A structured collection of PowerShell, Python, Bicep, T-SQL, and Bash tools for working with Microsoft Azure — organised into focused project folders covering VM inventory, security, identity, tag governance, database migration, endpoint management, infrastructure-as-code, and more.
| # | Folder | Language | Category | Summary |
|---|---|---|---|---|
| 1 | AirTrack Connect and Inventory | PowerShell | VM Inventory | Connect via SPN and export full VM config to CSV |
| 2 | Azure Dashboard | JSON | Monitoring | Azure Portal dashboard templates with VM metrics |
| 3 | Azure Identity-Agent Framework | Bash | AI / Lab Prep | VM prep script for Azure AI-102 agent labs |
| 4 | Azure PowerShell | PowerShell | Module Management | Download and uninstall Azure PowerShell modules |
| 5 | Azure Resource Inventory | PowerShell | Governance | Full tenant resource inventory exported to Excel |
| 6 | Azure TAGs | PowerShell | Governance | Export VM and Resource Group tags to CSV with email report |
| 7 | AzureARC Agent | PowerShell | Hybrid Cloud | Arc agent offline install, onboarding, and credential tooling |
| 8 | AzureLogin PythonScript | Python | Authentication | CLI-based Azure login using .env tenant ID |
| 9 | Citrix ADC Prod | JSON | VDI / Networking | ARM deployment parameters for Citrix NetScaler VPX in Azure |
| 10 | Citrix | Bicep | Infrastructure as Code | Modular Bicep deployment: VNet, NSG, and VM for Citrix |
| 11 | Encrypt-Decrypt Base64 | PowerShell | Security | Base64 encode/decode utility for embedding credentials in scripts |
| 12 | Key Vault Secret Expiry Query | KQL | Security | KQL query to report secrets/keys/certs nearing expiry |
| 13 | Python SQL | Python / Jupyter | Database | Connect, query, load CSV, and migrate MySQL → MS SQL Server |
| 14 | Resource Group Clone | PowerShell | Automation | Clone an entire Azure Resource Group to a new one |
| 15 | SQL MI Connect | PowerShell | Database | Connect to SQL Managed Instance using a Key Vault password |
| 16 | SQL Databases | T-SQL | Database | Sample MySQL and SQL Server database schemas |
| 17 | TANIUM | PowerShell / Bash | Endpoint Management | Bulk deploy Tanium client to Azure VMs via extension |
Language: PowerShell | Files: Connect.ps1, get-azvmconfig.ps1
Two scripts that work together: authenticate to Azure using a Service Principal, then export a comprehensive inventory of all Azure VMs across all subscriptions into a single CSV file.
Connect.ps1 — Authenticates to Azure using a Service Principal (Application ID + secure password). Provides a reusable connection block for automation scripts that can't use interactive login.
get-azvmconfig.ps1 — Iterates every accessible subscription and collects deep VM details including:
- Power state, OS type, OS name/version, Hyper-V generation
- VM size, image publisher/offer/SKU/version
- OS disk name, size, and storage account type; data disk count
- VM Agent version and status; installed extensions list
- Availability zone
- 18 custom tag fields (ApplicationName, BusinessUnit, Env, Criticality, PatchCycle, OpsTeam, and more)
Output is saved as vms.csv in the working directory.
```powershell
# Run the inventory
.\get-azvmconfig.ps1
# Output: .\vms.csv
```

Prerequisites: Az PowerShell module, Reader access across target subscriptions.

Language: JSON | Files: SapiensTSD.json, SapiensTSD preview.json
Ready-to-import Azure Portal Dashboard templates for VM monitoring. The dashboard is built around Azure Monitor Workbooks and surfaces:
- CPU utilisation across all VMs — heatmap view grouped by subscription
- At-scale VM metrics using the community `Virtual Machines/At-scale Metrics` workbook
- Configurable time range and VM scope parameters
How to import:
- In the Azure Portal, go to Dashboard → Upload
- Select `SapiensTSD.json`
- The dashboard will load with your subscriptions' VM data

`SapiensTSD preview.json` is a draft/preview version of the same dashboard for staging changes before deploying to production.

Language: Bash | File: ai102prep.sh
A VM preparation script for running Microsoft's Azure AI-102 (AI Agents) lab exercises. Designed for a fresh Ubuntu VM, it installs all required dependencies and clones the official Microsoft Learn lab repository.
What it installs:
- Python 3, pip, and `python3-venv`
- A Python virtual environment (`labenv`)
- Azure CLI (via Microsoft's official installer)
- `azure-identity`, `agent-framework`, `python-dotenv`, `openai` (inside the venv)
What it clones:
- https://github.com/MicrosoftLearning/mslearn-ai-agents → navigates to `Labfiles/05-agent-orchestration/Python`

```bash
chmod +x ai102prep.sh
./ai102prep.sh
```

Language: PowerShell | Files: Online_Download_AzurePowerShell.ps1, Remove_AzurePowerShell.ps1
Two utility scripts for managing the Az PowerShell module itself.
Online_Download_AzurePowerShell.ps1 — Fetches the latest Az PowerShell release from GitHub automatically, downloads it as a .tar.gz archive to ~/Downloads, and unblocks it for Windows. Useful for staging the module on an internet-connected machine before copying to an air-gapped environment.
```powershell
.\Online_Download_AzurePowerShell.ps1
# Downloads: Az-x.x.x-x.tar.gz to ~/Downloads
```

Remove_AzurePowerShell.ps1 — Completely removes all installed Az* modules using a parallel PowerShell workflow. Runs the uninstall twice to ensure all versions are removed — handles edge cases where the first pass misses locked modules.

```powershell
.\Remove_AzurePowerShell.ps1
```

Language: PowerShell | File: AzureResourceInventory.ps1 (v3.1.18)
A comprehensive tenant-wide Azure Resource Inventory report generator. Queries every resource type across all subscriptions in a tenant and exports results to a formatted Excel workbook with charts.
Key parameters:
| Parameter | Description |
|---|---|
| `-TenantID` | Target tenant (required for MFA tenants) |
| `-SubscriptionID` | Scope to a single subscription |
| `-ManagementGroup` | Scope to a Management Group |
| `-SecurityCenter` | Include Microsoft Defender advisories |
| `-IncludeTags` | Include all resource tags in the report |
| `-SkipAdvisory` | Skip Azure Advisor recommendations |
| `-Lite` | Skip Excel chart generation (faster) |

```powershell
# Full tenant inventory
.\AzureResourceInventory.ps1 -TenantID <tenant-id>
# Single subscription with tags and security data
.\AzureResourceInventory.ps1 -TenantID <tenant-id> -SubscriptionID <sub-id> -IncludeTags -SecurityCenter
```

Prerequisites: Az PowerShell module, ImportExcel module, Reader access on target scope.

Language: PowerShell | Files: Get-Tags.ps1, Get_RG_Tags.ps1
Scripts to export Azure resource tags to CSV across all subscriptions, with automated email delivery.
Get-Tags.ps1 — The primary, production-grade tag reporting script. Authenticates via certificate-based Service Principal (no password), then:
- Exports all Resource Group tags → `ResourceGroupTags_<timestamp>.csv`
- Exports all VM tags → `VMTags_<timestamp>.csv`
- Sends both CSVs as email attachments via SMTP to a distribution list
- Handles dynamic tag columns — if a new tag is added to any resource, it automatically appears as a new column
- Wraps `OperationalPeriod` tag values in quotes to preserve comma-separated time ranges in CSV

```powershell
.\Get-Tags.ps1
# Outputs: CSV reports + email notification
```

Get_RG_Tags.ps1 — A simpler, earlier version that exports Resource Group and individual resource tags per subscription as separate per-subscription CSV files.
Prerequisites: Certificate installed in Cert:\LocalMachine, Service Principal with Reader role, SMTP relay access.
Language: PowerShell | Files: 12 scripts
The largest folder in the repo — a full suite of scripts for Azure Arc Connected Machine agent deployment, onboarding, and credential management.
| File | Purpose |
|---|---|
| `AzCM_OfflineInstall v2.ps1` | Silent MSI install of Arc agent from a local file; adds azcmagent.exe to system PATH |
| `AzCM_OfflineInstall.ps1` | Earlier version of the offline installer |
| `AddPathAzCM.ps1` | Adds the Arc agent to the Windows system PATH |
| `OnboardingScript_CORP_Citrix.ps1` | Onboards CORP Citrix machines to Azure Arc using an encoded Base64 SPN credential; auto-elevates to Administrator |
| `OnboardingScript_TEST_Citrix.ps1` | Same for TEST environment |
| `OnboardingScript_TEST_Citrix_SPN.ps1` | SPN variant with explicit credential injection |
| `OnboardingScript_(7)_TEST.ps1` | Iteration 7 of the TEST onboarding script |
| `Offline_Install_AzurePowerShell.ps1` | Installs Az PowerShell module on air-gapped machines |
| `Encrypt_Decrypt.ps1` | Encrypts/decrypts secrets using Windows DPAPI (ConvertTo-SecureString / ConvertFrom-SecureString) for secure storage in scripts |
| `Encrypt_Decrypt_2.ps1` | Alternative encryption utility |
| `Encode-Decode-Base64.ps1` | Base64 encode/decode for embedding SPN passwords in onboarding scripts |
| `Encode-Decode-Base64 - PWD.ps1` | Password-specific variant |
| `Decrypt.ps1` | Standalone decrypt helper |
| `encrypt.ps1` | Standalone encrypt helper |
| `msiinstall.ps1` | Generic quiet MSI installer template |
| `testazure.ps1` | Connectivity test script |
| `fileA.txt` / `fileB.txt` | Supporting reference files |

Offline install workflow:
```powershell
# 1. Copy AzureConnectedMachineAgent.msi to C:\install\
# 2. Run the installer
.\AzCM_OfflineInstall v2.ps1
# 3. Onboard the machine to Arc (CORP environment)
.\OnboardingScript_CORP_Citrix.ps1
```

Prerequisites: Local administrator rights, MSI file pre-staged at C:\install\, Service Principal with Azure Connected Machine Onboarding role.

Language: Python | File: azurelogin.py
A minimal Python snippet for authenticating to Azure CLI using a tenant ID stored in a .env file — keeps credentials out of source code and makes the login step reusable across any Python automation project.
```bash
pip install python-dotenv
```

```ini
# .env file
AZURE_TENANT_ID=your-tenant-id-here
```

```bash
python azurelogin.py
# Runs: az login --tenant <AZURE_TENANT_ID>
```

Language: JSON (ARM Parameters) | Files: citrix_adc_azure_avz.json, parameters_avz.json
ARM deployment files for provisioning a Citrix NetScaler VPX (production ADC appliance) in Azure with Availability Zones.
parameters_avz.json — Deployment parameters for a production Citrix ADC:
- Region: `australiaeast`
- Appliance: NetScaler VPX 13.0 (`netscalervpx-130`), BYOL licensing
- VM: `Standard_DS3_v2`, Premium SSD OS disk
- VM Name: `CTXPRDVPX10`
- Resource Group: `RG-SYD-PROD-CITRIX`
- VNet: `VN-SYD-PROD-CTX-01`
- Accelerated networking enabled on all 3 NICs (Management, Client, Server)
- Storage account: `sasydprdctxdiag001`

citrix_adc_azure_avz.json — The full ARM template driving the deployment.
Language: Bicep | Files: main.bicep, keyVaultSecrets.bicep, modules/virtualMachine.bicep, modules/virtualNetwork.bicep, modules/networkSecurityGroup.bicep
A modular Bicep IaC deployment for provisioning the full Citrix virtual desktop infrastructure in Azure. Separated into reusable modules following Azure best practices.
Architecture deployed:
```
main.bicep
├── modules/virtualNetwork.bicep → VNet + 3 subnets (Management, VIP, SNIP)
├── modules/networkSecurityGroup.bicep → NSG attached to VNet
└── modules/virtualMachine.bicep → Citrix VM (Standard_DS3_v2, Premium SSD, Availability Zones)
    └── keyVaultSecrets.bicep → Retrieves admin password from Key Vault
```

Naming convention: VMs are named CTX<env><app><zone><number> (e.g. CTXPRDWEB101).
Network layout (australiaeast):
| Subnet | Purpose | CIDR |
|---|---|---|
| `SN-<env>-CTX-MGT-01` | Management | 10.32.26.0/24 |
| `SN-<env>-CTX-VIP-01` | Virtual IP (client-facing) | 10.32.24.0/23 |
| `SN-<env>-CTX-SNIP-01` | Subnet IP (server-facing) | 10.32.27.0/24 |

```bash
# Deploy to Azure
az deployment group create \
  --resource-group <your-rg> \
  --template-file main.bicep \
  --parameters environment=PROD application=WEB availabilityZone=1 vmNumber=1
```

Language: PowerShell | Files: PWD_Encrypt-Decrypt.ps1, PWD_Encrypt-Decrypt.txt
A simple, well-commented PowerShell utility for Base64 encoding and decoding credentials — the pattern used throughout the AzureARC Agent onboarding scripts to embed Service Principal passwords without storing them in plaintext.
How it works:
```powershell
# Placeholder input for illustration
$SecureKey = '<plain-text value>'
# "Encrypt": encode plain text → Base64 (reversible without any key)
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($SecureKey)
$EncryptedText = [Convert]::ToBase64String($Bytes)
# "Decrypt": decode Base64 → plain text
$DecryptedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncryptedText))
```

Note: Base64 is encoding, not encryption — it obfuscates credentials in scripts but is not a substitute for proper secrets management. Use Azure Key Vault for production workloads.

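An added example (not code from the repository): a Python check a reviewer could run over script text to flag quoted Base64 literals that decode to readable UTF-16LE text, which is exactly what the `Unicode.GetBytes` + `ToBase64String` pattern above produces. The sample script, sample value and all function names are constructed for illustration.

```python
import base64
import binascii
import re

# Quoted Base64 literals of at least 16 characters, as they appear in a .ps1 file.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")


def decode_utf16le_text(token):
    """Return the decoded string if token is Base64 of printable UTF-16LE text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 8 or len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    # Hashes, thumbprints and binary blobs almost never decode to all-printable
    # ASCII, so this keeps the check from flagging them.
    if all(32 <= ord(ch) < 127 for ch in text):
        return text
    return None


def mask(text):
    """Keep two characters so a finding is recognisable without re-exposing the value."""
    return text[:2] + "*" * (len(text) - 2)


def scan_script(source):
    """Return (line_number, masked_value) for each reversible Base64 text literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in B64_LITERAL.finditer(line):
            decoded = decode_utf16le_text(match.group(1))
            if decoded is not None:
                findings.append((lineno, mask(decoded)))
    return findings


# Constructed sample, not taken from the repository: one literal built the same
# way as the snippet above (UTF-16LE, then Base64) and one hex thumbprint.
SAMPLE_VALUE = "Example-Passw0rd!"
SAMPLE_SCRIPT = "\n".join([
    "$AppId = '00000000-0000-0000-0000-000000000000'",
    "$Encoded = '%s'" % base64.b64encode(SAMPLE_VALUE.encode("utf-16-le")).decode("ascii"),
    "$Thumb = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'",
    "$Plain = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))",
])

if __name__ == "__main__":
    for lineno, masked in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: Base64 literal decodes to text {masked!r}")
```

Only the Base64 literal on line 2 of the sample is reported; the GUID and the certificate thumbprint are ignored because they do not decode to printable text.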
Language: KQL (Kusto Query Language) | Files: KQL Query KV_Secret_Expiry.txt, KQL Query KV_Secret_Expiry (1).txt, sample data CSVs/XLSX
KQL queries for Azure Monitor / Log Analytics that surface Azure Key Vault secrets, keys, and certificates that have expired or will expire within 30 days.
How the query works:
```kusto
let lookback = 30d;
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName matches regex @"(Secret|Key|Certificate)(NearExpiry|Expired)EventGridNotification"
// Outline only: the expressions that derive these columns are not shown here
| extend VaultName, ObjectName, ObjType, ExpireUtc, DaysUntilExp
| extend Status = iff(DaysUntilExp <= 0, "Expired", "NearExpiry(≤30d)")
| project TimeGenerated, VaultName, ObjType, ObjectName, ExpireUtc, DaysUntilExp, Status
| order by ExpireUtc asc
```

Output columns: VaultName, ObjectType (Secret/Key/Certificate), ObjectName, ExpiryDate (UTC), DaysUntilExpiry, Status (Expired / NearExpiry).

Sample query results are included as KV_SecretExpiry_30d_query_data.xlsx and KV_SecretExpiry_45d_query_data.csv for reference and testing.
Usage: Run in Azure Monitor → Logs or Log Analytics Workspace against a workspace that has Key Vault diagnostic settings enabled.
Language: Python / Jupyter Notebook | Files: 9 notebooks, SQL scripts, CSV datasets
A comprehensive set of Jupyter notebooks for connecting to, querying, loading data into, and migrating databases between MySQL and Microsoft SQL Server — including Azure SQL Database.
| Notebook | What it does |
|---|---|
| `Connect_SQLServer.ipynb` | Connect to MS SQL Server via SQLAlchemy + pyodbc; run queries with pandas and %sql magic |
| `Connect_MySQL.ipynb` | Connect to MySQL and run queries |
| `Load_CSV_to_MSSQLServer.ipynb` | Read an Excel file (via python_calamine) and bulk-load it into Azure SQL Database |
| `Python Code for DB Migration to MS SQL Server.ipynb` | Full MySQL → MS SQL Server table-by-table migration using pandas |
| `Python Code for DB Migration to CSV.ipynb` | Export every table from a database to individual CSV files |
| `Migrate DB from MySQL2022 to MS-SQLServer2022- coffee.ipynb` | Migrate the coffee sample database |
| `Migrate DB from MySQL2022 to MS-SQLServer2022- sakila.ipynb` | Migrate the sakila sample database |
| `Migrate DB from MySQL2022 to MS-SQLServer2022- world.ipynb` | Migrate the world sample database |

/assignment/ — A complete certification exam database (assmt) with 10 tables and CSV seed data: users, certifications, exam centres, question banks, registrations, and results.
/world/ — The classic MySQL world database (countries, cities, languages) exported as CSVs.
```bash
pip install pandas sqlalchemy pyodbc pymysql python-calamine openpyxl prettytable python-dotenv
```

Prerequisites: ODBC Driver 17 or 18 for SQL Server installed on the host.

Language: PowerShell | File: Clone-AzureRMresourceGroup.ps1
Clones an existing Azure Resource Group — copying all ARM resource configurations, virtual machines, managed disks, virtual networks, load balancers, public IPs, and storage accounts into a brand new resource group.
Handles uniqueness requirements automatically:
- Storage accounts get an 8-character GUID appended to avoid naming conflicts
- Public IP DNS labels get `new` appended

```powershell
# Clone in the same region
.\Clone-AzureRMresourceGroup.ps1 -ResourceGroupName 'PROD-RG' -NewResourceGroupName 'STAGING-RG'
# Clone to a different region
.\Clone-AzureRMresourceGroup.ps1 -ResourceGroupName 'PROD-RG' -NewResourceGroupName 'DR-RG' -NewLocation 'australiasoutheast'
# Clone to Azure Government
.\Clone-AzureRMresourceGroup.ps1 -ResourceGroupName 'PROD-RG' -NewResourceGroupName 'GOV-RG' -Environment 'AzureUSGovernment'
```

Prerequisites: AzureRM module v6.7+, Contributor role on the subscription.

Language: PowerShell | File: SamplePowerShell with Password in KeyVault to connect to SQLMI.txt
A production-safe PowerShell pattern for connecting to Azure SQL Managed Instance — retrieving the SQL password securely from Azure Key Vault rather than hardcoding it.
How it works:
- Authenticates to Azure (`Connect-AzAccount`)
- Retrieves the SQL password as a `SecureString` from Key Vault (`Get-AzKeyVaultSecret`)
- Decrypts it in memory for the connection string only
- Opens a `System.Data.SqlClient` connection with `Encrypt=True`
- Runs a sample query (`SELECT TOP 5 name FROM sys.tables`)
- Closes and cleans up the connection

```powershell
# Configure these variables before running
$KeyVaultName = "YourKeyVaultName"
$SecretName = "YourSqlPasswordSecret"
$SqlServer = "your-sqlmi.yourdomain.database.windows.net"
$Database = "YourDatabase"
$Username = "your-sql-username"
```

Prerequisites: Az PowerShell module, Key Vault Secrets User role, network connectivity to SQL MI (private endpoint or VPN).

Language: T-SQL / MySQL SQL | Files: assmt.sql, sakila.sql
Two sample database schemas used in the Python SQL notebooks for migration and testing.
assmt.sql — A certification exam management database (MySQL dump, 9 tables):
`assmt_user`, `certification`, `cert_exam`, `exam_center`, `exam_regn`, `exam_result`, `exam_result_dtls`, `question_bank`, `question_options`, `question_paper`
sakila.sql — The classic Sakila sample database adapted for MS SQL Server (using IDENTITY, GO, and DATETIME instead of MySQL equivalents). Includes the actor table and associated indexes as a starting point for the full schema.
Language: PowerShell / Bash | Files: Install-TaniumClient.ps1, TaniumExtension_WinVMs.sh, vm-list.csv, Install-TaniumClient.txt
Scripts to bulk-deploy the Tanium Client Windows extension to Azure VMs at scale using the Azure VM Extension framework — deployable from either PowerShell (Windows / Cloud Shell) or Bash (Linux / Cloud Shell).
How it works:
- Reads a CSV file (`vm-list.csv`) containing VM names and resource groups
- Reads and Base64-encodes `tanium-init.dat` (the Tanium configuration file)
- For each VM, calls `az vm extension set` to install `TaniumClientWindows` published by `Tanium.Client`
- Reports success or failure per VM

vm-list.csv format:
```csv
VMName,ResourceGroup
MyVM01,RG-PROD-SERVERS
MyVM02,RG-PROD-SERVERS
```

PowerShell (PS7 / Cloud Shell):

```powershell
# Edit vm-list.csv and place tanium-init.dat in the same folder
.\Install-TaniumClient.ps1
```

Bash (Linux / Cloud Shell):

```bash
chmod +x TaniumExtension_WinVMs.sh
./TaniumExtension_WinVMs.sh
```

Prerequisites: Azure CLI authenticated, tanium-init.dat provided by your Tanium administrator, Contributor role on target VMs.

```bash
git clone https://github.com/HashimsGitHub/Azure-Toolkit.git
cd Azure-Toolkit
```

Navigate into the folder for the tool you need — each folder is self-contained.

PowerShell scripts — run as Administrator:

```powershell
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Connect-AzAccount
.\script-name.ps1
```

Python / Jupyter tools:

```bash
pip install azure-identity pandas sqlalchemy pyodbc pymysql python-dotenv openpyxl
jupyter notebook
```

Bicep deployments:

```bash
az login
az deployment group create --resource-group <rg> --template-file main.bicep --parameters <params>
```

| Requirement | Used By |
|---|---|
| Az PowerShell module | AirTrack, Azure TAGs, Resource Inventory, AzureARC, Resource Group Clone, SQL MI Connect |
| Python 3.8+ | AzureLogin, Python SQL notebooks |
| Azure CLI | AzureLogin, TANIUM, Bicep deployments, Identity-Agent |
| Jupyter Notebook | All Python SQL notebooks |
| ODBC Driver 17/18 for SQL Server | Python SQL (SQL Server connections) |
| `pandas`, `sqlalchemy`, `pyodbc` | Python SQL notebooks |
| `python-dotenv` | AzureLogin |
| `ImportExcel` PowerShell module | Azure Resource Inventory |
| SMTP relay access | Azure TAGs email notification |
| Key Vault Secrets User role | SQL MI Connect, Citrix Bicep |
| Contributor role on subscription | Resource Group Clone, TANIUM, AzureARC |
| Local Administrator rights | AzureARC Agent installation |
| Tanium init.dat file | TANIUM deployment |

MIT — use freely, adapt as needed.