Enterprise Azure PowerShell Command Reference
Complete Operational Guide for Entra ID, Compute, Networking, PaaS, Storage, and Disaster Recovery
PowerShell remains the most deterministic way to deploy, configure, secure, and automate Microsoft Azure environments. This reference guide consolidates production-relevant PowerShell cmdlets across all major Azure domains used in enterprise environments.
The Commands Below Cover:
Identity Management
Infrastructure Provisioning
Network Security
Platform Services
Storage Operations
Backup and Disaster Recovery
Prerequisites
Install Azure PowerShell:
Install-Module -Name Az -Repository PSGallery -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Connect to Azure:
Connect-AzAccount
Connect-MgGraph
Entra ID Module Microsoft Graph PowerShell (Recommended)
Az.Resources (RBAC and Azure Resource Authorization)
|
Command |
Explanation |
|
Connect-MgGraph |
Connect to Microsoft Graph with delegated or app permissions. |
|
Disconnect-MgGraph |
Disconnect the current Graph session. |
|
Select-MgProfile -Name "v1.0" |
Use the stable Graph endpoint profile for production scripts. |
|
Get-MgOrganization |
Retrieve tenant organization details. |
|
Get-MgUser |
List users or retrieve a specific user by UPN or ID. |
|
New-MgUser |
Create a new Entra ID user. |
|
Update-MgUser |
Modify user properties (department, usage location, etc.). |
|
Remove-MgUser |
Delete a user. |
|
Get-MgGroup |
List groups or retrieve a specific group. |
|
New-MgGroup |
Create a security or Microsoft 365 group. |
|
Update-MgGroup |
Modify group settings and properties. |
|
Remove-MgGroup |
Delete a group. |
|
New-MgGroupMemberByRef |
Add members to a group (users, service principals). |
|
Remove-MgGroupMemberByRef |
Remove group members. |
|
Get-MgServicePrincipal |
List enterprise application service principals. |
|
New-MgServicePrincipal |
Create a service principal (commonly created via app registration flow). |
|
Get-MgApplication |
List app registrations. |
|
New-MgApplication |
Create an app registration. |
|
Update-MgApplication |
Update app registration settings (redirect URIs, etc.). |
|
Remove-MgApplication |
Delete an app registration. |
|
Add-MgApplicationPassword |
Add a client secret to an app registration. |
|
Add-MgApplicationKey |
Add a certificate key credential to an app registration. |
|
Get-MgAuditLogSignIn |
Retrieve sign-in logs for investigations and reporting. |
|
Get-MgAuditLogDirectoryAudit |
Retrieve directory audit logs (who changed what). |
|
Get-AzADUser |
Retrieve Entra ID users via Az module context. |
|
Get-AzADGroup |
Retrieve Entra ID groups via Az module context. |
|
Get-AzADServicePrincipal |
Retrieve service principals via Az module context. |
|
Get-AzRoleDefinition |
List RBAC roles and their permissions. |
|
Get-AzRoleAssignment |
List RBAC role assignments at a scope. |
|
New-AzRoleAssignment |
Assign an RBAC role to a principal at a scope. |
|
Remove-AzRoleAssignment |
Remove an RBAC role assignment. |
Compute Module
Az.Compute, Az.Websites, Az.Aks, Az.ContainerInstance
|
Command |
Explanation |
|
New-AzVM |
Create a virtual machine using an image and configuration. |
|
Get-AzVM |
Get VM(s) and properties including power state (with -Status). |
|
Start-AzVM |
Start a VM. |
|
Stop-AzVM |
Stop a VM (optionally deallocate with -StayProvisioned:$false pattern via Stop-AzVM -Force). |
|
Restart-AzVM |
Restart a VM. |
|
Remove-AzVM |
Delete a VM resource (disks and NICs may remain depending on how it was created). |
|
Update-AzVM |
Apply updates to VM model after modifying its object. |
|
Set-AzVMOperatingSystem |
Set OS profile details during VM creation configuration. |
|
Set-AzVMSourceImage |
Select an image for VM creation. |
|
Add-AzVMNetworkInterface |
Attach NICs to a VM configuration. |
|
Get-AzVMSize |
List available VM sizes in a region. |
|
Get-AzVMImagePublisher |
List image publishers. |
|
Get-AzVMImageOffer |
List offers for a publisher. |
|
Get-AzVMImageSku |
List SKUs for an offer. |
|
Get-AzVMImage |
List available image versions. |
|
New-AzAvailabilitySet |
Create an availability set for VM high availability. |
|
New-AzVmss |
Create a virtual machine scale set. |
|
Get-AzVmss |
Retrieve VM scale sets. |
|
Update-AzVmss |
Update scale set model (capacity, SKU, extensions). |
|
New-AzDedicatedHostGroup |
Create a dedicated host group. |
|
New-AzDedicatedHost |
Create a dedicated host. |
|
New-AzDisk |
Create a managed disk. |
|
Get-AzDisk |
Retrieve managed disks. |
|
Update-AzDisk |
Update disk SKU, size (increase), and settings. |
|
New-AzSnapshot |
Create a snapshot of a managed disk. |
|
New-AzContainerGroup |
Create Azure Container Instances (ACI). |
|
Get-AzContainerGroup |
Retrieve container groups and status. |
|
Remove-AzContainerGroup |
Delete a container group. |
|
New-AzAksCluster |
Create an AKS cluster (advanced parameters typically used for enterprise). |
|
Get-AzAksCluster |
Retrieve AKS cluster configuration. |
|
Update-AzAksCluster |
Update AKS configuration (version, features, etc.). |
|
Remove-AzAksCluster |
Delete an AKS cluster. |
|
New-AzWebApp |
Create an App Service Web App. |
|
Get-AzWebApp |
Retrieve Web App details and configuration. |
|
Set-AzWebApp |
Update Web App settings and runtime properties. |
|
Restart-AzWebApp |
Restart a Web App. |
|
New-AzFunctionApp |
Create an Azure Function App. |
|
Get-AzFunctionApp |
Retrieve Function App details. |
Networking Module
Az.Network
|
Command |
Explanation |
|
New-AzVirtualNetwork |
Create a virtual network. |
|
Get-AzVirtualNetwork |
Retrieve virtual networks. |
|
Set-AzVirtualNetwork |
Apply updates to a VNet after modifying its object. |
|
Add-AzVirtualNetworkSubnetConfig |
Add a subnet to a VNet object. |
|
Set-AzVirtualNetworkSubnetConfig |
Modify subnet properties (delegations, endpoints, etc.). |
|
Get-AzVirtualNetworkSubnetConfig |
Retrieve a subnet configuration from a VNet. |
|
New-AzNetworkSecurityGroup |
Create an NSG. |
|
Get-AzNetworkSecurityGroup |
Retrieve NSGs. |
|
Add-AzNetworkSecurityRuleConfig |
Add a security rule to an NSG object. |
|
Set-AzNetworkSecurityGroup |
Apply NSG changes after modifying its object. |
|
New-AzRouteTable |
Create a route table. |
|
Get-AzRouteTable |
Retrieve route tables. |
|
Add-AzRouteConfig |
Add a UDR route to a route table object. |
|
Set-AzRouteTable |
Apply route table changes. |
|
New-AzPublicIpAddress |
Create a public IP (Standard recommended for production). |
|
Get-AzPublicIpAddress |
Retrieve public IPs. |
|
New-AzNetworkInterface |
Create a NIC and attach NSG, IP config, subnet. |
|
Get-AzNetworkInterface |
Retrieve NICs. |
|
Set-AzNetworkInterface |
Apply NIC changes. |
|
New-AzLoadBalancer |
Create an Azure Load Balancer. |
|
Get-AzLoadBalancer |
Retrieve load balancers. |
|
New-AzApplicationGateway |
Create Application Gateway (WAF with separate WAF config cmdlets). |
|
Get-AzApplicationGateway |
Retrieve Application Gateway. |
|
Set-AzApplicationGateway |
Apply Application Gateway modifications. |
|
New-AzFirewall |
Create Azure Firewall. |
|
Get-AzFirewall |
Retrieve Azure Firewall instances. |
|
Set-AzFirewall |
Apply Azure Firewall configuration changes. |
|
New-AzFirewallPolicy |
Create an Azure Firewall Policy. |
|
Get-AzFirewallPolicy |
Retrieve Azure Firewall Policies. |
|
New-AzPrivateEndpoint |
Create a private endpoint to a PaaS resource. |
|
Get-AzPrivateEndpoint |
Retrieve private endpoints. |
|
New-AzPrivateDnsZone |
Create a Private DNS zone. |
|
Get-AzPrivateDnsZone |
Retrieve Private DNS zones. |
|
New-AzPrivateDnsVirtualNetworkLink |
Link Private DNS zone to a VNet. |
|
New-AzVirtualNetworkPeering |
Create VNet peering. |
|
Get-AzVirtualNetworkPeering |
Retrieve VNet peering configuration. |
|
New-AzVpnGateway |
Create a VPN gateway (common in hub deployments). |
|
Get-AzVpnGateway |
Retrieve VPN gateways. |
|
New-AzExpressRouteCircuit |
Create an ExpressRoute circuit resource. |
|
Get-AzExpressRouteCircuit |
Retrieve ExpressRoute circuits. |
|
Get-AzNetworkWatcher |
Retrieve Network Watcher. |
|
Test-AzNetworkWatcherIPFlow |
Validate whether traffic is allowed or denied based on NSG rules. |
|
Get-AzNetworkWatcherFlowLogStatus |
Check NSG flow log status. |
Platform as a Service Module
Az.Websites, Az.Functions, Az.ApiManagement, Az.ServiceBus, Az.EventGrid, Az.EventHub, Az.Sql, Az.CosmosDB, Az.DataFactory, Az.Synapse, Az.KeyVault
|
Command |
Explanation |
|
New-AzWebApp |
Create a Web App (App Service). |
|
Set-AzWebApp |
Update Web App configuration. |
|
New-AzWebAppSlot |
Create a deployment slot. |
|
Swap-AzWebAppSlot |
Swap slots for blue-green style releases. |
|
New-AzFunctionApp |
Create a Function App. |
|
Get-AzFunctionApp |
Retrieve Function App details. |
|
New-AzApiManagement |
Create an API Management instance. |
|
Get-AzApiManagement |
Retrieve API Management instances. |
|
New-AzServiceBusNamespace |
Create a Service Bus namespace. |
|
Get-AzServiceBusNamespace |
Retrieve Service Bus namespaces. |
|
New-AzServiceBusQueue |
Create a Service Bus queue. |
|
New-AzServiceBusTopic |
Create a Service Bus topic. |
|
New-AzEventHubNamespace |
Create an Event Hubs namespace. |
|
Get-AzEventHubNamespace |
Retrieve Event Hubs namespaces. |
|
New-AzEventHub |
Create an Event Hub. |
|
New-AzEventGridTopic |
Create an Event Grid topic. |
|
New-AzSqlServer |
Create an Azure SQL logical server. |
|
Get-AzSqlServer |
Retrieve SQL logical servers. |
|
New-AzSqlDatabase |
Create an Azure SQL Database. |
|
Get-AzSqlDatabase |
Retrieve SQL databases. |
|
Set-AzSqlServerFirewallRule |
Configure SQL server firewall rules (use Private Endpoint in enterprise). |
|
New-AzCosmosDBAccount |
Create a Cosmos DB account. |
|
Get-AzCosmosDBAccount |
Retrieve Cosmos DB accounts. |
|
Update-AzCosmosDBAccount |
Update account settings (consistency, networking, etc.). |
|
New-AzDataFactoryV2 |
Create Azure Data Factory. |
|
Get-AzDataFactoryV2 |
Retrieve Data Factory instances. |
|
New-AzSynapseWorkspace |
Create a Synapse workspace. |
|
Get-AzSynapseWorkspace |
Retrieve Synapse workspaces. |
|
New-AzKeyVault |
Create a Key Vault. |
|
Get-AzKeyVault |
Retrieve Key Vault configuration. |
|
Set-AzKeyVaultAccessPolicy |
Configure Key Vault access policies (legacy model). |
|
Set-AzKeyVaultSecret |
Create or update a secret. |
|
Get-AzKeyVaultSecret |
Retrieve secrets. |
Storage Module
Az.Storage
|
Command |
Explanation |
|
New-AzStorageAccount |
Create a storage account with SKU and redundancy. |
|
Get-AzStorageAccount |
Retrieve storage account properties. |
|
Set-AzStorageAccount |
Update storage account settings (TLS, network rules, etc.). |
|
Get-AzStorageAccountKey |
Retrieve account keys (avoid in enterprise, prefer Entra ID). |
|
New-AzStorageContext |
Create a storage context used by many storage cmdlets. |
|
New-AzStorageContainer |
Create a blob container. |
|
Get-AzStorageContainer |
List blob containers. |
|
Set-AzStorageBlobContent |
Upload a file as a blob. |
|
Get-AzStorageBlob |
List blobs in a container. |
|
Remove-AzStorageBlob |
Delete a blob. |
|
Start-AzStorageBlobCopy |
Start a server-side copy operation. |
|
New-AzStorageShare |
Create an Azure Files share. |
|
Get-AzStorageShare |
List file shares. |
|
New-AzStorageDirectory |
Create directory in a file share. |
|
Get-AzStorageFile |
List files in a share. |
|
New-AzStorageQueue |
Create a queue. |
|
Get-AzStorageQueue |
Retrieve queues. |
|
New-AzStorageTable |
Create a table (classic Table service). |
|
Get-AzStorageTable |
List tables. |
|
New-AzStorageAccountSASToken |
Generate SAS token for account-level access. |
|
New-AzStorageContainerSASToken |
Generate SAS token for container access. |
|
Update-AzStorageAccountNetworkRuleSet |
Configure storage firewall rules and network restrictions. |
|
Add-AzStorageAccountNetworkRule |
Add IP or VNet rules for storage. |
|
Remove-AzStorageAccountNetworkRule |
Remove network rules. |
Disaster Recovery Module
Az.RecoveryServices, Az.SiteRecovery, plus related Services for failover patterns
|
Command |
Explanation |
|
New-AzRecoveryServicesVault |
Create a Recovery Services Vault. |
|
Get-AzRecoveryServicesVault |
Retrieve vault(s). |
|
Set-AzRecoveryServicesVaultContext |
Set the vault context for subsequent backup and ASR cmdlets. |
|
Get-AzRecoveryServicesBackupProtectionPolicy |
List backup policies. |
|
New-AzRecoveryServicesBackupProtectionPolicy |
Create a backup policy (workload dependent). |
|
Enable-AzRecoveryServicesBackupProtection |
Enable backup for a protected item under a policy. |
|
Get-AzRecoveryServicesBackupItem |
List protected backup items. |
|
Backup-AzRecoveryServicesBackupItem |
Trigger an on-demand backup. |
|
Get-AzRecoveryServicesBackupJob |
View backup jobs and status. |
|
Stop-AzRecoveryServicesBackupJob |
Stop a running backup job where supported. |
|
New-AzRecoveryServicesAsrFabric |
Create or register an ASR fabric (provider scenario dependent). |
|
Get-AzRecoveryServicesAsrFabric |
Retrieve ASR fabric objects. |
|
New-AzRecoveryServicesAsrProtectionContainer |
Create protection container. |
|
Get-AzRecoveryServicesAsrProtectionContainer |
Retrieve protection containers. |
|
New-AzRecoveryServicesAsrReplicationPolicy |
Create replication policy for ASR. |
|
Get-AzRecoveryServicesAsrReplicationPolicy |
Retrieve replication policies. |
|
New-AzRecoveryServicesAsrProtectionContainerMapping |
Map containers using replication policy. |
|
Start-AzRecoveryServicesAsrTestFailoverJob |
Perform ASR test failover. |
|
Start-AzRecoveryServicesAsrUnplannedFailoverJob |
Trigger unplanned failover (disaster scenario). |
|
Start-AzRecoveryServicesAsrPlannedFailoverJob |
Trigger planned failover (maintenance scenario). |
|
Start-AzRecoveryServicesAsrCommitFailoverJob |
Commit failover once validated. |
|
Start-AzRecoveryServicesAsrReprotectJob |
Re-protect after failover for failback readiness. |
|
Get-AzTrafficManagerProfile |
Retrieve Traffic Manager profiles used for DR failover. |
|
Set-AzTrafficManagerProfile |
Modify Traffic Manager configuration (endpoints, routing). |
|
Get-AzFrontDoor or Get-AzCdnFrontDoorProfile |
Retrieve Front Door configuration (module depends on SKU). |
|
Get-AzMonitorMetricAlertRuleV2 |
Retrieve metric alert rules used to detect outages and trigger response. |
|
Add-AzMetricAlertRuleV2 |
Create metric alert rules for DR monitoring and escalation. |
Vault Management
|
Command |
Explanation |
|
New-AzRecoveryServicesVault |
Create a new Recovery Services Vault |
|
Get-AzRecoveryServicesVault |
Retrieve vault(s) |
|
Set-AzRecoveryServicesVaultContext |
Set vault context for backup operations |
|
Remove-AzRecoveryServicesVault |
Delete vault (must remove protected items first) |
|
Update-AzRecoveryServicesVault |
Update vault properties |
|
Get-AzRecoveryServicesVaultProperty |
View vault configuration |
|
Set-AzRecoveryServicesVaultProperty |
Modify vault configuration |
|
Set-AzRecoveryServicesBackupProperty |
Configure vault-level backup settings |
Vault Security and Storage Settings
|
Command |
Explanation |
|
Set-AzRecoveryServicesVaultProperty -BackupStorageRedundancy |
Configure LRS or GRS |
|
Get-AzRecoveryServicesVaultProperty |
View redundancy configuration |
|
Set-AzRecoveryServicesVaultProperty -SoftDeleteFeatureState |
Enable or disable soft delete |
|
Set-AzRecoveryServicesVaultProperty -ImmutabilityState |
Configure immutable vault |
Backup Policy Management
|
Command |
Explanation |
|
Get-AzRecoveryServicesBackupProtectionPolicy |
List backup policies |
|
New-AzRecoveryServicesBackupProtectionPolicy |
Create new backup policy |
|
Set-AzRecoveryServicesBackupProtectionPolicy |
Modify policy settings |
|
Remove-AzRecoveryServicesBackupProtectionPolicy |
Delete backup policy |
|
Get-AzRecoveryServicesBackupSchedulePolicyObject |
Create schedule policy object |
|
Get-AzRecoveryServicesBackupRetentionPolicyObject |
Create retention policy object |
Azure VM Backup
|
Command |
Explanation |
|
Enable-AzRecoveryServicesBackupProtection |
Enable VM backup |
|
Disable-AzRecoveryServicesBackupProtection |
Disable VM backup |
|
Get-AzRecoveryServicesBackupItem |
Retrieve protected VM(s) |
|
Backup-AzRecoveryServicesBackupItem |
Trigger on-demand backup |
|
Get-AzRecoveryServicesBackupRecoveryPoint |
List available restore points |
|
Restore-AzRecoveryServicesBackupItem |
Restore VM or disk |
|
Get-AzRecoveryServicesBackupJob |
Monitor backup jobs |
|
Stop-AzRecoveryServicesBackupJob |
Cancel backup job |
Restore Operations (VM)
|
Command |
Explanation |
|
Restore-AzRecoveryServicesBackupItem -RestoreAsUnmanagedDisks |
Restore as disks |
|
Restore-AzRecoveryServicesBackupItem -RestoreToStagingStorageAccount |
Restore to staging storage |
|
Restore-AzRecoveryServicesBackupItem -RestoreToAlternateLocation |
Restore to different resource group |
|
Get-AzRecoveryServicesBackupRecoveryConfig |
Generate recovery configuration |
Azure Files Backup
|
Command |
Explanation |
|
Enable-AzRecoveryServicesBackupProtection |
Enable backup for file share |
|
Get-AzRecoveryServicesBackupContainer |
List storage account containers |
|
Get-AzRecoveryServicesBackupItem |
Retrieve protected file shares |
|
Restore-AzRecoveryServicesBackupItem |
Restore file share or individual file |
|
Get-AzRecoveryServicesBackupRecoveryPoint |
Retrieve file share restore points |
Azure SQL in Azure VM Backup
|
Command |
Explanation |
|
Get-AzRecoveryServicesBackupContainer -ContainerType AzureVMAppContainer |
Discover SQL workloads |
|
Enable-AzRecoveryServicesBackupProtection |
Enable SQL database backup |
|
Get-AzRecoveryServicesBackupItem -WorkloadType MSSQL |
Retrieve protected databases |
|
Backup-AzRecoveryServicesBackupItem |
Trigger SQL backup |
|
Restore-AzRecoveryServicesBackupItem |
Restore SQL database |
Backup Jobs and Monitoring
|
Command |
Explanation |
|
Get-AzRecoveryServicesBackupJob |
List backup jobs |
|
Get-AzRecoveryServicesBackupJobDetails |
Get detailed job information |
|
Stop-AzRecoveryServicesBackupJob |
Stop running job |
|
Get-AzRecoveryServicesBackupStatus |
Check backup protection status |
Container and Item Discovery
|
Command |
Explanation |
|
Get-AzRecoveryServicesBackupContainer |
List registered containers |
|
Register-AzRecoveryServicesBackupContainer |
Register container for backup |
|
Unregister-AzRecoveryServicesBackupContainer |
Remove container registration |
Cross-Region Restore
|
Command |
Explanation |
|
Get-AzRecoveryServicesBackupRecoveryPoint -UseSecondaryRegion |
Retrieve recovery points from secondary region |
|
Restore-AzRecoveryServicesBackupItem -UseSecondaryRegion |
Restore from secondary region |
Soft Delete and Immutability
|
Command |
Explanation |
|
Undo-AzRecoveryServicesBackupItemDeletion |
Recover soft-deleted item |
|
Get-AzRecoveryServicesVaultProperty |
Verify immutability state |
If you would like to explore this topic in greater depth, see my book Mastering PowerShell: From Basics to Automation Excellence, where the subject is covered in much greater detail. The guide expands on the concepts discussed in this article with deeper architectural explanations, service capabilities, and step-by-step implementation using Azure Portal, Azure CLI, Terraform, and Bicep. It also includes real-world deployment, configuration, and troubleshooting scenarios designed for IT professionals, administrators, and cloud architects. All of my books include detailed architectural diagrams and practical deployment examples using PowerShell, Azure CLI, Terraform, and Bicep.
0 comments