How to get limits for azure subscription? - azure

There are some limits for creating resources in an azure subscription, as outlined in the Azure documentation - https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
How to programmatically get the limits from azure cli/sdk?

Here are a few commands to check resource limits:
az --version: shows the installed version.
az login: logs in to Azure.
az network list-usages --location [--subscription]: lists the number of network resources in a region that are used against a subscription quota.
For more information, you can check this Document.
Here are a few commands to check subscription limits:
az account show: to view which Azure Subscription is in use.
az account list: to view a list of all the Azure Subscriptions.
az account set --subscription "Company Subscription": to set the Azure Subscription you want to target.
For more information, you can refer to this Blog.
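Added example, not part of the original answer: one way to turn the az network list-usages output into a near-quota report. It assumes the usage objects expose name.value, currentValue and limit; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag network quotas at or above a utilisation threshold.

# Reads tab-separated "name<TAB>currentValue<TAB>limit" rows on stdin and
# prints the rows whose usage is >= THRESHOLD percent of the limit.
# Rows with a limit of 0 are skipped to avoid dividing by zero.
flag_near_limit() {
  threshold="${1:-80}"
  awk -F '\t' -v t="$threshold" '
    $3 > 0 && ($2 * 100 / $3) >= t {
      printf "%s\t%d/%d\t%.0f%%\n", $1, $2, $3, $2 * 100 / $3
    }'
}

# Pulls live usage for one region and pipes it through the filter.
# Assumption: the --query projection matches the usage object shape
# (name.value, currentValue, limit).
check_network_quota() {
  location="$1"
  az network list-usages --location "$location" \
    --query "[].[name.value, currentValue, limit]" --output tsv |
    flag_near_limit "${2:-80}"
}

# Constructed sample rows in the same TSV layout, for an offline run.
sample_usages() {
  printf 'VirtualNetworks\t45\t50\n'
  printf 'PublicIPAddresses\t3\t1000\n'
  printf 'NetworkSecurityGroups\t100\t100\n'
  printf 'RouteFilters\t0\t0\n'
}

sample_usages | flag_near_limit 80
```

Against a live subscription, call check_network_quota eastus 80 after az login.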

Related

Some azure cli commands return SubscriptionNotExists errors?

I have a free trial subscription on Azure:
$ az account subscription list
Command group 'account subscription' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
[
{
"authorizationSource": "RoleBased",
"displayName": "Azure subscription 1",
"id": "/subscriptions/fffffff-ffff-ffff-ffff-ffffffffffff",
"state": "Enabled",
"subscriptionId": "fffffff-ffff-ffff-ffff-ffffffffffff",
"subscriptionPolicies": {
"locationPlacementId": "Public_2014-09-01",
"quotaId": "FreeTrial_2014-09-01",
"spendingLimit": "On"
}
}
]
but when I execute the command (list MariaDB SKUs) I get the following error:
$ az mariadb server list-skus --location eastus
(SubscriptionNotExists) Subscription 'fffffff-ffff-ffff-ffff-ffffffffffff' does not exist.
Code: SubscriptionNotExists
Message: Subscription 'fffffff-ffff-ffff-ffff-ffffffffffff' does not exist.
Works fine under my other account where I have a pay-as-you-go subscription. Same thing with the go SDK.
If the free trial is the issue it would be great to document it somewhere.
Turns out you have to register provider resources for your subscription before you can use them. For some reason MariaDB was already registered for one of my accounts but not for the other. The error SubscriptionNotExists is extremely confusing in that regard.
To list the MariaDB SKUs, please make sure that you have logged in successfully using the az login cmdlet.
Then try to execute the following command which you are using:
az mariadb server list-skus --location eastus
OUTPUT FOR REFERENCE:-
NOTE:- Try to close and reopen your terminal, use az login and choose the account in which you have the free trial subscription, then use the command.
As I don't have any free trial subscription to test it in my environment.
AFAIK, we can use it for a free trial account as well, based on the below screenshot, and you can also check this Microsoft Document:
For more details, please refer to the below links for Azure free trial supported resources:
MICROSOFT DOCUMENTATION:- Azure free account FAQ, Azure subscription and service limits, quotas, and constraints & az mariadb server list-skus

The subscription of 'concierge subscription' has more than one match in cloud 'AzureCloud'

Using one session of an azure sandbox which lasts for 4 hours. Once one session gets expired, I've created a new sandbox to continue practicing exercises from the Azure portal.
After executing the command: az account set --subscription "Concierge Subscription" I am getting the below error:
However, in the Azure portal there is just one "Concierge Subscription". How can I close the other subscription of the same name?
I think it is just the local cache of the az CLI that is not refreshed. The new subscriptions keep being added, without the expired ones being removed.
Run az account list --refresh, this will remove the expired ones.
The --subscription parameter accepts either the Name or ID of a given subscription.
You can navigate to the Subscriptions blade on the Azure Portal to get the Subscription ID of the current active Sandbox subscription, and then set that subscription to be the current active subscription using:
az account set -s <subscription-id>
Azure CLI Command reference: az account

Azure CLI not showing all keyvault vaults

I created a keyvault and secrets from the MS docs and confirmed that I can list the keyvault and secrets from an Azure CLI session. When somebody else granted me access to another keyvault in our Azure tenant, I was not able to list that vault from the Azure CLI.
The CLI command I am using is : 'az keyvault list'
I have compared the individual policies applied in two vaults, and have 'owner' role access to both. I can see the vaults and secrets when I use a browser to navigate to the azure portal.
Thanks in advance for any suggestions on what I should check.
I suppose the keyvault is in another subscription in your Azure AD tenant. In Azure CLI, you can just use az keyvault list to list the keyvaults in the default subscription; if you want to do operations in another subscription, you need to set that subscription first.
Navigate to the keyvault which you want to list in the portal, copy the Subscription ID like below.
Then run the command below before you list the keyvaults.
az account set --subscription <Subscription ID>
az keyvault list
In my case, my login had expired, but unlike with other commands, I did not get a warning to that effect. It simply returned the [] empty list.
Renewing my login with az login allowed az keyvault list to work.
In my case I had to go to the subscription / RG where the key-vault was and give the user / service principal the Reader role. You can do that by clicking on the subscription/RG and then selecting "Access Control (IAM)" on the left side. And then add the role assignment. Instructions - https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current
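Added example, not code from any of the posts above: a sketch that lists Key Vaults in every enabled subscription rather than only the default one, using the az account list --refresh call mentioned in the Concierge Subscription answer. The function name and messages are illustrative; the state and id fields are the ones az account list returns.

```shell
#!/bin/sh
# Added example: enumerate Key Vaults across every enabled subscription.
# az keyvault list on its own only covers the default subscription.

list_all_vaults() {
  # --refresh re-reads the subscription list from Azure, so expired
  # entries left in the local CLI cache are dropped.
  subs=$(az account list --refresh \
           --query "[?state=='Enabled'].id" --output tsv) || {
    echo "az account list failed; run az login again" >&2
    return 1
  }
  # Nothing to iterate over; a stale login is one possible cause.
  if [ -z "$subs" ]; then
    echo "no enabled subscriptions returned; check az login" >&2
    return 1
  fi
  for sub in $subs; do
    # Address subscriptions by ID: display names are not unique.
    vaults=$(az keyvault list --subscription "$sub" \
               --query "[].name" --output tsv) || {
      echo "$sub: az keyvault list failed" >&2
      continue
    }
    if [ -z "$vaults" ]; then
      echo "$sub: no vaults visible (none exist, or this identity cannot read them)"
    else
      for v in $vaults; do echo "$sub: $v"; done
    fi
  done
}

# Run against the live account only when asked to: sh vaults.sh --run
if [ "${1:-}" = "--run" ]; then
  list_all_vaults
fi
```

An empty result for a subscription where a vault is known to exist points at the causes raised in the answers: an expired login or a missing Reader role assignment.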

How to create a nested template to deploy resources to subscriptions in different Azure AD Tenants?

I am trying to create a nested ARM-template to deploy resources to subscriptions in different Azure AD tenants.
For guidance I used this site: Deploy Azure resources to more than one subscription or resource group
There it says "If the specified subscription exists in a different Azure Active Directory tenant, you must add guest users from another directory." which leads me to believe that this should be possible.
I have an account in Tenant A (6f16...) which is Azure AD Global Administrator and Contributor to the CSP Subscription (04c5...) which is assigned to Tenant A.
I have added this account in Tenant B (1ffc...) as "New guest user" and assigned him as Contributor to the Pay-As-You-Go Subscription (ebda...) and also made him Global Administrator in the Azure AD from Tenant B.
To keep it simple I used the first example template on the site which should deploy two storage accounts in two different resource groups and two different subscriptions.
In the parameters file I indicated for 'secondSubscriptionID' the subscription ID (ebda...) assigned to Tenant B (1ffc...) and an existing resource group in that subscription for 'secondResourceGroup':
...
"secondResourceGroup": {
"value": "existing-resource-group-in-Ten-B" },
"secondSubscriptionID": {
"value": "ebda..." },
...
I am trying to deploy it through Azure CLI:
az login -u <emailaddress> -p <pw>
az account set --subscription 04c5...
az group deployment create --resource-group "existing-resource-group-in-Ten-A" `
--template-file stor.temp.json --parameters "@stor.para.json"
I receive this error message:
Azure Error: CrossTenantDeploymentNotPermitted
Message: The template deployment tries to deploy resources to subscription 'ebda...'.
However, the current tenant '6f16...' is not authorized to
deploy resources to that subscription.
Please see https://aka.ms/arm-template/#resources for usage details.
I received the same error message in the Azure Portal and with PowerShell. I also tried it with other tenants/subscriptions.
Am I missing some permissions? Is this even supported?
Is there a better way to deploy resources to multiple tenants than this one?
You log in to tenant A and set the subscription to 0c45 in tenant A, but
you reference subscription ebda in tenant B in your ARM templates.
You have to log in and set Tenant B / subscription ebda.
https://github.com/MicrosoftDocs/azure-docs-cli/issues/667
az login --username <myEmailAddress> -t <tenantIDofTenantB>
az account set --subscription <TenantBSubscriptionId>
az group deployment create ......

Moving Resources between subscriptions with AzureDevops

Currently I'm trying to create dynamic environments via AzureDevops.
One of the steps to achieve this is to take a copy of our production databases and place them in a temp resource group (Production Subscription) and then move the SQL server and associated databases to our non-production subscription. From here we then create the web apps and deploy code.
When I run this via Az Cli I am able to move the resources with the following:
SQLSERVERID=$(az resource show -g "$RSGNAMETEMP" -n "$SQLSERVERNAME" --resource-type "Microsoft.Sql/servers" --query id --output tsv)
az resource move --destination-group "$RSGNAME" --ids "$SQLSERVERID" --destination-subscription-id "$SANDBOXSUBSCRIPTIONID"
However, when I run this via AzureDevops I get the following error:
ERROR: The client (...) with object id (...) has permission to perform action on scope however, it does not have permission to perform action (...) on the linked scope(s).
I believe this problem is happening when you configure the AZ Cli step in AzureDevops you select the Subscription from the drop down list. The account / service principal only has access rights to that specific subscription and not to multiple. Is it possible to configure a service principal (that can be used in AzureDevops) that can connect to multiple subscriptions?
Yes, just go to the Azure portal, navigate to the desired subscription blade, go to Access Control, press the + sign at the top and add your principal as a contributor to the subscription.
To find the service principal name, use this:
Click Manage link in the Azure Subscription field in your VSTS job, it will navigate you to a new blade. Click Manage Service Principal there. It will take you to the application page in Azure AD. After that you can copy name under Managed application in local directory field and use that name to grant it Key Vault permissions.
