This chapter covers the three primary tools for managing Azure resources: the Azure Portal, Azure CLI, and Azure PowerShell. For AZ-900, understanding the purpose, use cases, and basic operations of each tool is essential—this objective area (Azure Management Governance, 15-20% of the exam) tests your ability to choose the right tool for a given scenario. We'll explore each tool's interface, key commands, and when to use them, with a focus on exam-relevant distinctions.
Jump to a section
Imagine you're the operations manager of a large corporate building with hundreds of rooms, each containing servers, networking gear, and security systems. You have three ways to manage everything. First, there's the building's main control room with a giant touchscreen dashboard showing every floor, every room, every device. You can tap to turn lights on/off, adjust HVAC, or lock doors. That's the Azure Portal—a graphical user interface (GUI) for point-and-click management. Second, you have a radio headset connected to a voice command system. You can say 'lights off floor 3' or 'lock room 204' and it happens instantly. That's Azure CLI—text-based commands you speak (type) to the system. Third, you have a programmable automation script that can run a sequence of actions: 'At 6 PM, lock all doors, dim lights, and power down non-essential servers.' That's Azure PowerShell—a scripting language for repeatable, automated tasks. All three control the same building systems, but each is best for different scenarios: the dashboard for one-off checks, voice commands for quick actions, and scripts for complex, scheduled operations. The key mechanism is that all three communicate via the same underlying Azure Resource Manager API, so changes made in any tool are instantly reflected in the others.
What They Are and the Business Problem They Solve
Azure offers multiple interfaces to interact with its cloud resources. The business problem is simple: different tasks require different levels of control, automation, and user expertise. A junior admin might prefer a visual dashboard for occasional tasks, while a DevOps engineer needs scriptable tools for repeatable deployments. Azure provides three primary management tools: the Azure Portal (GUI), Azure CLI (command-line interface), and Azure PowerShell (scripting environment). All three use the Azure Resource Manager (ARM) API underneath, ensuring consistency.
How They Work: The Common Backend
All three tools communicate with Azure's Resource Manager, a REST API that handles all create, read, update, and delete (CRUD) operations. When you click 'Create VM' in the portal, it sends an HTTP request to ARM. When you run az vm create in CLI, it sends the same type of request. When you run New-AzVm in PowerShell, same thing. ARM then validates the request, checks permissions via Azure RBAC, and provisions the resource. This means changes made in one tool are instantly visible in others—there's no synchronization delay.
Azure Portal: The Graphical Interface
The Azure Portal is a web-based GUI accessible at portal.azure.com. It provides a dashboard with tiles, search bar, and navigation menus. It's ideal for:
One-time or infrequent tasks (e.g., creating a single VM)
Visual monitoring and troubleshooting
Users who prefer point-and-click
Key components: - Dashboard: Customizable landing page with resource tiles - All Services: Menu listing every Azure service - Search Bar: Find resources or services quickly - Resource Groups: Logical containers for resources
Limitations:
Not suited for repetitive tasks (too slow)
Cannot automate complex workflows
Human error prone (clicking wrong options)
Azure CLI: The Command-Line Tool
Azure CLI is a cross-platform command-line tool (installable on Windows, macOS, Linux) that uses az commands. It's designed for:
Quick, scriptable operations
Automation in CI/CD pipelines
Users comfortable with terminals
Key commands:
- az login – authenticate to Azure
- az group create --name MyRG --location eastus – create a resource group
- az vm create --resource-group MyRG --name MyVM --image UbuntuLTS --admin-username azureuser --generate-ssh-keys – create a VM
Azure CLI outputs JSON by default, making it easy to parse with tools like jq. It supports both interactive and non-interactive modes.
Azure PowerShell: The Scripting Environment
Azure PowerShell is a module for PowerShell (Windows, macOS, Linux) that provides cmdlets for Azure management. It's ideal for:
Windows-centric environments
Complex scripting with loops, conditions, and error handling
Users already familiar with PowerShell
Key cmdlets:
- Connect-AzAccount – authenticate
- New-AzResourceGroup -Name MyRG -Location eastus – create a resource group
- New-AzVm -ResourceGroupName MyRG -Name MyVM -Image UbuntuLTS -Credential (Get-Credential) – create a VM
Azure PowerShell outputs .NET objects, which can be piped to other cmdlets for further processing.
Comparison: When to Use Each
| Tool | Best For | Not Ideal For | |------|----------|---------------| | Portal | Visual tasks, learning, one-off changes | Automation, bulk operations | | CLI | Quick tasks, cross-platform scripting | Complex logic, Windows-only environments | | PowerShell | Complex automation, Windows integration | Linux-only users unfamiliar with PowerShell |
Pricing and Limits
All three tools are free to use. You only pay for the Azure resources you create. There are no transaction fees for management operations. However, there are Azure subscription limits (e.g., 250 storage accounts per region per subscription) that apply regardless of tool choice.
On-Premises Equivalent
In an on-premises datacenter, you might use:
A web GUI (like vCenter for VMware) for visual management
SSH or RDP to individual servers for command-line tasks
PowerShell or Bash scripts for automation
Azure's tools are analogous but centralized: all resources are managed through ARM, providing a single pane of glass regardless of where resources are located globally.
Touchpoints with Other Azure Services
Azure Cloud Shell: An in-browser shell that provides Azure CLI and PowerShell pre-installed, accessible from the portal.
Azure Resource Manager Templates (ARM templates): JSON files that define infrastructure as code. Both CLI and PowerShell can deploy templates.
Azure DevOps: Integrates with CLI and PowerShell for CI/CD pipelines.
Log into Azure Portal
Open a web browser and navigate to https://portal.azure.com. Sign in with your Azure account credentials (Microsoft account or work/school account associated with an Azure subscription). After authentication, you'll see the Azure Portal dashboard. The portal uses Azure Active Directory for authentication and supports multi-factor authentication. Behind the scenes, the portal establishes a session and loads your subscriptions, resource groups, and resources. You can customize the dashboard by adding tiles for frequently accessed services.
Create a Resource Group via Portal
In the portal, click 'Resource groups' in the left menu, then click 'Create'. Enter a resource group name (e.g., 'MyResourceGroup'), select a region (e.g., 'East US'), and optionally add tags. Review and create. Azure Resource Manager creates the resource group as a logical container. Resource groups are free; you only pay for resources inside them. The portal sends a PUT request to ARM with the resource group details. ARM validates the request and creates the group, which appears in the list immediately.
Install Azure CLI
Azure CLI can be installed on Windows, macOS, or Linux. For Windows, download the MSI installer from Microsoft's website. For macOS, use Homebrew: `brew install azure-cli`. For Linux, use apt or yum (e.g., `curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash`). After installation, open a terminal and run `az --version` to verify. The CLI is a Python-based tool that communicates with Azure REST APIs. It requires no additional dependencies beyond Python. You can also use Azure Cloud Shell in the portal for a pre-configured environment.
Authenticate and Create a VM with CLI
Run `az login` in the terminal. A browser opens for authentication. After successful login, your subscription information is displayed. To create a VM, use: `az vm create --resource-group MyResourceGroup --name MyVM --image UbuntuLTS --admin-username azureuser --generate-ssh-keys`. The CLI sends a series of REST API calls to ARM: first to create a network interface, public IP, virtual network, and then the VM. The `--generate-ssh-keys` option creates SSH keys automatically. The command outputs JSON with VM details like public IP address.
Use Azure PowerShell to Create Resources
Open PowerShell (Windows) or pwsh (cross-platform). Install the Az module: `Install-Module -Name Az -AllowClobber -Force`. Then connect: `Connect-AzAccount`. To create a resource group: `New-AzResourceGroup -Name MyResourceGroup -Location eastus`. To create a VM: `New-AzVm -ResourceGroupName MyResourceGroup -Name MyVM -Location eastus -Image UbuntuLTS -Credential (Get-Credential)`. PowerShell cmdlets use noun-verb naming (e.g., New-AzVm). The `-Credential` parameter prompts for username and password. PowerShell returns .NET objects, which you can pipe to `Out-GridView` for a GUI table.
Scenario 1: DevOps CI/CD Pipeline
A software company uses Azure DevOps to deploy a web app every time code is pushed to GitHub. The deployment script uses Azure CLI to create a resource group, App Service plan, and web app, then deploys the code via az webapp deployment source config-zip. The CLI commands are embedded in a YAML pipeline. The team chose CLI over PowerShell because the build agents are Linux-based. They use az login --service-principal for non-interactive authentication. Cost is minimal—only the App Service plan is billed. A common mistake is forgetting to set the --sku parameter, leading to a higher-tier plan than needed. If the script fails due to a typo, the entire pipeline fails, requiring manual cleanup. To mitigate, they use --only-show-errors and idempotent commands (e.g., az group create --exists-ok).
Scenario 2: IT Operations Monitoring
A large enterprise's IT team uses the Azure Portal daily to monitor resource health, review cost reports, and troubleshoot incidents. They rely on the portal's dashboards to visualize metrics like CPU usage and error rates. For example, when a VM goes down, they navigate to the VM's blade, check 'Metrics' for CPU spikes, and review 'Boot diagnostics' screenshots. The portal's rich GUI allows them to quickly drill down without scripting. However, when they need to restart 50 VMs after a patch, they use a PowerShell script: Get-AzVM -ResourceGroupName Prod | Restart-AzVM. This avoids clicking 50 times. The team uses Azure RBAC to grant read-only access to junior staff via the portal, while senior engineers have contributor rights. A common pitfall is that junior staff might accidentally delete resources if not properly restricted. They use Azure Policy to prevent deletion of critical resources.
Scenario 3: Cloud Migration
A startup migrating from on-premises to Azure uses ARM templates (JSON) to define their entire infrastructure as code. They deploy templates using both CLI and PowerShell interchangeably. For example, they run az deployment group create --resource-group MyRG --template-file template.json to create a VNet, subnets, and VMs. This ensures repeatability and version control. They also use Azure CLI to export existing resources: az resource list --resource-group MyRG --export-template > template.json. This helps them document their environment. Cost considerations: they use Azure Pricing Calculator to estimate costs before deployment. A common error is hardcoding secrets in templates; they use Azure Key Vault references instead. If a deployment fails due to a quota limit, they see an error message and must request a quota increase via the portal.
Objective Code and What AZ-900 Tests This chapter aligns with objective 3.4: 'Describe the Azure Portal, Azure CLI, and Azure PowerShell'. The exam expects you to:
Identify the purpose of each tool
Choose the appropriate tool for a given scenario
Recognize that all tools use ARM API
Know that tools are free (only resources are billed)
Understand that Azure Cloud Shell provides CLI and PowerShell in-browser
Common Wrong Answers and Why Candidates Choose Them 1. 'PowerShell is only for Windows' – Many candidates think PowerShell is Windows-only because of its history. Reality: Azure PowerShell (Az module) works on macOS and Linux via PowerShell Core (pwsh). 2. 'CLI is faster than Portal' – While CLI can be faster for bulk operations, the exam focuses on use cases, not speed. The correct distinction is automation vs. visual. 3. 'You need to install CLI to use it' – Azure Cloud Shell provides CLI and PowerShell without installation. Many forget this. 4. 'Portal is best for automation' – No, the portal is for manual, one-off tasks. Automation uses CLI/PowerShell or ARM templates.
Specific Terms and Values
- ARM (Azure Resource Manager) is the underlying API.
- az is the CLI command prefix.
- Connect-AzAccount and Login-AzAccount (older) – know the current cmdlet Connect-AzAccount.
- Azure Cloud Shell is accessible from the portal and supports both Bash (CLI) and PowerShell.
- Cloud Shell has a 5GB file storage limit (home directory).
Edge Cases and Tricky Distinctions
- Cloud Shell vs. local installation: Cloud Shell is pre-authenticated and temporary (session times out after 20 minutes of inactivity). Local installations persist and can be used offline.
- PowerShell vs. CLI syntax: CLI uses az vm create, PowerShell uses New-AzVm. The exam may show a snippet and ask which tool produced it.
- ARM templates: Can be deployed via any tool, but the exam treats them as a separate concept (infrastructure as code).
Memory Trick Use the 'CAP' acronym: - CLI = Command line (text-based, cross-platform, scriptable) - Azure Portal = Administrative GUI (visual, learning, one-off) - PowerShell = PowerShell (Windows-centric, object-oriented, complex logic)
Decision Tree for Exam Questions If the question mentions: - 'Visual dashboard' → Portal - 'Script for automation' → CLI or PowerShell (check context: Linux → CLI, Windows → PowerShell) - 'Cross-platform automation' → CLI - 'Complex logic like loops' → PowerShell - 'Quick one-time task' → Portal - 'In-browser' → Cloud Shell (which offers both CLI and PowerShell)
The Azure Portal, CLI, and PowerShell all use the same Azure Resource Manager (ARM) API underneath.
Azure CLI uses the 'az' command prefix; Azure PowerShell uses cmdlets like 'New-AzResourceGroup'.
All three tools are free to use; you only pay for the Azure resources you create.
Azure Cloud Shell provides browser-based access to both CLI and PowerShell without local installation.
The Portal is best for visual, one-off tasks; CLI and PowerShell are best for automation and scripting.
Azure CLI is cross-platform and outputs JSON; Azure PowerShell outputs .NET objects and is ideal for complex logic.
For exam questions, choose CLI for cross-platform automation and PowerShell for Windows-focused or complex scripting scenarios.
These come up on the exam all the time. Here's how to tell them apart.
Azure Portal
Graphical web interface
Best for one-off visual tasks
Requires browser and internet
Slower for bulk operations
Output is visual (tiles, charts)
Azure CLI
Command-line interface
Best for automation and scripting
Works offline after login
Fast for bulk operations
Output is JSON (text)
Azure CLI
Uses 'az' command prefix
Cross-platform (Linux, macOS, Windows)
Outputs JSON by default
Ideal for Linux-based automation
Lightweight installation
Azure PowerShell
Uses cmdlets (e.g., New-AzVm)
Cross-platform via PowerShell Core
Outputs .NET objects
Ideal for Windows-centric environments
Requires PowerShell module installation
Mistake
Azure CLI and Azure PowerShell are the same thing with different syntax.
Correct
They are separate tools with different command structures (az vs. cmdlets), output formats (JSON vs. .NET objects), and target users. CLI is cross-platform and lightweight; PowerShell is object-oriented and integrates with Windows ecosystems. Both can automate tasks but are not interchangeable in syntax.
Mistake
You must install Azure CLI or PowerShell on your local machine to use them.
Correct
Azure Cloud Shell provides a browser-based terminal with both CLI and PowerShell pre-installed and pre-authenticated. You can access it from the Azure Portal. It's ideal for quick tasks without installation.
Mistake
The Azure Portal is the best tool for automating repetitive tasks.
Correct
The portal is designed for manual, visual management. Automating repetitive tasks is better done with CLI, PowerShell, or ARM templates. Using the portal for bulk operations is inefficient and error-prone.
Mistake
PowerShell only works on Windows operating systems.
Correct
Azure PowerShell (Az module) runs on PowerShell Core, which is cross-platform (Windows, macOS, Linux). The older AzureRM module was Windows-only, but Az is the current standard and works everywhere.
Mistake
Using Azure CLI or PowerShell incurs additional costs beyond resource usage.
Correct
Both tools are free. Azure does not charge for management operations. You only pay for the resources you create (e.g., VMs, storage). There are no transaction fees for using CLI or PowerShell.
Azure CLI is a cross-platform command-line tool using 'az' commands that output JSON. Azure PowerShell is a module for PowerShell using cmdlets like 'New-AzVm' that output .NET objects. Both automate Azure management, but CLI is lighter and more Linux-friendly, while PowerShell integrates better with Windows ecosystems and complex scripting. For AZ-900, know that both are free and use the same ARM API.
You can install Azure CLI locally, but you can also use Azure Cloud Shell (accessible from the Azure Portal) which has CLI pre-installed and pre-authenticated. Cloud Shell is a temporary environment with a 5GB home directory. For exam purposes, remember that Cloud Shell provides both CLI and PowerShell without installation.
Yes, Azure PowerShell (Az module) runs on PowerShell Core, which is cross-platform. You can install it on macOS via Homebrew or direct download. The cmdlets are the same across platforms. For AZ-900, remember that Azure PowerShell is not Windows-only.
Azure CLI is typically the best choice for Linux-based CI/CD pipelines because it is lightweight, cross-platform, and easily scriptable in Bash. It integrates well with tools like Jenkins, Azure DevOps (Linux agents), and GitHub Actions. PowerShell can also be used on Linux, but CLI is more common. For AZ-900, associate CLI with cross-platform automation.
No, the Azure Portal is free to use. You only pay for the Azure resources you create and manage through the portal. The portal itself does not incur any charges. This applies to CLI and PowerShell as well.
Azure Cloud Shell is an interactive, browser-accessible shell for managing Azure resources. It provides both Bash (with Azure CLI) and PowerShell environments. It is pre-authenticated and includes common tools like git, kubectl, and terraform. Cloud Shell is ideal for quick tasks without local setup. It has a 20-minute idle timeout and a 5GB file storage limit. For AZ-900, know that Cloud Shell offers both CLI and PowerShell.
Yes, both CLI and PowerShell can deploy ARM templates. For CLI, use `az deployment group create --template-file template.json`. For PowerShell, use `New-AzResourceGroupDeployment -TemplateFile template.json`. ARM templates define infrastructure as code and can be version-controlled. The exam may test that all three tools can deploy templates.
You've just covered Azure Portal, CLI, and PowerShell — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?