We Keep Coding

Azure CLI Query to exclude certain Tag

In my specific case I have an Azure subscription with many resources and some are managed by Pulumi or Terraform. They were therefore tagged with "ManagedBy:Pulumi".
How do I use the CLI to get only the resources that do not have the tag "ManagedBy"?

To get all resources in an Azure subscription that do not have a specific tag, you can use the following Azure CLI command:
az resource list --query "[?tags.['<tagName>'] == null]"
In my case:
az resource list --query "[?tags.['ManagedBy'] == null]"
Additionally you can filter the information you want as follows:
az resource list --query "[?tags.['ManagedBy'] == null].{type:type, name:name, id:id}"
Reference:
https://learn.microsoft.com/en-us/cli/azure/query-azure-cli?tabs=concepts%2Cbash

ERROR: The requested resource requires user authentication: https://dev.azure.com/my_org/my_project/_apis/git/repositories

I am logging into az cli using correct token:
echo my_pat | az devops login
But I see the following error while getting the existing repositories in a project:
az repos list --org {ado_org_url} --project {ado_project} --query '[*].name'
ERROR: The requested resource requires user authentication: https://dev.azure.com/my_org/my_project/\_apis/git/repositories
Am I missing any settings while setting up my pat? How can I get rid of this error?

You don't want to use the az devops login if you already set an AZURE_DEVOPS_EXT_PAT Environment Variable. If you not set an AZURE_DEVOPS_EXT_PAT Environment Variable set it first and do your CLI Task.
The az devops commands now enable sign-in with az login, you don't need to give a token if you've already signed in with az login interactively or with a username and password. However, you can't use az login to log in as the service principal. A PAT is required in that case.
If you still need to log in by using az devops login it requires the User Authentication. For that, you have to login using Service Principle
"user": {
"name": "***",
"type": "servicePrincipal"
}
References
How to securely login in Az CLI from a DevOps Pipeline
Fix ERROR: The requested resource requires User Authentication
MSDOC for Azure DevOps CLI sign in with a PAT

Grant permission to pipeline to use a service connection

In my project, I want to create a few AzureRM service connections with different levels of access. I want to allow only certain pipelines to use the service connections. And I am aiming to use API or az devops extension to do this. Portal already allows to choose which pipelines are allowed to use the service connection through service connection security settings.
So far I was able to find the relevant permission in the ServiceEndpoints namespace
Name Permission Description Permission Bit
Use Use Service Connection 1
However, I do not know how to grant the permission to the pipeline. I think i should use 'az devops security permission update' from the extension however can not figure what the subject should be in case of a pipeline. Looking at the output of 'az pipelines build definition show' i do not see any unique identifier for a pipeline and documentation for security permission update says subject should be a user of group.
If i want to use the API, i will need to know how to create the descriptor to pass to Set Access Control Lists.
Any hint is appreciated.

Grant permission to pipeline to use a service connection
According to the document az devops security permission, we could use az devops security permission update to update the azure devops security permission:
az devops security permission update --id
--subject
--token
[--allow-bit]
[--deny-bit]
[--detect {false, true}]
[--merge {false, true}]
[--org]
however can not figure what the subject should be in case of a
pipeline.
As the statement for the Parameters, we could to know:
--subject
User Email ID or Group descriptor.
So, if we update the permission to given user, we just need provide the User Email in above command. If we want to update the permission to given group, we need to provide the Group descriptor.
To get the Group descriptor, we could use the az devops security group list.
You could check this thread for some details.

Update permissions for Azure DevOps group for EventSubscription through Azure CLI?

I've been adding permissions to a custom Azure DevOps Services group through the Azure CLI (az devops version 0.11.0) and I've usually been able to do the following:
az devops security permission namespace list, find namespaceId of specific namespace (like EventSubscription)
Get the Project Admin's descriptor
az devops security permission list --id $namespaceId --subject $projectAdmin.descriptor...
Find an allow bit in the ACES dictionary, find the respective token
az devops security permission update... with the new token
But when I run security permission list for the EventSubscription namespace, it returns with empty JSON for the project admins group so I can't find the token. I've tried "$SUBSCRIPTION" as it looked like what a TFS 2010 user used, but that doesn't work.
Questions:
How can I list tokens on the project admins group for the EventSubscription namespace? I tried to see if tfssecurity would pull anything up, but didn't work. Also tried using Fiddler to see if it would find a token but also nothing. Can't use Fiddler with the UI.
Or what token do I use for Azure DevOps to update the EventSubscription permission for a group?

I tested with EventSubscription namespace id and project admins group descriptor as subject parameters and got the same result as you.
$env:AZURE_DEVOPS_EXT_PAT = 'ckdhd6wuma5uw2h35dv37pgdum5eyjviqneineixxxxx'
$output = az devops security permission namespace list | ConvertTo-Json -Depth 100
#get descriptor
$output2 = az devops security group list --scope project | ConvertTo-Json -Depth 100
#eventSubscription namespaceId: 58b176e7-3411-457a-89d0-c6xxx/ Project namespaceId:52d39943-cb85-4d7f-8fa8-c6xxx
$output3 = az devops security permission list --namespace-id 58b176e7-3411-457a-89d0-c6xxxx --subject vssgp.Uy0xLTktMTU1MTM3NDI0NS00MjQ3MDQ2OTMyLTI2ODA1Nzg2MjktMjkxMzgyMjE4MC0yNDQ0MjYxxxxx | ConvertTo-Json -Depth 100
Write-Host $output3
But when I tested with Project namespace id and project admins group descriptor, I can get the token normally.
So I think this could be a problem with the association between the EventSubscription namespace and the project admins group descriptor. Can you share the corresponding operation in the UI? This will help me investigate further.

(ResourceGroupNotFound) Resource group '????' could not be found when creating an azure media services account

I'm trying to create a Service Principal account using the instructions here
https://learn.microsoft.com/en-us/azure/media-services/latest/stream-files-tutorial-with-api#examine-the-code-that-uploads-encodes-and-streams
However when I run the command
az ams account sp create --account-name *media_service_account_name* --resource-group *resource_group_name*
Where media_service_account_name is the name shown for the media service I have created and resource_group_name the name of the resource group shown on the same page.
The problem is I get the message ResourceGroupNotFound:
Resource group 'resource_group_name' could not be found.
I just can't see what I am doing wrong. Any help appreciated.

If you have multiple subscriptions, set your subscription first and then try:
To list all subscriptions - az account list --output table
To set your subscription - az account set --subscription <subscription-id>

I had the same issue and verified the subscription with az account show, but what I was missing is that I was working in powershell and needed to set the correct subscription in powershell.
Verify context: Get-Azcontext
Set context: Set-Azcontext <subscription_id>

You may have multiple subscriptions. Set the subscription to default which you want to use in CLI.
Reference: https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli?view=azure-cli-latest

Kindly follow these steps to get over an above error:
az login
It will ask you to provide credentials
az account list --o table // Will list all subscription
Set your subscription on which you want to execute query
3. az account set --subscription "VS Subscription"
Hope it will help

I was running a task: AzureCLI#2 in azure pipeline for creating an azure vwan.
I put az account set --subscription xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx but it still didn't work and was throwing:
ERROR: (ResourceGroupNotFound) Resource group 'test-rg' could not be found.
Then I added --subscription "xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx" at the end of he az network vwan create even though it wasn't shown in the documentation.
Here's how I did:
az network vwan create --name testwan01 --resource-group test-rg --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --type Standard
Hope it helps if you are running it from some orchestration tools like Jenkins or Azure pipelines.

Keep in mind that Resource Groups in Azure are things that you create, so the article was only providing an example of a Resource Group name.
The command to create the service principal expects you to use the resource group that you used to create your media service account.
az ams account sp create --account-name amsaccount --resource-group **amsResourceGroup**
Make sure that you are using the right resource group name that you used when you created your Media Services account first, and use a unique named one in the same region as your account. I usually call az group create before creating a new account to put it into it's own Resource Group along with the storage account I create for it.
Example
Create a new resource group named "MyResourceGroup" in the West US region.
az group create -l westus -n
Hope that helps!