How to manage Azure subscriptions with the Azure CLI
The Azure CLI helps you manage your Azure subscription, create management groups, and lock subscriptions. You might have multiple subscriptions within Azure. You can be part of more than one organization or your organization might divide access to certain resources across groupings. The Azure CLI supports selecting a subscription both globally and per command.
For detailed information on subscriptions, billing, and cost management, see the billing and cost management documentation.
Tenants, users, and subscriptions
A tenant is the Azure Active Directory entity that encompasses a whole organization. A tenant has one or more subscription and user. A user is an individual and is associated with only one tenant, the organization that they belong to. Users are those accounts that sign in to Azure to create, manage, and use resources. A user may have access to multiple subscriptions, which are the agreements with Microsoft to use cloud services, including Azure. Every resource is associated with a subscription.
- To learn more about the differences between tenants, users, and subscriptions, see the Azure cloud terminology dictionary.
- To learn how to add a new subscription to your Azure Active Directory tenant, see Associate or add an Azure subscription to your Azure Active Directory tenant.
- To learn how to sign in to a specific tenant, see Sign in with the Azure CLI.
Commands in an Azure subscription
Many Azure CLI commands act within a subscription. You can always specify which subscription to work in by using the subscription parameter in your command. That parameter is optional. If you don't specify a subscription, the command uses your current, active subscription.
# get the current default subscription using show az account show --output table # get the current default subscription using list az account list --query "[?isDefault]" # get a list of subscriptions except for the default subscription az account list --query "[?isDefault == \`false\`]" # get the details of a specific subscription az account show --subscription MySubscriptionName
--output parameter is a global parameter, available for all commands. The table value presents output in a friendly format. For more information, see Output formats for Azure CLI commands.
Subscriptions contain resource groups. An Azure resource group is a container that holds related resources for an Azure solution. If your command works with resources in your active subscription, you don't need to specify
This command creates a storage account in the specified resource group:
az storage account create --resource-group StorageGroups --name storage136 \ --location eastus --sku Standard_LRS
If the storage group isn't part of your current active subscription, this command fails.
If necessary, change the active subscription, as described in the next section, or specify the subscription in the command:
az storage account create --resource-group StorageGroups --subscription "My Demos" \ --name storage136 --location eastus --sku Standard_LRS
Change the active subscription
You can change your active subscription by using the az account set command.
Get a list of your subscriptions with the az account list command:
az account list --output table
This command lists all the subscriptions you can access. Your active subscription is marked as
True in the
IsDefault column. If you don't see a subscription you expect, add the
--refresh parameter to get the most current list of subscriptions.
To switch to a different subscription, use az account set with the subscription ID or name you want to switch to.
az account set --subscription "My Demos"
Your subscriptions have both a name and an ID, which is a GUID. You can use either for these commands. If you use a name that includes spaces, use quotation marks.
If you run the az account list command again, the
IsDefault column shows your current active subscription.
Create Azure management groups
Azure management groups contain subscriptions. Management groups provide a way to manage access, policies, and compliance for those subscriptions. For more information, see What are Azure management groups.
Use the az account management-group commands to create and manage Azure Management Groups.
You can create a management group for several of your subscriptions by using the az account management-group create command:
az account management-group create --name Contoso01
To see all your management groups, use the az account management-group list command:
az account management-group list
Add subscriptions to your new group by using the az account management-group subscription add command:
az account management-group subscription add --name Contoso01 --subscription "My Demos" az account management-group subscription add --name Contoso01 --subscription "My Second Demos"
To remove a subscription, use the az account management-group subscription remove command:
az account management-group subscription remove --name Contoso01 --subscription "My Demos"
To remove a management group, run the az account management-group delete command:
az account management-group delete --name Contoso01
Removing a subscription or deleting a management group doesn't delete or deactivate a subscription.
Set an Azure subscription lock
As an administrator, you may need to lock a subscription to prevent users from deleting or modifying it. For more information, see Lock resources to prevent unexpected changes.
az account lock create --name "Cannot delete subscription" --lock-type CanNotDelete
You need to have appropriate permissions to create or change locks.
To see the current locks on your subscription, use the az account lock list command:
az account lock list --output table
If you make an account read-only, the result resembles assigning permissions of the Reader role to all users. To learn about setting permissions for individual users and roles, see Add or remove Azure role assignments using Azure CLI.
To see details for a lock, use the az account lock show command:
az account lock show --name "Cannot delete subscription"
You can remove a lock by using the az account lock delete command:
az account lock delete --name "Cannot delete subscription"