.com" -AccountEnabled $true -MailNickName "Newuser"
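The three steps above with a randomly generated one-time password in place of a literal string, as an added example that is not part of the original guide. Get-RandomIndex and New-RandomPassword are illustrative helpers written here, not AzureAD cmdlets; ForceChangePasswordNextLogin is a property of the same PasswordProfile object used above.

```powershell
# Added example: random initial password that must be changed at first sign-in.
function Get-RandomIndex {
    # Uniform integer in [0, $Max) for $Max <= 256; rejection sampling avoids modulo bias.
    param([ValidateRange(1, 256)] [int] $Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $b     = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
    $rng.Dispose()
    return $b[0] % $Max
}

function New-RandomPassword {
    param([ValidateRange(12, 128)] [int] $Length = 20)
    # Look-alike characters (l/1, O/0) are left out to reduce transcription errors.
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%*+-=?@_'
    $all     = -join $classes
    # One character from each class, the rest from the full set.
    $chars = @(foreach ($c in $classes) { $c[(Get-RandomIndex $c.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    # Fisher-Yates shuffle so the guaranteed characters are not always in front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = New-RandomPassword -Length 20
$PasswordProfile.ForceChangePasswordNextLogin = $true   # initial password works once only

New-AzureADUser -DisplayName "New User" -PasswordProfile $PasswordProfile `
    -UserPrincipalName "user@contoso.com" -AccountEnabled $true -MailNickName "Newuser"

# Hand $PasswordProfile.Password to the user over a separate channel, then clear it.
```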
First you need to create your application registration in Azure AD, then you retrieve it with this command.
Get-AzADApplication -DisplayNameStartWith slappregistration
Once you have the application ID for the App registration, you can use it to create the SPN (Service Principal)
New-AzADServicePrincipal -ApplicationId 11111111-1111-1111-1111-111111111111 -Password $securePassword
This will be scoped to the resource group name you type in, with the role definition assigned to the SPN, i.e. the SPN is allowed to do X at the RG named Y.
New-AzRoleAssignment -ResourceGroupName "resourcegroup" -ObjectId 11111111-1111-1111-1111-111111111111 -RoleDefinitionName Reader
Get-AzRoleAssignment -ResourceGroupName "resourcegroup" -ObjectId 11111111-1111-1111-1111-111111111111
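A check to run on the output of the last command, as an added example that is not part of the original guide: it flags assignments that reach the resource group from a broader scope or that carry a privileged role, either of which means the SPN can do more than "X at the RG named Y". Find-BroadRoleAssignment, the default role list and the sample objects are assumptions constructed for illustration; the sample objects use the Scope, RoleDefinitionName and ObjectId properties that Get-AzRoleAssignment returns.

```powershell
# Added example: review what a principal can actually do at a resource group.
function Find-BroadRoleAssignment {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Assignment,  # shaped like Get-AzRoleAssignment output
        [Parameter(Mandatory)] [string] $ResourceGroupScope,    # /subscriptions/<id>/resourceGroups/<name>
        [string[]] $PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')
    )
    process {
        $reasons = @()
        # Assignments effective at a resource group include ones made at the subscription or above.
        if (-not $Assignment.Scope.StartsWith($ResourceGroupScope, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "inherited from broader scope $($Assignment.Scope)"
        }
        if ($PrivilegedRoles -contains $Assignment.RoleDefinitionName) {
            $reasons += "privileged role $($Assignment.RoleDefinitionName)"
        }
        if ($reasons) {
            [pscustomobject]@{
                ObjectId = $Assignment.ObjectId
                Role     = $Assignment.RoleDefinitionName
                Scope    = $Assignment.Scope
                Reason   = $reasons -join '; '
            }
        }
    }
}

# Constructed sample data (placeholder subscription and object IDs).
$sub     = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rgScope = "$sub/resourceGroups/resourcegroup"
$spn     = '11111111-1111-1111-1111-111111111111'
$sample  = @(
    [pscustomobject]@{ ObjectId = $spn; RoleDefinitionName = 'Reader';      Scope = $rgScope }
    [pscustomobject]@{ ObjectId = $spn; RoleDefinitionName = 'Contributor'; Scope = $sub }
)
# Only the second entry is reported: Contributor, assigned at subscription scope.
$sample | Find-BroadRoleAssignment -ResourceGroupScope $rgScope

# Against a live subscription:
# $rg = Get-AzResourceGroup -Name "resourcegroup"
# Get-AzRoleAssignment -ResourceGroupName $rg.ResourceGroupName -ObjectId $spn |
#     Find-BroadRoleAssignment -ResourceGroupScope $rg.ResourceId
```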