PowerShell Reference Guide
PowerShell and Azure CLI Reference
Introduction:
Welcome to the PowerShell Reference Guide. This guide will provide you with a reference to
key PowerShell commands that are necessary for Azure administrators and required to pass the
Azure Administrator certification exams from Microsoft.
If you are completely new to PowerShell, we highly recommend you check out the Microsoft
Azure PowerShell Overview which has a number of tutorials and guides for learning the basics.
This guide is made up of several PowerShell commands which have been referenced from the
Microsoft documentation and other sources. Before running any of these commands in
production, please be sure to test them out in an Azure test account. Some commands are
destructive in nature (e.g. removing resource groups, tags etc.) and you need to make sure you
fully understand the commands that you execute.
The guide is divided up into the following sections:
• Downloading PowerShell and Installing Azure ARM Modules for PowerShell
• Accounts and Subscriptions
• Resource Groups
• Governance
• Storage
• Virtual Machines
• Networking
• Azure Active Directory
If you spot any errors in this guide, please submit them via the Contact Us page on the Skylines
Academy web site.
Thank you,
Skylines Academy Team
©2018 Skylines Academy, LLC All rights reserved
Downloading PowerShell:
Always make sure you have the latest version of PowerShell installed
https://azure.microsoft.com/en-gb/downloads/
All Azure administrators will require PowerShell along with the AzureRM module installed on
their laptops.
Installing AzureRM Module (Windows Example)
Installing Azure PowerShell from the PowerShell Gallery requires elevated privileges. Run the
following command from an elevated PowerShell session (Search for PowerShell → Right Click
→ Run as Administrator).
By default, the PowerShell gallery is not configured as a Trusted repository for PowerShellGet.
You will see the following prompts. Enter Yes to all.
Untrusted repository
Make sure to choose Yes when prompted to install modules from the untrusted repository.
If you desire, and given that the source is PSGallery, you can make the repository trusted by
using the Set-PSRepository cmdlet to change its installation policy.
Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
Answer 'Yes' or 'Yes to All' to continue with the installation.
Note
If you have a version older than 2.8.5.201 of NuGet, you are prompted to download and install
the latest version of NuGet.
The AzureRM module is a rollup module for the Azure Resource Manager cmdlets. When you
install the AzureRM module, any Azure PowerShell module not previously installed is
downloaded and installed from the PowerShell Gallery.
If you have a previous version of Azure PowerShell installed you may receive an error. To
resolve this issue, see the Updating to a new version of Azure PowerShell section of this
article.
Reference: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-4.4.0#step-2-install-azure-powershell
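The install and the repository trust decision described above, as an added example that is not part of the original guide. It assumes the default repository name 'PSGallery' and an elevated Windows PowerShell session; the trust change is left commented out so that it stays a deliberate choice.

```powershell
# Added example (not from the original guide).
# Assumption: 'PSGallery' is the repository name registered by PowerShellGet.

# 1. Inspect the repository before answering the prompt: confirm the source
#    URL and see whether it is currently Trusted or Untrusted.
Get-PSRepository -Name 'PSGallery' |
    Format-List Name, SourceLocation, InstallationPolicy

# 2a. Option A: leave PSGallery untrusted and approve this one install at the
#     prompt. -Repository pins the source, so a module with the same name in
#     another registered repository cannot be installed instead.
Install-Module -Name 'AzureRM' -Repository 'PSGallery' -Scope AllUsers

# 2b. Option B: mark PSGallery as trusted so the prompt is not shown again.
#     This applies to every later install from that repository.
# Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
#     To undo it later:
# Set-PSRepository -Name 'PSGallery' -InstallationPolicy Untrusted

# 3. Confirm what was installed, which version, and which repository it came from.
$module = Get-InstalledModule -Name 'AzureRM'
$module | Format-List Name, Version, Repository, InstalledLocation

# 4. Report the Authenticode signature status of the installed module files,
#    so an unsigned or tampered file stands out.
Get-ChildItem -Path $module.InstalledLocation -Include '*.psd1', '*.psm1' -Recurse |
    Get-AuthenticodeSignature |
    Select-Object Status,
                  @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } },
                  Path
```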
Azure Cloud Shell
Reference content from the following: https://docs.microsoft.com/en-us/azure/cloud-shell/overview?view=azurermps-4.4.0
Accounts and Subscriptions

Azure Accounts
Login to Azure Account
    Login-AzureRMAccount
    Note: Upon entering this command, you will be presented with a popup window to complete your login process and any MFA requirements.
Logout of the Azure account you are connected with in your session
    Disconnect-AzureRmAccount

Subscription Selection
List all subscriptions in all tenants the account can access
    Get-AzureRmSubscription
Get subscriptions in a specific tenant
    Get-AzureRmSubscription -TenantId "xxxx-xxxx-xxxx-xxxx"
Choose subscription
    Select-AzureRmSubscription -SubscriptionID "SubscriptionID"
    Note: Use Get-AzureRMSubscription to identify the subscriptionID.
Resource Groups

Retrieving Resource Groups
Find all resource groups (searches for them and displays them on screen)
    Find-AzureRmResourceGroup
Get all resource groups (gets the resource groups and additional details, which can also be stored for use by additional commands)
    Get-AzureRMResourceGroup
Get a specific resource group by name
    Get-AzureRmResourceGroup -Name "SkylinesRG"
Get resource groups where the name begins with "Skylines"
    Get-AzureRmResourceGroup | Where ResourceGroupName -like Skylines*
Show resource groups by location
    Get-AzureRmResourceGroup | Sort Location,ResourceGroupName | Format-Table -GroupBy Location ResourceGroupName,ProvisioningState,Tags

Resources within RGs
Find resources of a type in resource groups with a specific name
    Find-AzureRmResource -ResourceType "microsoft.web/sites" -ResourceGroupNameContains "thistext"
Find resources of a type matching against the resource name string
    Find-AzureRmResource -ResourceType "microsoft.web/sites" -ResourceNameContains "thistext"
    Note: The difference between this command and the one above is that this one does not look for a specific resource group, but rather for all resources with a name containing the text specified.
Resource Group Provisioning & Management
Create a new Resource Group
    New-AzureRmResourceGroup -Name 'SkylinesRG' -Location 'northcentralus'
    # Creates a new resource group in North Central US called "SkylinesRG"
Delete a Resource Group
    Remove-AzureRmResourceGroup -Name "SL-RGToDelete"

Moving Resources from one Resource Group to another
Step 1: Retrieve existing Resource
    $Resource = Get-AzureRmResource -ResourceType "Microsoft.ClassicCompute/storageAccounts" -ResourceName "SkylinesStorageAccount"
    # Retrieves a storage account called "SkylinesStorageAccount"
Step 2: Move the Resource to the New Group
    Move-AzureRmResource -ResourceId $Resource.ResourceId -DestinationResourceGroupName "SL-NewRG"
    # Moves the resource from Step 1 into the destination resource group "SL-NewRG"
Resource Group Tags
Display Tags associated with a specific resource group name
    (Get-AzureRmResourceGroup -Name "SkylinesRG").Tags
To get all Azure resource groups with a specific tag:
    (Find-AzureRmResourceGroup -Tag @{ Owner="Skylines Academy" }).Name
To get specific resources with a specific tag:
    (Find-AzureRmResource -TagName Dept -TagValue Finance).Name

Adding Tags
Add Tags to an existing resource group that has no tags
    Set-AzureRmResourceGroup -Name examplegroup -Tag @{ Dept="IT"; Environment="Test" }
Adding tags to an existing resource group that has tags (1. Get Tags, 2. Append, 3. Update/Apply Tags)
    $tags = (Get-AzureRmResourceGroup -Name examplegroup).Tags
    $tags += @{Status="Approved"}
    Set-AzureRmResourceGroup -Tag $tags -Name examplegroup
Add tags to a specific resource without tags
    $r = Get-AzureRmResource -ResourceName examplevnet -ResourceGroupName examplegroup
    Set-AzureRmResource -Tag @{ Dept="IT"; Environment="Test" } -ResourceId $r.ResourceId -Force
Apply all tags from an existing resource group to the resources beneath. (Note: this overrides all existing tags on the resources inside the RG)
    $groups = Get-AzureRmResourceGroup
    foreach ($g in $groups)
    {
        # Overwrite the tags of every resource in the group with the group's tags
        Find-AzureRmResource -ResourceGroupNameEquals $g.ResourceGroupName |
            ForEach-Object { Set-AzureRmResource -ResourceId $_.ResourceId -Tag $g.Tags -Force }
    }
Apply all tags from a resource group to its resources, but retain tags on resources that are not duplicates
    $groups = Get-AzureRmResourceGroup
    foreach ($g in $groups)
    {
        if ($g.Tags -ne $null) {
            $resources = Find-AzureRmResource -ResourceGroupNameEquals $g.ResourceGroupName
            foreach ($r in $resources)
            {
                $resourcetags = (Get-AzureRmResource -ResourceId $r.ResourceId).Tags
                # A resource with no tags returns $null; start from an empty hashtable
                if ($null -eq $resourcetags) { $resourcetags = @{} }
                # Drop keys the group also defines so the group's value wins
                foreach ($key in $g.Tags.Keys)
                {
                    if ($resourcetags.ContainsKey($key)) { $resourcetags.Remove($key) }
                }
                $resourcetags += $g.Tags
                Set-AzureRmResource -Tag $resourcetags -ResourceId $r.ResourceId -Force
            }
        }
    }

Remove all tags (Caution)
Removes all tags by passing an empty hash
    Set-AzureRmResourceGroup -Tag @{} -Name exampleresourcegroup
Governance

Azure Policies: View Policies and Assignments
See all policy definitions in your subscription
    Get-AzureRmPolicyDefinition
Retrieve assignments for a specific resource group
    $rg = Get-AzureRmResourceGroup -Name "ExampleGroup"
    Get-AzureRmPolicyAssignment -Name accessTierAssignment -Scope $rg.ResourceId

Create Policies
Step 1: Create the policy in JSON
Step 2: Pass the file using PowerShell
Example:
    $definition = New-AzureRmPolicyDefinition `
        -Name denyRegions `
        -DisplayName "Deny specific regions" `
        -Policy 'https://githublocation.com/azurepolicy.rules.json'
You can also use a local file as follows:
    $definition = New-AzureRmPolicyDefinition `
        -Name denyCoolTiering `
        -Description "Deny cool access tiering for storage" `
        -Policy "c:\policies\coolAccessTier.json"

Assign Policies
Apply a policy from a definition created above
    $rg = Get-AzureRmResourceGroup -Name "ExampleGroup"
    New-AzureRMPolicyAssignment -Name denyRegions -Scope $rg.ResourceId -PolicyDefinition $definition
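The two create steps and the assignment above carried through end to end, as an added example that is not part of the original guide. The rule content, the allowed region list and the file path under $env:TEMP are assumptions chosen for illustration; the definition and resource group names are the ones used above.

```powershell
# Added example (not from the original guide).
# Hypothetical path for the rule file; any local path works.
$policyFile = Join-Path $env:TEMP 'denyRegions.rules.json'

# Step 1: the policy rule in JSON. It denies any resource whose location is
# not in the allowed list (the two regions are assumptions for illustration).
$rule = @'
{
  "if": {
    "not": {
      "field": "location",
      "in": [ "eastus", "northcentralus" ]
    }
  },
  "then": {
    "effect": "deny"
  }
}
'@
Set-Content -Path $policyFile -Value $rule -Encoding ASCII

# Fail early on malformed JSON instead of finding out at definition time.
$parsed = Get-Content -Path $policyFile -Raw | ConvertFrom-Json
if ($parsed.then.effect -ne 'deny') {
    throw "Unexpected effect '$($parsed.then.effect)' in $policyFile"
}

# Step 2: pass the file to PowerShell to create the definition.
$definition = New-AzureRmPolicyDefinition `
    -Name 'denyRegions' `
    -DisplayName 'Deny specific regions' `
    -Description 'Deny resources outside the approved regions' `
    -Policy $policyFile

# Assign the definition at resource group scope, the narrowest scope that
# covers the resources it should govern.
$rg = Get-AzureRmResourceGroup -Name 'ExampleGroup'
New-AzureRmPolicyAssignment -Name 'denyRegions' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition

# Read the assignment back to confirm the name and scope that were applied.
Get-AzureRmPolicyAssignment -Name 'denyRegions' -Scope $rg.ResourceId
```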

Resource Locks
Create a new resource lock
    New-AzureRmResourceLock -LockLevel ReadOnly -LockNotes "Notes about the lock" -LockName "SL-WebSiteLock" -ResourceName "SL-WebSite" -ResourceType "microsoft.web/sites"
    # Creates a new ReadOnly resource lock on a web site resource.
Retrieve a resource lock
    Get-AzureRmResourceLock -LockName "SL-WebSiteLock" -ResourceName "SL-WebSite" -ResourceType "microsoft.web/sites" -ResourceGroupName "SL-RGWebSite"
Storage

Retrieving Storage Accounts
Lists all storage accounts in the current subscription
    Get-AzureRMStorageAccount

Create Storage Account
Create Storage Account
    New-AzureRmStorageAccount -ResourceGroupName "slstoragerg" -Name "slstorage1" -Location "eastus" -SkuName "Standard_LRS"
    Requires the resource group name, storage account name, valid Azure location, and type (SkuName).
SKU Options
    • Standard_LRS. Locally-redundant storage.
    • Standard_ZRS. Zone-redundant storage.
    • Standard_GRS. Geo-redundant storage.
    • Standard_RAGRS. Read access geo-redundant storage.
    • Premium_LRS. Premium locally-redundant storage.
Optional Key Parameters
    -Kind
    The kind parameter will allow you to specify the type of Storage Account. The default value is Storage.
    • Storage - General purpose Storage account that supports storage of Blobs, Tables, Queues, Files and Disks.
    • StorageV2 - General Purpose Version 2 (GPv2) Storage account that supports Blobs, Tables, Queues, Files, and Disks, with advanced features like data tiering.
    • BlobStorage - Blob Storage account which supports storage of Blobs only.
    -AccessTier
    If you specify BlobStorage as the "Kind" then you must also include an access tier
    • Hot
    • Cool
Create a storage container in a storage account (using the storage account name)
    New-AzureRmStorageContainer -ResourceGroupName "slstoragerg" -AccountName "slstorageaccount" -ContainerName "slcontainer"
Create a storage container in a storage account (using the storage account object)
1. Get the storage account and store it as a variable
    $storageaccount = Get-AzureRmStorageAccount -ResourceGroupName "slstoragerg" -AccountName "slstorageaccount"
2. Make sure you have the right one
    $storageaccount
    This will show you the storage account object you stored in the variable $storageaccount
3. Create the container in the storage account object
    New-AzureRmStorageContainer -StorageAccount $storageaccount -ContainerName "slcontainer"

Remove Accounts and Containers
Delete a storage account
    Remove-AzureRmStorageAccount -ResourceGroupName "slstoragerg" -AccountName "slstorageaccount"
Delete a storage container using storage account name and container name
    Remove-AzureRmStorageContainer -ResourceGroupName "slstoragerg" -AccountName "slstorageaccount" -ContainerName "slcontainer"
Delete a storage container using the storage account object
    Remove-AzureRmStorageContainer -StorageAccount $storageaccount -ContainerName "slcontainer"
    Note: Make sure to store the storage account as a variable first using
    $storageaccount = Get-AzureRmStorageAccount -ResourceGroupName "slstoragerg" -AccountName "slstorageaccount"
Deploy and Manage Virtual Machines

Get Information About VMs
List all VMs in current subscription
    Get-AzureRmVM
List VMs in a resource group (See Resource Groups section above)
    Get-AzureRmVM -ResourceGroupName $slResourceGroup
Get a specific virtual machine
    Get-AzureRmVM -ResourceGroupName "slresourcegroup" -Name "myVM"

Create a VM – Simplified
I put this command here as it is a quick way to create a VM, but you are far better off using VM
configurations to create your VMs with more specific parameters applied. Try out both of them and you
will see the difference.
Create a simple VM
    New-AzureRmVM -Name "vmname"
    Typing in this simple command will create a VM and populate names for all the associated objects based on the VM name specified.

Create a VM Configuration Before Creating the Virtual Machine
Use the following tasks to create a new VM configuration before creating your Virtual Machine based on
that config.
Create a VM configuration
    $vmconfig = New-AzureRmVMConfig -VMName "systemname" -VMSize "Standard_D1_v2"
Add configuration settings
    $vmconfig = Set-AzureRmVMOperatingSystem -VM $vmconfig -Windows -ComputerName "systemname" -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
    This adds the operating system settings to the configuration.
Add a network interface
    $vmconfig = Add-AzureRmVMNetworkInterface -VM $vmconfig -Id $nic.Id
Specify a platform image
    $vmconfig = Set-AzureRmVMSourceImage -VM $vmconfig -PublisherName "publisher_name" -Offer "publisher_offer" -Skus "product_sku" -Version "latest"
Create a VM
    New-AzureRmVM -ResourceGroupName "slresourcegroup" -Location "eastus" -VM $vmconfig
    All resources are created in the resource group. Before you run this command, run New-AzureRmVMConfig, Set-AzureRmVMOperatingSystem, Set-AzureRmVMSourceImage, Add-AzureRmVMNetworkInterface, and Set-AzureRmVMOSDisk.

VM Operations
Start a VM
    Start-AzureRmVM -ResourceGroupName "slresourcegroup" -Name "vmname"
Stop a VM
    Stop-AzureRmVM -ResourceGroupName "slresourcegroup" -Name "vmname"
Restart a running VM
    Restart-AzureRmVM -ResourceGroupName "slresourcegroup" -Name "vmname"
Delete a VM
    Remove-AzureRmVM -ResourceGroupName "slresourcegroup" -Name "vmname"
Networking

Get/List Networking
List virtual networks
    Get-AzureRmVirtualNetwork -ResourceGroupName "slresourcegroup"
    Lists all the virtual networks in the resource group.
Get information about a virtual network
    Get-AzureRmVirtualNetwork -Name "myVNet" -ResourceGroupName "slresourcegroup"
List subnets in a virtual network
    Get-AzureRmVirtualNetwork -Name "myVNet" -ResourceGroupName "slresourcegroup" | Select Subnets
Get information about a subnet
    Get-AzureRmVirtualNetworkSubnetConfig -Name "mySubnet1" -VirtualNetwork $vnet
    Gets information about the subnet in the specified virtual network. The $vnet value represents the object returned by Get-AzureRmVirtualNetwork you used previously.
Get all IP addresses from a resource group
    Get-AzureRmPublicIpAddress -ResourceGroupName "slresourcegroup"
Get all load balancers from a resource group
    Get-AzureRmLoadBalancer -ResourceGroupName "slresourcegroup"
Get all network interfaces from a resource group
    Get-AzureRmNetworkInterface -ResourceGroupName "slresourcegroup"
Get information about a network interface
    Get-AzureRmNetworkInterface -Name "slNIC" -ResourceGroupName "slresourcegroup"
Get the IP configuration of a network interface
    Get-AzureRmNetworkInterfaceIPConfig -Name "slNICIP" -NetworkInterface $nic
    Gets information about the IP configuration of the specified network interface. The $nic value represents the object returned by Get-AzureRmNetworkInterface.

Create Network Resources
Create subnet configurations
    $subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name "slSubnet1" -AddressPrefix XX.X.X.X/XX
    $subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name "slSubnet2" -AddressPrefix XX.X.X.X/XX
Create a virtual network
    $vnet = New-AzureRmVirtualNetwork -Name "myVNet" -ResourceGroupName "slresourcegroup" -Location $location -AddressPrefix XX.X.X.X/XX -Subnet $subnet1, $subnet2
    Note: Make sure to create the subnets first as per the previous command above.
Test for a unique domain name
    Test-AzureRmDnsAvailability -DomainNameLabel "myDNS" -Location $location
    You can specify a DNS domain name for a public IP resource, which creates a mapping for domainname.location.cloudapp.azure.com to the public IP address in the Azure-managed DNS servers. The name can contain only letters, numbers, and hyphens. The first and last character must be a letter or number and the domain name must be unique within its Azure location. If True is returned, your proposed name is globally unique.
Create a public IP address
    $pip = New-AzureRmPublicIpAddress -Name "myPublicIp" -ResourceGroupName "slresourcegroup" -DomainNameLabel "myDNS" -Location $location -AllocationMethod Dynamic
    The public IP address uses the domain name that you previously tested and is used by the frontend configuration of the load balancer.
Create a frontend IP configuration
    $frontendIP = New-AzureRmLoadBalancerFrontendIpConfig -Name "myFrontendIP" -PublicIpAddress $pip
    The frontend configuration includes the public IP address that you previously created for incoming network traffic.
Create a backend address pool
    $beAddressPool = New-AzureRmLoadBalancerBackendAddressPoolConfig -Name "myBackendAddressPool"
    Provides internal addresses for the backend of the load balancer that are accessed through a network interface.
Create a probe
    $healthProbe = New-AzureRmLoadBalancerProbeConfig -Name "myProbe" -RequestPath 'HealthProbe.aspx' -Protocol http -Port 80 -IntervalInSeconds 15 -ProbeCount 2
    Contains health probes used to check availability of virtual machine instances in the backend address pool.
Create a load balancing rule
    $lbRule = New-AzureRmLoadBalancerRuleConfig -Name HTTP -FrontendIpConfiguration $frontendIP -BackendAddressPool $beAddressPool -Probe $healthProbe -Protocol Tcp -FrontendPort 80 -BackendPort 80
    Contains rules that assign a public port on the load balancer to a port in the backend address pool.
Create an inbound NAT rule
    $inboundNATRule = New-AzureRmLoadBalancerInboundNatRuleConfig -Name "myInboundRule1" -FrontendIpConfiguration $frontendIP -Protocol TCP -FrontendPort 3441 -BackendPort 3389
    Contains rules mapping a public port on the load balancer to a port for a specific virtual machine in the backend address pool.
Create a load balancer
    $loadBalancer = New-AzureRmLoadBalancer -ResourceGroupName "slresourcegroup" -Name "myLoadBalancer" -Location $location -FrontendIpConfiguration $frontendIP -InboundNatRule $inboundNATRule -LoadBalancingRule $lbRule -BackendAddressPool $beAddressPool -Probe $healthProbe
Create a network interface
    $nic1 = New-AzureRmNetworkInterface -ResourceGroupName "slresourcegroup" -Name "myNIC" -Location $location -PrivateIpAddress XX.X.X.X -Subnet $subnet2 -LoadBalancerBackendAddressPool $loadBalancer.BackendAddressPools[0] -LoadBalancerInboundNatRule $loadBalancer.InboundNatRules[0]
    Create a network interface using the public IP address and virtual network subnet that you previously created.

Remove Network Resources
Delete a virtual network
    Remove-AzureRmVirtualNetwork -Name "myVNet" -ResourceGroupName "slresourcegroup"
    Removes the specified virtual network from the resource group.
Delete a network interface
    Remove-AzureRmNetworkInterface -Name "myNIC" -ResourceGroupName "slresourcegroup"
    Removes the specified network interface from the resource group.
Delete a load balancer
    Remove-AzureRmLoadBalancer -Name "myLoadBalancer" -ResourceGroupName "slresourcegroup"
    Removes the specified load balancer from the resource group.
Delete a public IP address
    Remove-AzureRmPublicIpAddress -Name "myIPAddress" -ResourceGroupName "slresourcegroup"
    Removes the specified public IP address from the resource group.
Azure Active Directory Commands

Install Azure AD Module
In order to use the Azure AD commands, you first need to install the Azure AD module. Use the following
procedure to get it installed:
1. Open PowerShell
2. Type "Install-Module AzureAD"
3. Press Y to accept the untrusted repository (PSGallery).

Connect to Azure AD
Connect to Azure Active Directory
    Connect-AzureAD
    Note: You will be prompted to enter your credentials and any additional authentication steps required.
Disconnect from Azure Active Directory
    Disconnect-AzureAD

User and Service Principal Management
Get all users
    Get-AzureADUser
Get specific user
    Get-AzureADUser -ObjectId "[email protected]"
Remove User
    Remove-AzureADUser -ObjectId "[email protected]"
New User Creation
This is a 3 step process that requires first creating a password profile, setting the password, and then passing these into the New-AzureADUser command.
1. Create Password Profile
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
2. Set Password
    $PasswordProfile.Password = "Password"
3. Create User
    New-AzureADUser -DisplayName "New User" -PasswordProfile $PasswordProfile -UserPrincipalName "[email protected]" -AccountEnabled $true -MailNickName "Newuser"
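The same three steps without a password literal in the script, as an added example that is not part of the original guide. It assumes an AzureAD module session with rights to create users; the "newuser" name part and the use of the tenant's default domain are assumptions for illustration.

```powershell
# Added example (not from the original guide).
Connect-AzureAD

# Build the UPN from the tenant's default verified domain so the create call
# is not rejected for an unverified domain. 'newuser' is a hypothetical name.
$domain = (Get-AzureADDomain | Where-Object { $_.IsDefault }).Name
$upn    = "newuser@$domain"

# Prompt for the initial password so it never appears in the script file
# or in the command history.
$secure = Read-Host -Prompt "Initial password for $upn" -AsSecureString

# 1. Create the password profile.
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

# 2. Set the password. PasswordProfile.Password is a plain string, so the
#    SecureString is unwrapped only at this point.
$PasswordProfile.Password = [System.Net.NetworkCredential]::new('', $secure).Password
#    Require the user to replace the initial password at first sign-in.
$PasswordProfile.ForceChangePasswordNextLogin = $true

# 3. Create the user.
$user = New-AzureADUser -DisplayName 'New User' `
    -PasswordProfile $PasswordProfile `
    -UserPrincipalName $upn `
    -AccountEnabled $true `
    -MailNickName 'Newuser'

# Drop the plain-text copy held by the profile object once the call returns.
$PasswordProfile.Password = $null

# Read the account back to confirm what was created.
Get-AzureADUser -ObjectId $user.ObjectId |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled
```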
Service Principal Creation
First you need to create your application registration in Azure AD, then you retrieve it with this command.
    Get-AzureRmADApplication -DisplayNameStartWith slappregistration
Once you have the application ID for the App registration, you can use it to create the SPN (Service Principal).
    New-AzureRmADServicePrincipal -ApplicationId 11111111-1111-1111-1111-11111111111 -Password $securePassword
Assign Role
This will be scoped to the resource group name you type in with the role definition assigned to the SPN, i.e. the SPN is allowed to do X at the RG named Y.
    New-AzureRmRoleAssignment -ResourceGroupName "slresourcegroup" -ObjectId 11111111-1111-1111-1111-11111111111 -RoleDefinitionName Reader
View Current Role Assignment
    Get-AzureRmRoleAssignment -ResourceGroupName "slresourcegroup" -ObjectId 11111111-1111-1111-1111-11111111111
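The service principal steps above chained together with the IDs taken from the returned objects instead of typed by hand, as an added example that is not part of the original guide. It assumes an AzureRM version in which -Password accepts a SecureString (as the $securePassword variable above implies) and that exactly one app registration matches the name prefix; the retry count and delay are arbitrary choices.

```powershell
# Added example (not from the original guide).

# Retrieve the app registration and refuse to continue on an ambiguous match,
# so the role is never granted to the wrong application.
$app = @(Get-AzureRmADApplication -DisplayNameStartWith 'slappregistration')
if ($app.Count -ne 1) {
    throw "Expected exactly one app registration, found $($app.Count)."
}

# Prompt for the secret rather than embedding it in the script.
$securePassword = Read-Host -Prompt 'Service principal password' -AsSecureString

# Create the SPN for that application.
$sp = New-AzureRmADServicePrincipal -ApplicationId $app[0].ApplicationId `
    -Password $securePassword

# Assign the least-privileged role that fits (Reader) at resource group scope.
# A new service principal can take a short time to become visible to role
# assignment, so retry a few times before giving up.
$assignment = $null
foreach ($attempt in 1..6) {
    try {
        $assignment = New-AzureRmRoleAssignment `
            -ResourceGroupName 'slresourcegroup' `
            -ObjectId $sp.Id `
            -RoleDefinitionName 'Reader' `
            -ErrorAction Stop
        break
    }
    catch {
        Write-Verbose "Attempt $attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds 10
    }
}
if (-not $assignment) {
    throw "Role assignment for service principal $($sp.Id) did not succeed."
}

# Review every assignment the SPN holds, not only the one just created, so a
# broader role or scope granted earlier is noticed.
Get-AzureRmRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope
```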