Whether you’re planning your first cloud migration or looking to evolve an already migrated infrastructure, this session will provide you with insights to transform migration into an opportunity for innovation.

Non vedo l’ora!

Il tema?

Infrastructure as Code su Azure: Bicep, Terraform, ARM templates, tool emergenti. Quale scegliere e perché? Facciamo chiarezza.

In questa sessione metterò ordine nel panorama IaC su Azure con un approccio pragmatico e senza evangelizzazioni. Ti aiuterò a capire quale strumento ha senso per il tuo contesto, evitando sia l’hype che le guerre di religione e condividendo indicazioni concrete per partire col piede giusto o per migliorare progetti esistenti.

Clicca qui per iscriverti all’evento (gratuito).

Con questo crossover abbiamo chiuso l’anno dei Meetup.

Abbiamo parlato delle novità che ci ha portato questo 2025 e di cosa ci è, o non ci è, piaciuto.

Prerequisites

• EntraID Global Administrator role;
• Microsoft Graph PowerShell SDK;
• An Azure Automation Account with an associated system managed identity;
• PowerShell v7.2;
• An Azure Storage Account with a Fileshare to persist audit logs;
• The Automation Account’s identity must be assigned with the following RBAC roles on storage account:
  • Reader and data access;
  • Storage File Data SMB Share Contributor.
• Microsoft Fabric audit logs must be enabled, read more.

Creation Of A Role Group In Exchange Online

IMPORTANT: Access to enable/disable auditing and access to audit cmdlets requires permissions from the Exchange Admin center.

The access to Exchange Online and his commandlets must be restricted to reduce the risk of data compromise. To do so, it is necessary to create a role group in Exchange Online Admin center that will give the Automation Account the permission to read the audit logs.

To create a role group in Exchange Online, log in to the Exchange Admin Center and from the “admin roles” page, create a role group as follows:

Assign “Audit Logs Reader” Role Group To The Automation Account’s System Managed Identity

Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All
 
$EntraIDApp = Get-MgServicePrincipal -Filter "DisplayName eq '<automation_account_name>'"

Connect-ExchangeOnline -UserPrincipalName <global_admin_user>

New-ServicePrincipal -DisplayName "<automation_account_name>" -AppId "<app_ID>" -ServiceId $ EntraIDApp.Id
 
Add-RoleGroupMember -Identity "Audit Logs Reader" -Member "<app_ID>"

Assign The Exchange.ManageAsApp EntraID Permission To The Automation Account’s System Managed Identity

To allow the Azure Automation Account to access resources in Exchange, assign the following EntraID Application API permission:

Office 365 Exchange Online > Exchange.ManageAsApp

Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All

$TenantID="<tenant_id>"
$DisplayNameOfMSI="<automation_account_name>"
$Office365ExchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000" 
$ExchangeManageAsAppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440" 

$MSI = (Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'").Id
$ResourceID = (Get-MgServicePrincipal -Filter "AppId eq '$Office365ExchangeOnlineAppId").Id

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI -PrincipalId $MSI -AppRoleId $ExchangeManageAsAppRoleID -ResourceId $ResourceID

Use A PowerShell Runbook In Azure Automation Account To Extract PowerBI Audit Logs

To implement the runbook, I used the script you find on Microsoft Learn as a basis.

Here are the changes I made:

• Added parameters to execute as runbook in Azure Automation Account;
• Connection to Exchange Online;
• Disconnection from Exchange Online without a confirmation prompt;
• Added retry logic;
• Added logic to save export file to Azure Files.

[CmdletBinding()]
param(
 [Parameter(Mandatory=$False)]
 [string]$TenantID,
 [Parameter(Mandatory=$True)]
 [ValidateNotNullOrEmpty()]
 [string]$SubscriptionID,
 [Parameter(Mandatory=$True)]
 [ValidateNotNullOrEmpty()]
 [string]$ResourceGroupName,
 [Parameter(Mandatory=$True)]
 [ValidateNotNullOrEmpty()]
 [string]$StorageAccountName,
 [Parameter(Mandatory=$True)]
 [ValidateNotNullOrEmpty()]
 [string]$FileShareName,
 [Parameter(Mandatory=$True)]
 [ValidateNotNullOrEmpty()]
 [string]$FolderName,
 [Parameter(Mandatory=$False)]
 [ValidateNotNullOrEmpty()]
 [string]$RecordType = "PowerBIAudit"
)
$ErrorActionPreference = "Stop"

$startTime = (Get-Date)
filter timestamp {"[$(Get-Date -Format G)]: $_"}
Write-Output "Script started" | timestamp
$Stoploop = $false
$Retrycount = 0
$MaxRetry = 3
$WaitTimeInSeconds = 30
$outputFile = ""
do {
    try {
        Import-Module ExchangeOnlineManagement

        Connect-ExchangeOnline -ManagedIdentity -Organization "<organization_name>"

        [DateTime]$start = [DateTime]::UtcNow.AddDays(-1).Date
        [DateTime]$end = $start.Date.AddHours(23).AddMinutes(59).AddSeconds(59).AddMilliseconds(999)
        $resultSize = 5000
        $intervalMinutes = 60
        $year = $startTime.ToString("yyyy")
        $month = $startTime.ToString("MM")
        $day = $startTime.ToString("dd")
        $outputFile = "$env:TEMP\AuditLogRecords_$year$month$day.csv"

        #Start script
        [DateTime]$currentStart = $start
        [DateTime]$currentEnd = $end

        Write-Output "Retrieving audit records for the date range between $($start) and $($end), RecordType=$RecordType, ResultsSize=$resultSize" | timestamp

        $totalCount = 0
        while ($true)
        {
            $currentEnd = $currentStart.AddMinutes($intervalMinutes)
            If ($currentEnd -gt $end)
            {
                $currentEnd = $end
            }

            If ($currentStart -eq $currentEnd)
            {
                break
            }

            $sessionID = [Guid]::NewGuid().ToString() + "_" +  "ExtractLogs" + (Get-Date).ToString("yyyyMMddHHmmssfff")
            Write-Output "Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)" | timestamp
            $currentCount = 0
            do
            {
              $results = Search-UnifiedAuditLog -StartDate $currentStart -EndDate $currentEnd -RecordType $RecordType -SessionId $sessionID -SessionCommand ReturnLargeSet -ResultSize $resultSize
              if (($results | Measure-Object).Count -ne 0)
              {
                  $results | export-csv -Path $outputFile -Append -NoTypeInformation
                  $currentTotal = $results[0].ResultCount
                  $totalCount += $results.Count
                  $currentCount += $results.Count
                  if ($currentTotal -eq $results[$results.Count - 1].ResultIndex)
                  {
                      Write-Output "Successfully retrieved $($currentTotal) audit records for the current time range. Moving on to the next interval."
                      ""
                      break
                  }
              }    
            }
            while (($results | Measure-Object).Count -ne 0)
            $currentStart = $currentEnd
        }

        #Silently disconnect from Exchange Online without a confirmation prompt
        Disconnect-ExchangeOnline -Confirm:$false

        Write-Output "Script complete! Finished retrieving audit records for the date range between $($start) and $($end). Total count: $totalCount" | timestamp
        If($totalCount -gt 0) {
            $directoryPath = "$FolderName/$year-$month-$day"
            $FileName = "auditLogs.csv"
            
            If ([string]::IsNullOrEmpty($TenantID)) {
                $TenantID = Get-AutomationVariable -Name "DefaultTenantId"
            }

            Write-Output "Logging in to Azure using Automation Account identity" | timestamp
            Connect-AzAccount -Identity -Tenant $TenantID -Subscription $SubscriptionID

            Write-Output "Upload files to file share" | timestamp  

            $ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context

            $folderExists = $false
            try {
                Get-AzStorageFile -Context $ctx -ShareName $FileShareName -Path $directoryPath
                $folderExists = $true
                Write-Output "Directory $directoryPath already exists." | timestamp
            }
            catch {
                Write-Output "Directory $directoryPath does not exist, creating it..." | timestamp
                $folderExists = $false
            }

            if (-not $folderExists) {
                New-AzStorageDirectory -Context $ctx -ShareName $FileShareName -Path $directoryPath
            }

            Set-AzStorageFileContent -Context $ctx -ShareName $FileShareName -Source $outputFile -Path "$directoryPath/$FileName" -Force
        }

        $Stoploop = $true
    }
    catch {
        if ($Retrycount -gt $MaxRetry)
        {
            Write-Output "Export failed $MaxRetry times and we will not try again." | timestamp
            $Stoploop = $true
            Write-Error -Message $_.Exception | timestamp
            throw $_.Exception
        }
        else  
        {
            Write-Output -Message $_.Exception.Message | timestamp
            Write-Output "Export failed. Retrying in $WaitTimeInSeconds seconds..." | timestamp
            Start-Sleep -Seconds $WaitTimeInSeconds
            $Retrycount = $Retrycount + 1
        }
    }
    finally{
        if (Test-Path $outputFile) {
            Remove-Item -Path $outputFile -Force
        }
    }
}
While ($Stoploop -eq $false)

$duration = NEW-TIMESPAN –Start $startTime –End (Get-Date)
Write-Output "Done in $([int]$duration.TotalMinutes) minute(s) and $([int]$duration.Seconds) second(s)" | timestamp

Important Notes

• You can retrieve audit logs through the Office 365 Management Activity API or the audit log search tool in the Microsoft Purview portal;
• This runbook extracts sensitive data, which must be managed carefully, especially when used in an enterprise environment;
• Access to Exchange Online Management PowerShell module must be controlled and limited. It is good practice to disable EXO PowerShell module on accounts that do not need to use them.

Here is how to disable Exchange Online PowerShell module access for users who don’t have any directory roles (admin roles) in Microsoft 365:

Connect-MgGraph

Get-MgUser | ForEach-Object {
 if (-not (Get-MgUserMemberOf -UserId $_.UserPrincipalName | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.directoryRole' })) {
    Set-User -Identity $_.UserPrincipalName -EXOModuleEnabled $false
  }
}

Prerequisites

• Visual Studio Code with Azure Resources extension;
• A Blob triggered function;
• An Azure Storage Account with a Blob container;
• An Event Grid system topic of type “Microsoft.Storage.StorageAccounts” with your storage account as source;
• A ngrok account and a ngrok auth token;

Why Use ngrok?

ngrok is needed to expose your locally running Azure Function to the public, so it can be triggered by Azure Event Grid webhooks event handlers.

IMPORTANT: there is already a very detailed tutorial on Microsoft Learn about this topic. As you can see in the official tutorial, you should use Azurite to emulate Azure Storage services when runnig locally. In my case, I had to attach to a real Azure Storage Account to debug an Azure Function that is triggered by blobs created by a third party service. I wanted to make this point because exposing development resources publicly is considered an unsafe practice.

Connect Your ngrok Account

ngrok config add-authtoken <your_auth_token>

Start ngrok

ngrok http 7071

Create An Event Grid Event Subscription Of Type Webhook

In your Event Grid System Topic, create an event subscription with the following characteristics:

• endpoint type: webhook
• event type filter: “Blob Created”
• subscriber endpoint: use the forwarding endpoint provided by ngrok at the previous step to create an event subscription in Event Grid System Topic:

  https://{random_identifier}.ngrok-free.app/runtime/webhooks/EventGrid?functionName={function_name}

Note: for this guide, I created an event subscription with basic settings. Depending on the context, further configuration may be required (see “Filters”, “Additional Features”, “Delivery Properties” blades on event subscription creation wizard in Azure Portal).

IMPORTANT: You have to start your Azure Function locally to create the event subscription.

If the event subscription creation has been completed successfully, you will see a 200 status code in ngrok output:

Start Debugging

Now that you have the event subscription in place, you can finally debug your application.

Use the Azure Resources extension in Visual Studio Code to upload files to the blob container and debug the blob triggered function.

Thank you for reading and happy debugging!

Issue Details

The problem occurs when the nuget.config file contains multiple package sources, such as:

<packageSources>
  <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  <add key="externalSourceThatRequireAuth" value="https://[...]/nuget/v3/index.json"/>
  <add key="Microsoft Visual Studio Offline Packages" value="C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\" />
</packageSources>

When running dotnet restore in .NET 8 with multiple configured NuGet sources, developers encounter the following error:

C:\Program Files\dotnet\sdk\8.0.100\NuGet.targets(156,5): error : Unable to load the service index for source https://[…]/nuget/v3/index.json. C:\Program Files\dotnet\sdk\8.0.100\NuGet.targets(156,5): error : Response status code does not indicate success: 401 (Unauthorized).

I myself have encountered this issue on some customer Azure Devops pipelines and, by force of circumstances, I ended up on the NuGet Github issue 13129.

Workarounds

Couple of workarounds have been identified that successfully resolve the issue:

• Installation of the latest version of Azure Artifact Credential Provider;

• Using VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variable for DotNetCoreCLI@2 task in Azure Devops Pipelines.

I chose the second solution, because I wasn’t very confident in updating the Azure artifact credential provider on my customer (a big one) self-hosted Azure Devops Agent, used daily by all development teams of that company.

Using VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variable for DotNetCoreCLI@2 task in Azure Devops Pipelines

Here is how to use the VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variable in DotNetCoreCLI@2 task.

- task: DotNetCoreCLI@2
  inputs:
    command: "restore"
    projects: '<sln_file_path>'
    feedsToUse: 'config'
    nugetConfigPath: '<nuget_config_path>'
    restoreArguments: '--no-cache'
  env:
    VSS_NUGET_EXTERNAL_FEED_ENDPOINTS: $(FEED_ENDPOINT)

The $(FEED_ENDPOINT) variable holds a secret value.

VSS_NUGET_EXTERNAL_FEED_ENDPOINTS is a JSON that contains an array of service endpoints, usernames and access tokens to authenticate endpoints in nuget.config

{"endpointCredentials": [{"endpoint":"http://example.index.json", "username":"optional", "password":"accesstoken"}]}

As you can see from the example, this solution requires an Azure Devops Personal Access Token. The PAT must have Packaging (Read) permission, to allow consuming packages from the Azure Artifacts feed.

Important Note

Normally, you should not use a PAT to access Azure Devops Artifact feeds in Azure Devops Pipelines. In fact, it is enough that the AZDO project Build Service has read permissions on the feed in order to be able to consume its packages.

What is Azure Application Gateway?

Azure Application Gateway is a powerful load balancing service, but it can be as well one of those services that quietly accumulates costs even when you are not actively using it. If you are running development environments, proof-of-concepts, or seasonal applications, stopping your Application Gateway when it’s not needed can lead to significant cost savings.

How does the Application Gateway impact on Azure costs?

Unlike some Azure services that only charge for usage, Application Gateway has a fixed hourly charge simply for being provisioned. Even if no traffic is flowing through it, you are still paying for the gateway to be available. For the Web Application Firewall V2 tier, this can be around €300 per month (as of August 18, 2025, for the Italy North region) just for having it running.

How to Stop Azure Application Gateway

The Azure Application Gateway cannot be stopped from the Azure portal, you have to use az cli/Powershell or the REST API.

To stop/start an Azure Application Gateway you need to be assigned with the Contributor role.

Using Azure CLI

az network application-gateway stop --ids <agw_id>

or

az network application-gateway stop \
  --name <agw_name> \
  --resource-group <rg_name>

Using PowerShell

$AppGw = Get-AzApplicationGateway -Name <agw_name> -ResourceGroupName <rg_name>
Stop-AzApplicationGateway -ApplicationGateway $AppGw

Important Considerations

What happens when you stop the Azure Application Gateway:

• All traffic routing through the gateway will be interrupted.
• All configurations are preserved, except for VIP, in V1 sku Azure Application Gateways only (for V2 sku, IPs are static).
• The DNS name associated with the Azure Application Gateway does not change.
• PUT operations done on a stopped Azure Application Gateway will trigger a start.

Check Azure Application Gateway operational state in “Properties” blade.

Restart the Azure Application Gateway when you need it

Using Azure CLI

az network application-gateway start --ids <agw_id>

or

az network application-gateway start \
  --name <agw_name> \
  --resource-group <rg_name>

Using PowerShell

$AppGw = Get-AzApplicationGateway -Name <agw_name> -ResourceGroupName <rg_name>
Start-AzApplicationGateway -ApplicationGateway $AppGw

Note that it typically takes a few minutes for the Application Gateway to fully start and begin accepting traffic.

For non-production environments or applications with predictable downtime, stopping Azure Application Gateway is one of the easiest ways to reduce Azure costs. The savings can be substantial, especially when multiplied across multiple environments or extended periods.

You are working on an Azure infrastructure that must implement private connectivity. You create an App Service that needs a Azure Files mounted as local share. Both App Service and Storage account use private connectivity only.

App Service’s virtual network integration is active, so the app can access resources in your virtual network. Inbound private access to the app and to the storage account is granted through private endpoints.

The Problem

You already configured the fileshare mount on App Service, but the app is unable to read from the fileshare.

Why?

The reasons could be many, but one important thing to know is the following: with virtual network integration on your app, the mounted drive uses an RFC1918 IP address and not an IP address from your virtual network. In order to enable routing through your virtual network you have to set the following app setting in App Service’s environment variables:

The Solution

WEBSITE_CONTENTOVERVNET = 1

Sources

• Manage Azure App Service virtual network integration routing

• Mount Azure Storage as a local share in App Service

Why Cap Log Analytics Workspace Ingestion?

Azure charges for Log Analytics Workspace based on the volume of data ingested. Without proper controls, ingestion can spike due to:

• Excessive data from monitored resources
• Misconfigured diagnostic settings
• Unexpected changes in workloads

Capping ingestion helps:

• Prevent budget overruns
• Maintain predictable costs

How to Identify Log Analytics Workspaces Using Azure Resource Graph

Use an Azure Resource Graph query to list all Log Analytics Workspaces and check which of them has capping enabled:

Resources
| where type == "microsoft.operationalinsights/workspaces"
| extend dailyQuotaGb = properties.workspaceCapping.dailyQuotaGb
| project name, location, dailyQuotaGb, subscriptionId, id

Note: records for which ‘dailyQuotaGb’ column has ‘-1’ value have no cap enabled!

You can also create a Log Search Alert to audit Log Analytics Workspace periodically:

arg("").Resources
| where type == "microsoft.operationalinsights/workspaces"
| extend dailyQuotaGb = properties.workspaceCapping.dailyQuotaGb
| project name, location, dailyQuotaGb, subscriptionId, id

To know more about Azure Monitor Alerts with ARG queries see Azure Resource Graph Alerts query quickstart

How To Set Daily Cap in Log Analytics Workspace

In the Azure Portal, go to your instance of Log Analytics Workspace:

• From the left menu, select Usage and estimated costs.
• Select Daily Cap.
• Select ON and set the cap in GB/day (the minimum value is 0.023).

If you prefer to use Azure Resource Manager APIs, here is the link to Log Analytics Workspace’s Create Or Update documentation: Azure Resource Manager - Workspaces - Create Or Update

Monitor Ingestion Volume Using Log Analytics queries

Create a Log Search Alert To track ingestion volume, by querying the Usage table:

Usage
| where IsBillable
| summarize DataGB = sum(Quantity / 1000)
| where DataGB > 1

You can also create a Log Search Alert to notify you when ingestion exceeds a defined limit:

_LogOperation | where Category =~ "Ingestion" | where Detail contains "OverQuota"

Alerts can be configured to run daily and trigger actions like emails or automation.

Capping Log Analytics Workspace ingestion is essential for cost control in Azure Monitor. By combining Azure Resource Graph for discovery and Log Analytics queries for monitoring, you can build a proactive strategy to manage ingestion across your tenant.

Following is the content of my session at the Azure Meetup Casteddu, held a few days ago at Sa Manifattura, Cagliari.

To stay updated about Azure Meetup Casteddu events, I invite you to join the community:

Join Azure Meetup Casteddu on Whatsapp

Join Azure Meetup Casteddu - Meetup page

Follow Azure Meetup Casteddu on LinkedIn

Azure Developer CLI (azd)

The common Azure Development Challenges

Have you ever spent more time configuring Azure deployments than actually writing code?

Well, it happened to me, specially when I was learning Azure.

Before diving into this article, try to answer the following questions:

1. How long does it take you to build a proof of concept?
2. How long does it take you to deploy it on Azure?
3. Can you do it yourself or do you ask your DevOps mates for help?
4. Are you able to implement a robust repeatable deployment process that allows you to share your work with your colleagues so they can work on it and redeploy it in a short time? How long does it take you?

The Problems We All Face

• Infrastructure Setup Complexity: Deep knowledge of Azure services is required;
• Time spent on DevOps/Platform engineering instead of development;
• Deployment pipeline + IAC headaches;
• Environment consistency issues.

All of these are factors that can slow down development and increase the risk of errors.

The Solution: Azure Developer CLI

An open-source tool that accelerates provisioning and deploying app resources on Azure. azd CLI provides best practice, developer-friendly commands that map to key stages in development workflows.

Note: Azure Developer CLI ≠ Azure CLI

source - aka.ms/learn - Compare Azure Developer CLI commands

Features

Supported Azure compute services (host)

source - aka.ms/learn - azd CLI Supported Azure Compute Services

Supported languages and frameworks

source - aka.ms/learn - azd CLI Supported Languages and Framework

Template library - AWESOME-AZD

Develop your own templates

source - aka.ms/learn - Make azd Compatible

Template Structure

• .azure folder - Contains essential Azure configurations and environment variables, such as the location to deploy resources or other subscription information
• infra folder - Contains all of the Bicep or Terraform infrastructure-as-code files for the azd template
• src folder - Contains all of the deployable app source code
• azure.yaml file - A configuration file that defines services and maps them to Azure resources

Azure.yaml Overview

The azure.yaml file describes the application and the Azure resources included in the azd template.

# yaml-language-server: $schema=https://raw.githubusercontent.com/Azure/azure-dev/main/schemas/v1.0/azure.yaml.json

name: todo-csharp-sql
metadata:
  template: todo-csharp-sql@0.0.1-beta
workflows:
  up: 
    steps:
      - azd: provision
      - azd: deploy --all
services:
  web:
    project: ./src/web
    dist: dist
    language: js
    host: appservice
    hooks:
      # Creates a temporary `.env.local` file for the build command. Vite will automatically use it during build.
      # The expected/required values are mapped to the infrastructure outputs.
      # .env.local is ignored by git, so it will not be committed if, for any reason, if deployment fails.
      # see: https://vitejs.dev/guide/env-and-mode
      # Note: Notice that dotenv must be a project dependency for this to work. See package.json.
      prepackage:
        windows:
          shell: pwsh
          run: 'echo "VITE_API_BASE_URL=""$env:API_BASE_URL""" > .env.local ; echo "VITE_APPLICATIONINSIGHTS_CONNECTION_STRING=""$env:APPLICATIONINSIGHTS_CONNECTION_STRING""" >> .env.local'
        posix:
          shell: sh
          run: 'echo VITE_API_BASE_URL=\"$API_BASE_URL\" > .env.local && echo VITE_APPLICATIONINSIGHTS_CONNECTION_STRING=\"$APPLICATIONINSIGHTS_CONNECTION_STRING\" >> .env.local'    
      postdeploy:
        windows:
          shell: pwsh
          run: 'rm .env.local'
        posix:
          shell: sh
          run: 'rm .env.local'
  api:
    project: ./src/api
    language: csharp
    host: appservice

As you can see from the todo-csharp-sql template’s azure.yaml, the template includes two services:

How azd Maps IaC templates and application source code to service in azure.yaml

For what concerns IaC templates, the CLI assumes the IaC module name is the same as the service name, otherwise the module path (relative to the root infra folder) can be specified using the module property at the single service level.

The path to the service source code is specified through the service project property.

For further information, here is the link to azure.yaml schema.

Workflows

azd init workflows

1. Scan current directory: Analyzes existing app codebase to generate appropriate configuration
2. Select a template: Clones and initializes a template from gallery
3. Create a minimal project: Initializes basic azure.yaml file

azd up workflow

1. Packaging: prepares the application code and dependencies
2. Provisioning: creates and configures Azure resources
3. Deployment: deploys the packaged application

azd CLI Zero to Hero in 8 Commands

# 1. Login to Azure
azd auth login

# 2. Initialize from template
azd init --template todo-csharp-sql

# 3. Provision and deploy
azd up

# 4. View your live app
azd show

# 5. Provision infrastructure (Bicep/Terraform)
azd provision

# 6. Make changes to app code and redeploy
azd deploy

# 7. Monitor and troubleshoot
azd monitor

# 8. Delete resources
azd down

Below you will see the commands in action:

azd auth login

Let’s authenticate to Azure:

azd init

Let’s download a template and then initialize the workspace:

Let’s take a look to the .azure folder:

As I wrote before, this folder contains the environment configuration. In this case, only one environment has been created, “demo”, but multiple environments can be created.

azd up

This is my favorite command. Hold on tight!

With a single command we created the infrastructure and deployed the applications.

azd show

Let’s have a look at the apps that we just published:

azd deploy

Let’s publish changes to the webapp:

azd monitor

Finally, we can monitor our application:

TIP: run the following command to go to Application Insights Live Metrics

azd monitor --live

azd down

Here is how to cleanup Azure resources:

CI/CD Pipeline Support

Pipeline Configuration

The azd pipeline config command automates provisioning and deployment of CI/CD pipelines using pipeline definition files included in azd templates.

Supports:

• Azure Pipelines
• Github Actions

Configuration Steps

1. Authentication with Azure
2. CI/CD platform selection
3. Repository configuration
4. Setup of the service principal
5. Setup of the authentication:
   • GitHub: OpenID Connect (OIDC) or client credentials
   • Azure Pipelines: Workload identity federation (OIDC) or client credentials
6. Provisioning of the pipeline files
7. Creation of pipeline variables and secrets
8. Commit and push changes
9. Trigger pipeline runs

azd pipeline config demo

Let’s see the command in action:

Note: As you can see from the first screenshot, I chose Azure Devops provider, so i used a PAT. The PAT must have the following scopes:

• Agent Pools (read, manage)
• Build (read and execute)
• Code (full)
• Project and team (read, write, and manage)
• Release (read, write, execute, and manage)
• Service Connections (read, query, and manage)

Behind the scenes, azd cli created:

• a new Azure Devops Project;
• a GIT repository for the project;
• an Azure resource group
• a managed identity on Azure, using Workload Identity Federation;
• a service connection (with workload identity federation) on Azure Devops, using the managed identity created previously;
• the CI/CD pipeline using the provided pipeline definition (azd-dev.yaml);
• pipeline variables and secrets. IMPORTANT: secrets are stored in Azure Key vault;
• Key vault read access role assignment for the managed identity, so it can retrieve secrets during pipeline execution.

Impressive, right? :)

It would have taken me longer to do the same things without azd cli.

Event Hooks

Hooks can execute custom scripts before and after azd commands or service lifecycle events. They are configured in azure.yaml file with OS-specific support (Windows or Posix).

Command Hooks

• prerestore and postrestore
• preprovision and postprovision
• predeploy and postdeploy
• preup and postup
• predown and postdown

Service Lifecycle Hooks

• prerestore and postrestore
• prebuild and postbuild
• prepackage and postpackage
• predeploy and postdeploy

azd compose (alpha)

azd config set alpha.compose on

I find this command very useful, even though the set of available resources is still limited, because I can create projects from scratch and have a well-set up IAC starter template, in a short time.

azd add

azd add command creates resources without manual IAC templates. Infrastructure state is tracked in-memory.

azd infra gen

azd infra gen or azd infra synth converts state to Bicep files.

azd CLI Extensions (alpha)

azd config set alpha.extensions on

The extensions are modular components that extend azd CLI functionality.

Extension Sources

Extensions are distributed and managed through extension sources (an equivalent concept to NuGet or NPM feeds):

• Official registry: https://aka.ms/azd/extensions/registry
• Development registry: https://aka.ms/azd/extensions/registry/dev

Extension sources are manifest files providing lists of available extensions, following the official schema.

Get Started with azd CLI

Install azd CLI

# Windows 
winget install microsoft.azd 

# macOS 
brew tap azure/azd && brew install azd 

# Linux 
curl -fsSL https://aka.ms/install-azd.sh | bash

Try It Out

azd auth login

azd init --template todo-csharp-sql

azd up

Resources

Documentation: aka.ms/azd

Templates: aka.ms/awesome-azd

Blog: Azure SDK Blog

See you at the next Azure Meetup Casteddu events!

Join Azure Meetup Casteddu on Whatsapp

Join Azure Meetup Casteddu - Meetup page

Follow Azure Meetup Casteddu on LinkedIn