Azure Management Tools: Portal, CLI, PowerShell, and Cloud Shell

Quick Answer: Azure Portal = web GUI. Azure CLI = cross-platform az commands. Azure PowerShell = verb-noun Az cmdlets. Cloud Shell = browser shell (Bash or PowerShell) needing a storage account. ARM templates / Bicep = declarative infrastructure as code. Everything routes through Azure Resource Manager (ARM).

Azure Portal

The Azure Portal at portal.azure.com is a unified, web-based graphical console. It is ideal for visual management, learning, dashboards, and one-off tasks. You can pin tiles to customizable dashboards, launch resource-creation wizards, run cost analysis, and manage RBAC assignments. Because it is point-and-click, it is the slowest tool for doing the same operation hundreds of times — that is what the command-line and code tools are for.

Azure CLI

Azure CLI is a cross-platform tool (Windows, macOS, Linux) using a bash-friendly syntax. Pattern: az [group] [subgroup] [command] [--parameters].

az group create --name MyRG --location eastus
az vm create --name MyVM --resource-group MyRG --image Ubuntu2204
az vm list --output table

It is the natural choice for shell scripting and Linux-centric DevOps pipelines.

Azure PowerShell

Azure PowerShell is the Az module of cmdlets in PowerShell's verb-noun format. Pattern: Verb-AzNoun -Parameters.

New-AzResourceGroup -Name MyRG -Location eastus
New-AzVM -Name MyVM -ResourceGroupName MyRG
Get-AzVM | Format-Table

It shines for Windows administrators and for piping objects between cmdlets in richer automation. CLI and PowerShell are functionally equivalent — choose by team skill set, not capability.

Azure Cloud Shell

Cloud Shell is a browser-based shell you reach from the portal, shell.azure.com, VS Code, or the Mobile App.

The most-tested fact: on first use Cloud Shell prompts you to create a storage account because it needs an Azure Files share to persist scripts and files between sessions.

Azure Mobile App and SDKs

The Azure Mobile App (iOS/Android) monitors resource health, surfaces alerts, and can run commands through Cloud Shell. For programmatic access, the Azure REST API and language SDKs (.NET, Java, Python, JavaScript, Go) let applications manage resources directly.

Infrastructure as code: ARM templates and Bicep

For repeatable, reviewable deployments Azure offers declarative infrastructure as code:

• ARM templates are JSON files describing the desired resources. Deployments are idempotent — running the same template twice converges to the same state rather than duplicating resources.
• Bicep is a cleaner domain-specific language that transpiles to ARM JSON. It is easier to read and write and is Microsoft's recommended authoring experience.

Everything goes through Azure Resource Manager

Why ARM is the single control plane

Azure Resource Manager (ARM) is the deployment and management layer that sits between every tool and the actual Azure services. When you click Create in the portal, run az vm create, or deploy a Bicep file, the request lands on the same ARM endpoint. ARM then does four jobs in order:

1. Authenticate the caller against Microsoft Entra ID (the identity behind your sign-in).
2. Authorize the action using role-based access control (RBAC) — does this identity hold a role that permits this operation on this scope?
3. Enforce governance by evaluating any Azure Policy rules (for example, blocking resources outside approved regions).
4. Route the request to the correct resource provider (such as Microsoft.Compute for VMs) to carry it out.

Because everything funnels through ARM, your RBAC and Policy guardrails apply uniformly no matter which tool a user picks — a developer cannot bypass a policy by switching from the portal to the CLI. ARM also groups resources into resource groups and lets you deploy, tag, lock, and delete them as a unit, and it makes deployments idempotent so re-running a template converges to the desired state instead of duplicating resources.

Choosing the right tool

On the Exam: All management tools send requests to Azure Resource Manager (ARM) — the single control plane that authenticates the caller, authorizes via RBAC, applies Azure Policy, and routes to the resource provider. "Verb-noun like Get-AzVM" = PowerShell. "az group create" = CLI. "Cloud Shell needs what?" = a storage account. "Repeatable declarative deployment" = ARM template or Bicep.