az rest: Call Azure REST APIs Directly
az rest sends an authenticated HTTP request to an Azure REST endpoint using your current login token.
When no purpose-built command exists, az rest reaches the underlying API with the token you already have, so you avoid building auth headers by hand.
What it does
az rest issues an HTTP request to an Azure (ARM or Graph) REST endpoint, automatically attaching a bearer token for the right resource. You supply --method, --url, and optionally --body; it returns the JSON response for --query to filter.
Common usage
# ARM: list a provider not yet wrapped by a command
az rest --method get \
--url "https://management.azure.com/subscriptions/<sub>/providers/Microsoft.Web/sites?api-version=2023-12-01" \
--query "value[].name" -o tsv
# Microsoft Graph call
az rest --method get \
--url "https://graph.microsoft.com/v1.0/me" \
--resource "https://graph.microsoft.com"Subcommands and flags
| Flag | What it does |
|---|---|
| --method, -m | HTTP method: get, post, put, patch, delete |
| --url, -u | Full request URL incl. api-version |
| --body, -b | JSON request body for writes |
| --resource | Token audience (e.g. Graph) when not ARM |
| --headers | Extra request headers |
In CI
az rest reuses the federated login token, so OIDC auth flows straight through with no extra setup. Always include the api-version query parameter on ARM URLs. For Graph calls pass --resource https://graph.microsoft.com so the right audience token is used.
Common errors in CI
"(InvalidApiVersionParameter) The api-version ... is invalid" or a missing api-version means you omitted or mistyped the parameter. A 403 from Graph means the identity lacks the Graph permission. "Authentication failed" means the resource audience does not match the endpoint; set --resource. A 401 generally means the login token expired or was never obtained.