Claude Code for Azure — Bicep, Functions & AKS Workflows
Microsoft Azure powers enterprise infrastructure worldwide across App Service, Azure Functions, AKS, and Azure SQL. Claude Code dramatically accelerates Azure development when given context about your subscription structure, resource naming conventions, and IaC tooling. This guide covers CLAUDE.md templates, Bicep authoring, Azure Functions development, AKS setup, and Azure DevOps pipeline workflows.
Azure CLAUDE.md Template
````markdown
# Project: [Your Service Name]
## Azure subscription structure
- Dev: sub-acme-dev (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
- Staging: sub-acme-staging (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
- Prod: sub-acme-prod (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
- Management: sub-acme-mgmt (Azure Monitor, shared ACR, Log Analytics)
## Resource group naming
- [project]-[env]-rg (e.g. acme-prod-rg)
- Networking in separate RG: [project]-network-[env]-rg
- Shared resources: [project]-shared-rg
## IaC tooling
- Bicep (primary) — all new infrastructure in bicep/
- Terraform (legacy modules in terraform/)
- Azure DevOps Pipelines (azure-pipelines.yml) for CI/CD
## Naming conventions (Azure CAF aligned)
- Resources: [type]-[project]-[env]-[region-short]-[suffix]
- Example: app-acme-prod-eus2-001 (App Service)
- Region shorts: eus2=eastus2, weu=westeurope, sea=southeastasia
## Key commands
```bash
az login --tenant TENANT_ID
az account set --subscription SUB_ID
az deployment group create --resource-group RG --template-file main.bicep --parameters main.bicepparam
az bicep build --file main.bicep # compile to ARM
az deployment group what-if --resource-group RG --template-file main.bicep # preview changes
az functionapp logs tail --name FUNC_APP --resource-group RG
```
## Guardrails
- Never hardcode subscription IDs, connection strings, or keys — use Key Vault references
- Managed Identity required for all service-to-service auth (no stored credentials)
- RBAC: least privilege — use built-in roles where possible, custom roles only when needed
- All resources must be in the approved regions list (eastus2, westeurope, southeastasia)
- Diagnostic settings required on all resources (send to Log Analytics workspace)
````
Bicep Template Workflows
New Bicep module — App Service + SQL
```bash
claude "write a Bicep module for an App Service (Linux, B2 tier → P1v3 prod) hosting our .NET 9 API.
Parameters: appName, environment, location, sqlConnectionStringSecretUri (Key Vault reference).
Resources:
- App Service Plan (LinuxFxVersion: DOTNETCORE|9.0)
- App Service with system-assigned Managed Identity, always-on, health check path /health
- App Settings: ASPNETCORE_ENVIRONMENT from environment param, ConnectionStrings__Db from Key Vault reference
- Diagnostic settings → Log Analytics workspace (send AppServiceHTTPLogs + AppServiceConsoleLogs)
- Auto-scale rule: scale out at CPU >70% for 5min, scale in at CPU <30% for 15min (prod only, using condition expression)
Follow CAF naming conventions from CLAUDE.md."
```
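For reference, here is what a module satisfying that prompt and the CLAUDE.md guardrails looks like. This is an added example, not code from the page or output from Claude; the parameter names (`project`, `regionShort`, `logAnalyticsWorkspaceId`), the `asp-` plan prefix and the diagnostic-setting name are assumptions, and the prod-only autoscale rule is left out to keep the module focused on the identity, secret-handling and logging guardrails.

```bicep
// Added example (not code from the page or from Claude): App Service module applying the
// CLAUDE.md guardrails. Parameter names and resource-name prefixes are assumptions.

@description('Short project name used in CAF-style resource names, e.g. acme')
param project string

@allowed(['dev', 'staging', 'prod'])
param environment string

param location string = resourceGroup().location

@description('Region short code from CLAUDE.md, e.g. eus2')
param regionShort string

@description('Full URI of the Key Vault secret holding the SQL connection string (assumed to already exist)')
param sqlConnectionStringSecretUri string

@description('Resource ID of the Log Analytics workspace that receives diagnostics')
param logAnalyticsWorkspaceId string

// Plan tier follows the prompt: B2 outside prod, P1v3 in prod.
var skuName = environment == 'prod' ? 'P1v3' : 'B2'
var aspnetEnvironment = { dev: 'Development', staging: 'Staging', prod: 'Production' }
var planName = 'asp-${project}-${environment}-${regionShort}-001'
var siteName = 'app-${project}-${environment}-${regionShort}-001'

resource plan 'Microsoft.Web/serverfarms@2023-12-01' = {
  name: planName
  location: location
  kind: 'linux'
  sku: { name: skuName }
  properties: { reserved: true } // reserved=true is what makes the plan a Linux plan
}

resource app 'Microsoft.Web/sites@2023-12-01' = {
  name: siteName
  location: location
  kind: 'app,linux'
  // Guardrail: system-assigned identity, so no credential is ever stored for service-to-service auth.
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      linuxFxVersion: 'DOTNETCORE|9.0'
      alwaysOn: true
      healthCheckPath: '/health'
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      appSettings: [
        { name: 'ASPNETCORE_ENVIRONMENT', value: aspnetEnvironment[environment] }
        {
          // Guardrail: Key Vault reference. The secret value never appears in the template,
          // the .bicepparam file or the deployment history; App Service resolves it at runtime
          // with the managed identity above, which needs Key Vault Secrets User on the vault.
          name: 'ConnectionStrings__Db'
          value: '@Microsoft.KeyVault(SecretUri=${sqlConnectionStringSecretUri})'
        }
      ]
    }
  }
}

// Guardrail: diagnostic settings on every resource, sent to Log Analytics.
resource appDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-${siteName}'
  scope: app
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'AppServiceHTTPLogs', enabled: true }
      { category: 'AppServiceConsoleLogs', enabled: true }
    ]
  }
}

output appName string = app.name
output principalId string = app.identity.principalId // use this for the Key Vault role assignment
output defaultHostName string = app.properties.defaultHostName
```

The Key Vault reference only works once the site's identity has been granted read access on the vault (a role assignment scoped to the vault, using the `principalId` output), so run `az deployment group what-if` and check that the identity and the role assignment both land before expecting `/health` to come up green.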
Bicep module for AKS cluster
```bash
claude "write a Bicep module for an AKS cluster (Autopilot equivalent → use Azure CNI Overlay).
Parameters: clusterName, environment, nodeVmSize, minNodeCount, maxNodeCount, subnetId.
Configuration:
- Kubernetes version: 1.32
- System node pool: 3 nodes min, Standard_D4s_v5
- User node pool: autoscale 0–20, Standard_D8s_v5
- Azure CNI Overlay networking (not kubenet)
- Managed identity (system-assigned) with Contributor on the node resource group
- Azure AD integration + Azure RBAC for Kubernetes authorization
- Workload Identity enabled (oidcIssuerProfile.enabled: true)
- Microsoft Defender for Containers enabled
- Log Analytics workspace integration (all categories)
Output: clusterName, oidcIssuerUrl (needed for workload identity federation)"
```
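An AKS module matching that configuration list, added here as an example rather than taken from the page or from Claude. Parameter defaults, the `logAnalyticsWorkspaceId` parameter, the node-pool names and the diagnostic-setting name are assumptions; the node-resource-group permission in the prompt needs no explicit assignment because AKS grants its own system-assigned identity the rights it needs there.

```bicep
// Added example (not code from the page or from Claude): AKS cluster module implementing
// the configuration list above. Parameter defaults and names are assumptions.

param clusterName string
param location string = resourceGroup().location
@description('Subnet both node pools are placed in (pod IPs come from the overlay CIDR, not this subnet)')
param subnetId string
param nodeVmSize string = 'Standard_D8s_v5'
@minValue(0)
param minNodeCount int = 0
param maxNodeCount int = 20
param kubernetesVersion string = '1.32'
@description('Resource ID of the Log Analytics workspace used by Container Insights, Defender and diagnostics')
param logAnalyticsWorkspaceId string

resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
  name: clusterName
  location: location
  // System-assigned identity: AKS itself grants it the rights it needs on the node resource group.
  identity: { type: 'SystemAssigned' }
  properties: {
    dnsPrefix: clusterName
    kubernetesVersion: kubernetesVersion
    agentPoolProfiles: [
      {
        // System pool: fixed size, tainted so only system add-ons schedule here.
        name: 'system'
        mode: 'System'
        count: 3
        vmSize: 'Standard_D4s_v5'
        osType: 'Linux'
        vnetSubnetID: subnetId
        nodeTaints: ['CriticalAddonsOnly=true:NoSchedule']
      }
      {
        // User pool: cluster autoscaler between minNodeCount and maxNodeCount.
        name: 'user'
        mode: 'User'
        enableAutoScaling: true
        minCount: minNodeCount
        maxCount: maxNodeCount
        count: minNodeCount
        vmSize: nodeVmSize
        osType: 'Linux'
        vnetSubnetID: subnetId
      }
    ]
    networkProfile: {
      networkPlugin: 'azure'
      networkPluginMode: 'overlay' // Azure CNI Overlay, not kubenet
      networkPolicy: 'azure'        // enables NetworkPolicy enforcement; without it every pod can reach every pod
    }
    // Entra ID sign-in with Azure RBAC for Kubernetes authorization; local admin kubeconfig disabled.
    aadProfile: { managed: true, enableAzureRBAC: true }
    disableLocalAccounts: true
    // Workload Identity: the issuer URL exposed here is what a federated credential must trust.
    oidcIssuerProfile: { enabled: true }
    securityProfile: {
      workloadIdentity: { enabled: true }
      defender: {
        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceId
        securityMonitoring: { enabled: true }
      }
    }
    addonProfiles: {
      omsagent: {
        enabled: true
        config: { logAnalyticsWorkspaceResourceID: logAnalyticsWorkspaceId }
      }
    }
  }
}

// Control-plane logs (API server, audit, autoscaler, ...): all categories to Log Analytics.
resource aksDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-${clusterName}'
  scope: aks
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]
  }
}

output aksName string = aks.name
output oidcIssuerUrl string = aks.properties.oidcIssuerProfile.issuerURL
```

`disableLocalAccounts: true` is the setting that makes the Azure RBAC integration meaningful: with local accounts left on, `az aks get-credentials --admin` still hands out a cluster-admin kubeconfig that bypasses Entra ID entirely. The `oidcIssuerUrl` output is the value the federated identity credential in the next section consumes.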
Azure Functions Workflows
| Trigger | Claude Code prompt | Key pattern |
|---|---|---|
| HTTP (C# isolated) | "write a C# .NET 9 isolated Azure Function handling POST /orders. Validate JSON body (FluentValidation), write to Cosmos DB, return 201 with location header." | Use IAsyncCollector for Cosmos output binding; inject ILogger |
| Timer (Python) | "write a Python Azure Function that runs at 00:00 UTC daily, queries Azure SQL for yesterday's transactions, and uploads a CSV to Blob Storage." | NCRONTAB expression 0 0 * * *; use DefaultAzureCredential for SQL |
| Service Bus (C#) | "write a C# Function triggered by Service Bus topic 'orders' subscription 'fulfillment'. Process in batches of 10, write to Cosmos DB, handle poison messages via dead-letter." | ServiceBusTrigger with IsSessionsEnabled for ordered processing |
| Event Hub (Python) | "write a Python Function that processes IoT telemetry from Event Hub 'sensor-data', validates schema, and writes to ADX (Azure Data Explorer) via ingestion queue." | Process as batch (List[str]); checkpoint every 100 events |
| Durable (C#) | "write a Durable Function orchestration for order fulfillment: CheckInventory → ReserveItems → ChargePayment → NotifyShipping. Each activity has retry policy (3 retries, 30s backoff)." | Fan-out/fan-in pattern; use Task.WhenAll for parallel activities |
AKS + Workload Identity
```bash
claude "configure Workload Identity for our AKS cluster (Workload Identity enabled, OIDC issuer URL known).
Application: 'payments-api' pod in namespace 'production' needs to:
- Read secrets from Key Vault 'acme-prod-kv'
- Write to Azure Service Bus namespace 'acme-prod-sb'
- Read from Blob Storage container 'orders-prod' in account 'acmeprodsa'
Show all steps:
1. Create Azure Managed Identity 'payments-api-mi' and note its client ID
2. Create Kubernetes ServiceAccount with annotation azure.workload.identity/client-id
3. Create Federated Identity Credential (Bicep resource: federatedIdentityCredentials)
4. RBAC assignments: Key Vault Secrets User, Service Bus Data Sender, Storage Blob Data Reader
5. Pod spec annotations (azure.workload.identity/use: 'true')
6. Verify with: kubectl exec → env | grep AZURE"
```
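The Azure side of steps 1, 3 and 4 (identity, federated credential, resource-scoped role assignments) as one Bicep module. This is an added example, not code from the page or from Claude; it assumes the Key Vault, Service Bus namespace and storage account already exist in the deployment's resource group, and the Kubernetes ServiceAccount name `payments-api` is an assumption. Steps 2 and 5 are Kubernetes manifests and are not shown here.

```bicep
// Added example (not code from the page or from Claude): Azure side of AKS workload identity
// for the payments-api pod. Existing resources are assumed to be in this resource group.

param location string = resourceGroup().location
param identityName string = 'payments-api-mi'
@description('oidcIssuerUrl output of the AKS cluster module')
param oidcIssuerUrl string
param k8sNamespace string = 'production'
param k8sServiceAccount string = 'payments-api' // assumed ServiceAccount name
param keyVaultName string = 'acme-prod-kv'
param serviceBusNamespaceName string = 'acme-prod-sb'
param storageAccountName string = 'acmeprodsa'
param blobContainerName string = 'orders-prod'

// Built-in role definition GUIDs; these are identical in every tenant.
var roles = {
  keyVaultSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6'
  serviceBusDataSender: '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
  storageBlobDataReader: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
}

// Step 1: the user-assigned identity the pod will act as.
resource mi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Step 3: federated credential. Only a token minted by this cluster's issuer for exactly this
// namespace/ServiceAccount pair can be exchanged for the identity's Entra token, so there is
// no client secret or certificate to store, rotate or leak.
resource fic 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
  parent: mi
  name: 'aks-${k8sNamespace}-${k8sServiceAccount}'
  properties: {
    issuer: oidcIssuerUrl
    subject: 'system:serviceaccount:${k8sNamespace}:${k8sServiceAccount}'
    audiences: ['api://AzureADTokenExchange']
  }
}

// Existing targets, referenced so each role assignment can be scoped to that single resource.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: keyVaultName }
resource sb 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { name: serviceBusNamespaceName }
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: storageAccountName }
resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' existing = { parent: sa, name: 'default' }
resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' existing = { parent: blobService, name: blobContainerName }

// Step 4: least-privilege data-plane roles, scoped to the resource rather than the resource group.
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, mi.id, roles.keyVaultSecretsUser)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.keyVaultSecretsUser)
    principalId: mi.properties.principalId
    principalType: 'ServicePrincipal' // avoids the replication race on freshly created identities
  }
}

resource sbRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sb.id, mi.id, roles.serviceBusDataSender)
  scope: sb
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.serviceBusDataSender)
    principalId: mi.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Scoped to the one container, not the whole storage account.
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(container.id, mi.id, roles.storageBlobDataReader)
  scope: container
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.storageBlobDataReader)
    principalId: mi.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

output clientId string = mi.properties.clientId // value for the azure.workload.identity/client-id annotation (step 2)
output principalId string = mi.properties.principalId
```

Two checks worth doing before the verification in step 6: the Key Vault must be in RBAC authorization mode (`enableRbacAuthorization: true`) or the Key Vault Secrets User assignment is ignored in favour of access policies, and the `subject` string must match the namespace and ServiceAccount exactly, since a mismatch shows up only as a token-exchange failure at runtime rather than at deployment time.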
Azure DevOps Pipeline Workflows
Multi-stage pipeline with workload identity
```bash
claude "write an azure-pipelines.yml for our .NET 9 API:
Trigger: main branch + PRs to main.
Stages:
1. Build: dotnet build + test + publish artifact
2. Deploy Dev: az deployment group create (Bicep), dotnet publish to App Service (no approval gate)
3. Deploy Staging: same, requires 1 approval from 'senior-devs' group
4. Deploy Prod: same, requires 2 approvals from 'platform-leads' group, deployment window 10:00-16:00 UTC weekdays
Use Workload Identity Federation for all Azure deployments (no stored secrets).
Cache NuGet packages between stages.
Publish test results and code coverage (Coverlet → Cobertura format).
Add a What-If stage before each deployment showing Bicep changes."
```
5 Tips for Azure + Claude Code
- Tell Claude your Bicep API version preferences (e.g. "use Microsoft.Web/sites@2024-04-01 for App Service"). Claude uses the latest stable API unless told otherwise, but enterprise subscriptions sometimes have policy restrictions on preview APIs.
- Always say "use DefaultAzureCredential" for authentication in Azure Functions and .NET apps. Claude knows this works seamlessly across local development (az login) and production (Managed Identity) without code changes.
- Paste the output of `az deployment group what-if` when debugging Bicep changes — Claude interprets the what-if output and explains which resource deletions or recreations are safe vs. destructive.
- For AKS troubleshooting, tell Claude whether you're using Azure CNI or kubenet, and whether Calico NetworkPolicy is enabled. Networking diagnostics differ significantly between these modes.
- When writing Azure DevOps YAML, tell Claude your agent pool name and OS (windows-latest vs ubuntu-latest). .NET build steps and path separators differ between Windows and Linux agents.