Skip to main content

cnspec shell azure

Connect to a Microsoft Azure subscription or virtual machines.


Connect to a Microsoft Azure subscriptions or virtual machines. This uses your local Azure configuration for the account scan. To connect to Azure virtual machines, you must configure your Azure credentials and have SSH access to the virtual machines.

cnspec shell azure [flags]


      --ask-pass                         Prompt for connection password.
--certificate-path string Path (in PKCS #12/PFX or PEM format) to the authentication certificate.
--certificate-secret string Passphrase for the authentication certificate file.
--client-id string Application (client) ID of the service principal.
--client-secret string Secret for application.
-c, --command string MQL query to execute in the shell.
--discover string Enable the discovery of nested assets. Supported: 'all|auto|instances|host-instances|host-machines|container|container-images|pods|cronjobs|statefulsets|deployments|jobs|replicasets|daemonsets' (default "auto")
--discover-filter stringToString Additional filter for asset discovery. (default [])
-h, --help help for azure
--host-machines Also scan host machines like ESXi server.
-i, --identity-file string Select a file from which to read the identity (private key) for public key authentication.
--insecure Disable TLS/SSL checks or SSH hostkey config.
--instances Also scan instances. This only applies to API targets like AWS, Azure, or GCP.
--option --option key=value Additional connection options. You can pass multiple options using --option key=value. (default [])
-p, --password string Set the connection password, such as for SSH/WinRM.
--path string Path to a local file or directory for the connection to use.
--platform-id string Select a specific target asset by providing its platform ID.
--subscription string ID of the Azure subscription to scan.
--subscriptions string Comma-separated list of Azure subscriptions to include.
--subscriptions-exclude string Comma-separated list of Azure subscriptions to exclude.
--sudo Elevate privileges with sudo.
--tenant-id string Directory (tenant) ID of the service principal.

Options inherited from parent commands

      --api-proxy string   Set proxy for communications with Mondoo API
--config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
--log-level string Set log level: error, warn, info, debug, trace (default "info")
-v, --verbose Enable verbose output