From aeo-infra
This skill should be used when the user asks about "Azure CLI commands", "writing Azure CLI scripts", "managing Azure resources", "az login", "az account", "service principal", "managed identity", "credential chain", or working with specific Azure services via CLI (VMs, Storage, VNets, NSGs, Key Vault, App Service, AKS, RBAC). Also applies when the user needs help with "JMESPath query", "--query syntax", "az graph query", "CLI pagination", "az wait", "output formatting", "multi-subscription", "resource locks", "safe destructive commands", "az rest API calls", "az bicep", "CLI extensions", "cost management", "cost analysis", "spending", or "az resource" for services without dedicated CLI commands.
npx claudepluginhub aeyeops/aeo-skill-marketplace --plugin aeo-infraThis skill uses the workspace's default tool permissions.
Guidance for using the Azure Command-Line Interface effectively and safely.
Guides Payload CMS config (payload.config.ts), collections, fields, hooks, access control, APIs. Debugs validation errors, security, relationships, queries, transactions, hook behavior.
Builds scalable data pipelines, modern data warehouses, and real-time streaming architectures using Spark, dbt, Airflow, Kafka, and cloud platforms like Snowflake, BigQuery.
Builds production Apache Airflow DAGs with best practices for operators, sensors, testing, and deployment. For data pipelines, workflow orchestration, and batch job scheduling.
Guidance for using the Azure Command-Line Interface effectively and safely.
Current version: Azure CLI 2.83.0 (released 2026-02-03). MFA is mandatory for user identity logins since October 2025.
Before executing ANY Azure CLI command, verify subscription and identity:
az account show --query "{Sub:name, ID:id, Tenant:tenantId}" --output table
Never assume which subscription is active. Environment variables, config defaults, and recent az account set calls can silently change the target.
az account show before write/delete operationsaz deployment group what-if before ARM/Bicep deployments; no native --dry-run for individual az commands--query (JMESPath) to reduce output; use az graph query (KQL) for cross-subscription inventorytsv for scripting — --output tsv gives clean values without quotes; --output none when only exit code matters--subscription in scripts; never rely on the default context--only-show-errors — Suppress warnings in scripts; let errors flow to stderraz login --identity for Azure-hosted workloads; service principal with certificate for CI/CD; federated credentials (OIDC) for GitHub Actionsaz lock create --lock-type CanNotDelete on production resource groups# List all VMs with power state
az vm list --show-details \
--query "[].{Name:name,RG:resourceGroup,State:powerState,Size:hardwareProfile.vmSize}" \
--output table
# Find resources by tag across the subscription
az resource list \
--tag Environment=production \
--query "[].{Name:name,Type:type,RG:resourceGroup}" --output table
# Cross-subscription inventory via Resource Graph (KQL)
az graph query -q \
"Resources | where type =~ 'Microsoft.Compute/virtualMachines' | project name, location, resourceGroup | order by name"
# Step 1: Verify subscription
SUB=$(az account show --query name --output tsv)
echo "Subscription: $SUB"
# Step 2: What-if for Bicep/ARM deployments
az deployment group what-if \
--resource-group myRG \
--template-file main.bicep \
--parameters @params.json
# Step 3: Deploy with confirmation
az deployment group create \
--resource-group myRG \
--template-file main.bicep \
--confirm-with-what-if
az login # interactive browser (WAM on Windows)
az login --use-device-code # headless/SSH
az login --identity # managed identity (Azure-hosted)
az login --service-principal \
--username "$AZURE_CLIENT_ID" \
--certificate /path/to/cert.pem \
--tenant "$AZURE_TENANT_ID" # certificate-based SP (preferred for CI/CD)
MFA is mandatory for user identities since October 2025. This does NOT affect service principals or managed identities. For full credential chain, federated credentials (OIDC), WAM, multi-tenant patterns, and token caching details, see references/advanced-patterns.md#authentication-and-credential-chain.
# Upload blob (always use --auth-mode login over key auth)
az storage blob upload \
--account-name mystorageacct \
--container-name mycontainer \
--file ./local.txt --name remote.txt \
--auth-mode login
# Sync directory
az storage azcopy blob sync \
--container mycontainer \
--account-name mystorageacct \
--source "./local-dir"
az vm wait -g myRG -n myVM --created
az deployment group wait -g myRG -n my-deployment --created
az group wait -n myRG --deleted
az wait polls with --interval (default 30s) and --timeout (default 3600s). Use --custom for JMESPath conditions. For parallel wait patterns and --ids, see references/advanced-patterns.md#az-wait-patterns.
--query (JMESPath)All Azure CLI commands support --query. Queries execute client-side on the JSON response.
# Filter + project
az vm list --show-details \
--query "[?powerState=='VM running'].{Name:name,IP:publicIps}" \
--output table
# Scalar capture (tsv strips quotes)
VM_ID=$(az vm show -g myRG -n myVM --query id --output tsv)
# Built-in functions
az vm list --query "sort_by([], &name)[0:5].name" --output tsv
For JMESPath gotchas, filter predicates, and pipe expressions, see references/advanced-patterns.md#jmespath-query-patterns.
tsv — --output tsvjson / jsonc — --output jsontable — --output tableyaml — --output yamlnone — --output noneVerify before shipping:
set -euo pipefail at script top--only-show-errors on all commands (or az config set core.only_show_errors=true)--subscription explicit on every command (never rely on default)az account show at script start to verify context--yes --no-wait on destructive commands in production (swallows errors)CanNotDelete) on production resource groupsaz role assignment delete without --assignee and --role (may match unintended assignments)az login -u/-p fails with MFA since October 2025. Migrate to service principal or managed identity.az vm delete orphans resources: Disks, NICs, public IPs, and NSGs are NOT deleted. Clean up manually or delete the resource group.az vm stop still bills: Use az vm deallocate to actually stop billing for compute.--auth-mode login for storage: Default is key auth which bypasses Entra RBAC. Always pass --auth-mode login.set -e scripts.az role assignment delete without --assignee: May match and delete more assignments than intended at the given scope. Always specify --assignee and --role.az login. Disable with az config set core.login_experience_v2=off.az cost command: Cost Management has no CLI command group. Use az rest against the CostManagement query API. See references/advanced-patterns.md#cost-management-queries-via-az-rest.az command group. Use az resource show/list/delete or az rest. See references/advanced-patterns.md#resources-without-dedicated-cli-commands.purview only have preview releases and auto-install with noisy warnings. Suppress with --only-show-errors.Before running any destructive Azure CLI command, consult the safety reference for tiered risk commands (irreversible data loss, service disruption, cost explosion), safer alternatives, resource locks, and the --yes/--no-wait danger matrix: references/dangerous-commands.md.
For JMESPath queries, output formats, pagination, az wait, az rest, CLI extensions, az configure, environment variables, az graph (KQL), scripting best practices, exit codes, az bicep, multi-subscription loops, authentication and credential chain: references/advanced-patterns.md.
For Virtual Machines, Storage Accounts, Virtual Networks and NSGs, Key Vault, App Service, AKS, and RBAC role assignments: references/service-patterns.md.