Azure CLI Notes

Khaled Hikmat

Software Engineer

This is just a note about Azure CLI login options.

Option 1:

Log in interactively via a browser:

az login

Option 2:

The better way to log in from scripts is with an Azure service principal: it needs no browser, and it can be given a narrow, scoped role instead of a user's full rights. So I registered an application in Azure Active Directory, i.e. AzureCliScriptApp, and assigned a service principal. I will use this service principal to log in.

Create a service principal:

Make sure you are in the same tenant that you want to authenticate against. If not, use 'az account set --subscription "your-subs"' to select a subscription in that tenant; the CLI's active tenant follows the active subscription.

To display the Azure AD app registrations with that display name:

az ad app list --display-name AzureCliScriptApp

The above yields the app id, a GUID that looks like this: e68ab97f-cff2-4b50-83d5-eec9fe266ccc

az ad sp create-for-rbac --name e68ab97f-cff2-4b50-83d5-eec9fe266ccc --password s0me_passw0rd

{
  "appId": "some-app-id-you-will-use-to-sign-in",
  "displayName": "e68ab97f-cff2-4b50-83d5-eec9fe266ccc",
  "name": "http://e68ab97f-cff2-4b50-83d5-eec9fe266ccc",
  "password": "s0me_passw0rd",
  "tenant": "your-tenant-id"
}

Two caveats before copying this. First, --name is taken as the display name of a new application, which is why displayName in the output is the GUID while appId is a different value: this command does not attach a service principal to the AzureCliScriptApp registration listed above. To create a service principal for an existing registration, use az ad sp create --id <appId> instead. Second, a secret passed with --password lands in shell history, and newer CLI versions no longer accept the flag and always generate the secret for you. Also pass --role and --scopes, because depending on the CLI version the default is either Contributor on the whole subscription or no role at all; scope the assignment to the resource group the script actually needs.

To log in with the service principal:

az login --service-principal -u some-app-id-you-will-use-to-sign-in -p s0me_passw0rd --tenant your-tenant-id

The -p value is the secret, so in scripts read it from an environment variable or a secret store rather than typing it on the command line. -p also accepts the path to a PEM certificate if you prefer certificate-based sign-in over a password.

Useful Commands:

List all subscriptions

az account list --output table

Set the default account

az account set --subscription "Mosaic"

List the Clouds

az cloud list --output table
az cloud show --name AzureCloud --output json


if you are using the Azure CLI to provision a Kubernetes cluster, you should use this command if you used the service principal to login

az aks create --resource-group $rgName --name $k8sClusterName --service-principal $spAppId --client-secret $spPassword --node-count $k8sNodesCount --generate-ssh-keys

Where:
- $rgName is the PowerShell variable that holds the resource group name
- $k8sClusterName is the PowerShell variable that holds the k8s cluster name
- $spAppId is the PowerShell variable that holds the service principal app id
- $spPassword is the PowerShell variable that holds the service principal password
- $k8sNodesCount is the PowerShell variable that holds the k8s cluster desired node count
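The service-principal creation and login from the section above, and the AKS command that reuses the principal, as one scripted flow. This is an added example and not code from the original post. It assumes the az CLI is installed, that you are already logged in (az login) as a user allowed to create app registrations and role assignments, and that the resource group already exists; the resource group, app, cluster names and node count are placeholders.

```powershell
# Added example, not code from the original post. Assumes: az CLI installed, an existing
# interactive login with rights to create app registrations and role assignments, and an
# existing resource group. Every name below is a placeholder.
$ErrorActionPreference = "Stop"
$subscriptionId = az account show --query id --output tsv
$rgName         = "my-rg"               # placeholder
$spName         = "AzureCliScriptApp"   # placeholder
$k8sClusterName = "my-aks"              # placeholder
$k8sNodesCount  = 2

# Let the CLI generate the secret rather than passing --password: anything typed on the
# command line ends up in shell history and process listings. Scope the role assignment
# to the one resource group the script needs instead of the whole subscription.
$spJson = az ad sp create-for-rbac --name $spName `
            --role Contributor `
            --scopes "/subscriptions/$subscriptionId/resourceGroups/$rgName" `
            --output json
$sp = $spJson | ConvertFrom-Json
if (-not $sp.appId -or -not $sp.password) { throw "service principal creation failed" }

# Keep the secret in one place that is never echoed or logged; it is cleared at the end.
$env:AZURE_CLIENT_SECRET = $sp.password
$spAppId  = $sp.appId
$tenantId = $sp.tenant

# Log in as the new principal. Role assignments can take a minute to propagate; if the
# next commands fail with AuthorizationFailed, wait and retry rather than widening the role.
az login --service-principal --username $spAppId --password $env:AZURE_CLIENT_SECRET --tenant $tenantId --output none
az account set --subscription $subscriptionId

# Show exactly what this identity can do before it creates anything.
az role assignment list --assignee $spAppId --all --output table

# AKS creation reusing the same principal as the cluster identity. The cluster keeps this
# credential, so reusing the operator's SP hands the cluster every right the operator has;
# a dedicated, narrower SP for the cluster is the better split in anything beyond a lab.
az aks create --resource-group $rgName --name $k8sClusterName `
    --service-principal $spAppId --client-secret $env:AZURE_CLIENT_SECRET `
    --node-count $k8sNodesCount --generate-ssh-keys --output none

# Confirm the cluster is up and bound to the expected principal.
az aks show --resource-group $rgName --name $k8sClusterName `
    --query "{name:name, state:provisioningState, sp:servicePrincipalProfile.clientId}" --output table

Remove-Item Env:\AZURE_CLIENT_SECRET
```

The role check before az aks create is the step worth keeping even if the rest is adapted: it makes a too-wide assignment (Contributor on the whole subscription) visible before the principal is handed to a long-lived cluster.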

Point to Site Connectivity in Azure

Khaled Hikmat

Software Engineer

This PowerShell script creates a self-signed root certificate and a client certificate signed by it, exports them, and imports what is needed:

# Assumes Windows 10 (New-SelfSignedCertificate needs the PKI module that ships with it)
$certsPath = "C:\YourDir\Certificates"
$certNamePrefix = "YourNameP2S";
$date = Get-Date "2040-01-01";
# PFX password as a SecureString, built once and reused below. The literal is a placeholder;
# for anything beyond a throwaway lab use: Read-Host -Prompt "PFX password" -AsSecureString
$myPassword = ConvertTo-SecureString -String "some_password" -AsPlainText -Force
# Export-Certificate fails if the target folder does not exist
New-Item -ItemType Directory -Path $certsPath -Force | Out-Null
# Create a self-signed ROOT cert (KeyUsage CertSign is what lets it sign the client cert below)
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$($certNamePrefix)Cert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter $date
# Export the ROOT public cert and base64-encode it so it can be uploaded to the Point-to-Site VPN configuration: refer to https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
# Upload the .cer ending with '_Encoded' (paste the base64 body without the BEGIN/END lines).
# Only the public root cert leaves this machine; both private keys stay in the user store.
Export-Certificate -Cert $rootCert -FilePath "$certsPath\$($certNamePrefix)Cert.cer"
# -Wait so the encoded file exists before anything else uses it
Start-Process -FilePath 'certutil.exe' -ArgumentList "-encode $certsPath\$($certNamePrefix)Cert.cer $certsPath\$($certNamePrefix)Cert_Encoded.cer" -WindowStyle Hidden -Wait
# NOTE: Download the VPN client from Azure AFTER you upload the encoded certificate i.e. .cer file
# Generate a client certificate signed by the root (-Signer). The client subject does NOT have to
# match the root's; what matters is the signer and the Client Authentication EKU
# (2.5.29.37 = Extended Key Usage, 1.3.6.1.5.5.7.3.2 = clientAuth), which the VPN client requires.
$clientCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$($certNamePrefix)ClientCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -NotAfter $date
# Export the client certificate (with its private key and the root in the chain) as PFX.
# This file is the VPN credential: hand it only to the clients that need it and protect the password.
Export-PfxCertificate -Cert $clientCert -ChainOption BuildChain -FilePath "$certsPath\$($certNamePrefix)ClientCert.pfx" -Password $myPassword
# Import the PFX client cert into the user store. On the machine that generated it the cert is already
# in Cert:\CurrentUser\My, so this step is for the other client machines that receive the PFX.
# Drop -Exportable there unless the key really needs to be re-exported from that machine.
Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -FilePath "$certsPath\$($certNamePrefix)ClientCert.pfx" -Exportable -Password $myPassword
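A check I would run before uploading anything to the gateway or copying the PFX to a laptop. This is an added example, not part of the original script; it assumes the $rootCert, $clientCert, $certsPath and $certNamePrefix variables from the script above are still in scope, and the function name Test-P2SCertificatePair is my own. It verifies the three properties the Point-to-Site setup actually depends on (root can sign, client carries the clientAuth EKU, client chains to that root) and writes the base64 root data in the form the portal expects, without the certutil round trip.

```powershell
# Added verification step, not part of the original script. Assumes $rootCert, $clientCert,
# $certsPath and $certNamePrefix from the script above are in scope.
function Test-P2SCertificatePair {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Root,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Client
    )
    $problems = @()

    # 1. The root must be allowed to sign certificates (Key Usage: KeyCertSign).
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    $ku = $Root.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku -or (($ku.KeyUsages -band $certSign) -ne $certSign)) {
        $problems += "root certificate lacks the KeyCertSign key usage"
    }

    # 2. The client cert must carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2);
    #    without it the VPN client will not offer the certificate for the tunnel.
    $eku = $Client.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.2" })) {
        $problems += "client certificate lacks the Client Authentication EKU"
    }

    # 3. The client cert must chain to exactly this root. Revocation is skipped because a
    #    self-signed root publishes no CRL; the root is trusted explicitly via ExtraStore and
    #    AllowUnknownCertificateAuthority, since it is not in the Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    if (-not $chain.Build($Client)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
        $problems += "chain build failed: $status"
    } elseif ($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint -ne $Root.Thumbprint) {
        $problems += "client certificate does not chain to the expected root"
    }

    # 4. The client cert needs its private key, otherwise the PFX is useless as a credential.
    if (-not $Client.HasPrivateKey) { $problems += "client certificate has no private key" }

    return $problems
}

$problems = Test-P2SCertificatePair -Root $rootCert -Client $clientCert
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "certificate pair is not usable for Point-to-Site"
}

# The portal's 'Public certificate data' field wants the base64 body of the root cert with
# no BEGIN/END lines, which is exactly Base64(RawData); no certutil needed.
$rootBase64 = [Convert]::ToBase64String($rootCert.RawData)
Set-Content -Path "$certsPath\$($certNamePrefix)Cert_Base64.txt" -Value $rootBase64 -NoNewline
Write-Host "Root public certificate data written to $certsPath; paste it into the gateway's Point-to-Site configuration."
```

Running this against the original script as first written (client subject identical to the root and -TextExtension @("{text}")) is the quickest way to see why the EKU and signer matter: the chain check passes or fails on the signer alone, while the EKU check is what the VPN client enforces when it picks a certificate.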

I hope it helps someone.