Table of Contents
- Introduction to Azure Resource IDs
- The Azure Resource ID Format
- Scope Levels
- Subscription ID
- Resource Groups
- Resource Providers and Types
- Nested and Child Resources
- Resource ID Examples by Service
- Using Resource IDs in Azure CLI and PowerShell
- Resource IDs in ARM Templates and Bicep
- Common Mistakes
- Using Our Free Azure Resource ID Parser
Introduction to Azure Resource IDs
Every resource you create in Microsoft Azure — whether it is a virtual machine, a storage account, a Kubernetes cluster, or a network security group — is assigned a unique identifier known as an Azure Resource ID. These identifiers are the backbone of Azure Resource Manager (ARM), the deployment and management layer that organizes everything in the Azure cloud. Understanding Azure Resource IDs is not merely a nice-to-have; it is a fundamental skill for anyone who works with Azure at any serious level.
Azure Resource IDs appear in virtually every aspect of the platform. When you work in the Azure Portal, every resource's URL contains its resource ID. When you use the Azure CLI or Azure PowerShell, you reference resources by their IDs for targeted operations. ARM templates and Bicep files use the resourceId() function to create references between resources. Azure Policy evaluates resource IDs to enforce governance rules. Role-Based Access Control (RBAC) assigns permissions at specific scopes, each represented by a resource ID. The Azure SDKs for .NET, Python, Java, Go, and JavaScript all accept resource IDs as parameters for resource operations.
Despite their importance, Azure Resource IDs can be surprisingly long and complex, especially for nested or child resources. They follow a hierarchical path-based format that encodes the subscription, resource group, provider namespace, resource type, and resource name into a single string. Getting any segment wrong — a misspelled provider name, a missing parent resource, an incorrect case — can lead to cryptic errors that are difficult to debug.
This guide will walk you through every aspect of Azure Resource IDs. We will break down the format, explain each component, cover scope levels, document the most common resource providers and types, show how nested resources work, provide dozens of real-world examples, demonstrate CLI and PowerShell usage, explain ARM template and Bicep patterns, and highlight the most frequent mistakes. By the end, you will have a thorough and practical understanding of how Azure resource identifiers work.
The Azure Resource ID Format
Every Azure Resource ID follows a structured, hierarchical path format. The general syntax for a resource within a resource group is:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{providerNamespace}/{resourceType}/{resourceName}Let us break down each segment in detail using a concrete example:
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm
| | | | | | | |
| | | | | | | +-- Resource Name
| | | | | | +-- Resource Type
| | | | | +-- Provider Namespace
| | | | +-- "providers" literal segment
| | | +-- Resource Group Name
| | +-- "resourceGroups" literal segment
| +-- Subscription ID (GUID)
+-- "subscriptions" literal segmentSegment 1: Leading Forward Slash
Every Azure Resource ID begins with a forward slash (/). This is a fixed prefix that signals the start of a resource path. Unlike AWS ARNs which use a arn: prefix, Azure uses a path-like structure reminiscent of a filesystem hierarchy. The leading slash is always present and must not be omitted.
Segment 2: Subscriptions
The literal segment subscriptions followed by the subscription GUID identifies which Azure subscription contains the resource. This is always the first level of the hierarchy for subscription-scoped resources. We cover subscription IDs in detail in the Subscription ID section.
Segment 3: Resource Groups
The literal segment resourceGroups followed by the resource group name identifies the logical container for the resource. Resource groups are a core organizational construct in Azure and are covered in the Resource Groups section.
Segment 4: Providers
The literal segment providers followed by the provider namespace (such as Microsoft.Compute or Microsoft.Storage) identifies which Azure resource provider manages the resource. The provider namespace is a two-part name with a company prefix and a service name, separated by a dot. We provide a comprehensive table of providers in the Resource Providers section.
Segment 5: Resource Type and Name
The resource type (such as virtualMachines or storageAccounts) and resource name (such as my-vm or mystorageaccount) identify the specific type and instance of the resource. For nested resources, additional type/name pairs are appended to form a longer path. We explore nested resources in the Nested Resources section.
Here is another fully annotated example with a different resource type:
# Azure Storage Account Resource ID
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/prod-storage-rg/providers/Microsoft.Storage/storageAccounts/proddata2026
# Breakdown:
# /subscriptions/12345678-... - Subscription (GUID identifier)
# /resourceGroups/prod-storage-rg - Resource group name
# /providers/Microsoft.Storage - Provider namespace (Azure Storage)
# /storageAccounts - Resource type
# /proddata2026 - Resource nameScope Levels
Azure organizes resources into a hierarchy of four scope levels. Each scope level has its own resource ID format, and understanding these levels is critical for working with RBAC, Azure Policy, and resource management. The four levels, from broadest to narrowest, are: Tenant, Management Group, Subscription, and Resource Group.
Tenant Scope
The tenant is the top-level scope representing your Azure Active Directory (Entra ID) instance. Tenant-level resource IDs are used for operations that span the entire organization, such as management group creation and tenant-wide policy assignments. The resource ID format at the tenant scope is simply:
# Tenant root
/
# Tenant-level resource (e.g., a management group created at tenant root)
/providers/Microsoft.Management/managementGroups/my-management-group
# Tenant-level policy definition
/providers/Microsoft.Authorization/policyDefinitions/my-custom-policyTenant-scoped resource IDs do not include a subscription or resource group segment because they exist above those levels in the hierarchy.
Management Group Scope
Management groups are optional containers that sit between the tenant and subscriptions. They allow you to organize subscriptions into groups for applying governance controls like Azure Policy and RBAC at scale. The resource ID format for management group scope is:
# Management group
/providers/Microsoft.Management/managementGroups/my-management-group
# Policy assignment at management group scope
/providers/Microsoft.Management/managementGroups/my-management-group/providers/Microsoft.Authorization/policyAssignments/enforce-tagging
# Role assignment at management group scope
/providers/Microsoft.Management/managementGroups/my-management-group/providers/Microsoft.Authorization/roleAssignments/11111111-2222-3333-4444-555555555555Subscription Scope
The subscription is the primary billing and access control boundary in Azure. Most resource IDs begin at the subscription scope. Subscription-level resource IDs include the subscription GUID but do not include a resource group:
# Subscription itself
/subscriptions/12345678-1234-1234-1234-123456789abc
# Resource provider registration at subscription scope
/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Compute
# Policy assignment at subscription scope
/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Authorization/policyAssignments/enforce-naming
# Role assignment at subscription scope
/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Authorization/roleAssignments/11111111-2222-3333-4444-555555555555
# Subscription-level resource (resource group itself)
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/my-resource-groupResource Group Scope
The resource group scope is the most common scope for Azure resources. This is where the vast majority of Azure resources live — virtual machines, storage accounts, databases, networking resources, and more. The resource ID format at this scope includes the full path:
# Resource group itself
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/my-rg
# Resource within a resource group
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm
# RBAC role assignment scoped to a specific resource
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm/providers/Microsoft.Authorization/roleAssignments/11111111-2222-3333-4444-555555555555Notice how RBAC role assignments can be scoped at any level in the hierarchy. A role assignment on a specific virtual machine would include the full path to the VM followed by the authorization provider path.
Subscription ID
The subscription ID is a globally unique identifier (GUID) that identifies your Azure subscription. It follows the standard GUID format of 8-4-4-4-12 hexadecimal characters, separated by hyphens:
# GUID format: 8-4-4-4-12
12345678-1234-1234-1234-123456789abc
# Real-world example
a1b2c3d4-e5f6-7890-abcd-ef1234567890
The subscription ID is a fundamental component of virtually every resource ID in Azure. It appears immediately after the /subscriptions/ segment and uniquely identifies the billing and access boundary in which a resource exists.
Where to Find Your Subscription ID
You can find your subscription ID in several ways:
# Azure CLI
az account show --query id --output tsv
# Azure PowerShell
(Get-AzContext).Subscription.Id
# Azure CLI - list all subscriptions
az account list --query "[].{Name:name, Id:id}" --output table
In the Azure Portal, navigate to the Subscriptions blade and the ID is displayed in the overview for each subscription. You can also see it in the URL bar when viewing any resource — it is the GUID that appears after /subscriptions/ in the URL.
Multi-Subscription Architectures
In enterprise environments, organizations often use multiple subscriptions to isolate workloads, environments (dev/staging/production), or business units. Each subscription has its own unique ID, and resource IDs from different subscriptions will differ in the subscription segment even if the resource group and resource names are identical:
# Same resource name in different subscriptions
/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/web-server
/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/web-serverThese are two completely different virtual machines in two different subscriptions, even though they share the same resource group name and VM name. The subscription ID is what makes each resource ID globally unique.
Resource Groups
Resource groups are logical containers in Azure that hold related resources for an application, environment, or project. Every resource deployed at the resource group scope must belong to exactly one resource group. The resource group name appears in the resource ID immediately after the /resourceGroups/ segment.
Naming Constraints
Resource group names have specific constraints: they can be up to 90 characters long and may contain alphanumeric characters, hyphens, underscores, parentheses, and periods. They cannot end with a period. Common naming conventions include patterns like rg-projectname-environment-region or projectname-environment-rg.
Case Insensitivity in Resource IDs
An important characteristic of Azure Resource IDs is that they are case-insensitive. This means the following resource IDs all refer to the same resource:
# All of these refer to the same resource
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/my-vm
/subscriptions/12345678-1234-1234-1234-123456789abc/resourcegroups/myresourcegroup/providers/microsoft.compute/virtualmachines/my-vm
/subscriptions/12345678-1234-1234-1234-123456789abc/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/MY-VM
While Azure treats resource IDs as case-insensitive, the ARM API typically returns them in a canonical casing. It is good practice to use consistent casing in your code and configuration files to avoid confusion, even though Azure will accept any casing. The canonical form uses camelCase for segment names like resourceGroups, virtualMachines, and storageAccounts.
Resource Group in the Resource ID
The resource group name is always present in the resource ID for resource-group-scoped resources. It appears between /resourceGroups/ and /providers/:
/subscriptions/12345678-.../resourceGroups/prod-web-rg/providers/Microsoft.Web/sites/my-app
# The resource group is: prod-web-rgIf you move a resource to a different resource group (which Azure supports for many resource types), the resource ID changes because the resource group segment is different. This is an important consideration for any automation or configuration that references resources by their full ID.
Resource Providers and Types
Azure resource providers are services that supply the resource types you can deploy and manage. Each provider has a namespace following the format CompanyName.ServiceName, and most Azure services use the Microsoft. prefix. The provider namespace and resource type together determine what kind of resource the ID refers to.
Below is a comprehensive table of the most commonly used Azure resource providers, their resource types, and what they represent:
Microsoft.Compute
# Virtual Machines
Microsoft.Compute/virtualMachines
# Managed Disks
Microsoft.Compute/disks
# Virtual Machine Scale Sets
Microsoft.Compute/virtualMachineScaleSets
# Availability Sets
Microsoft.Compute/availabilitySets
# Images
Microsoft.Compute/images
# Snapshots
Microsoft.Compute/snapshots
# Proximity Placement Groups
Microsoft.Compute/proximityPlacementGroupsMicrosoft.Storage
# Storage Accounts
Microsoft.Storage/storageAccounts
# Blob Containers (child resource)
Microsoft.Storage/storageAccounts/blobServices/containers
# File Shares (child resource)
Microsoft.Storage/storageAccounts/fileServices/shares
# Queues (child resource)
Microsoft.Storage/storageAccounts/queueServices/queues
# Tables (child resource)
Microsoft.Storage/storageAccounts/tableServices/tablesMicrosoft.Network
# Virtual Networks
Microsoft.Network/virtualNetworks
# Subnets (child resource)
Microsoft.Network/virtualNetworks/subnets
# Network Security Groups
Microsoft.Network/networkSecurityGroups
# Network Interfaces
Microsoft.Network/networkInterfaces
# Public IP Addresses
Microsoft.Network/publicIPAddresses
# Load Balancers
Microsoft.Network/loadBalancers
# Application Gateways
Microsoft.Network/applicationGateways
# Azure Firewalls
Microsoft.Network/azureFirewalls
# DNS Zones
Microsoft.Network/dnsZones
# Private DNS Zones
Microsoft.Network/privateDnsZones
# Virtual Network Gateways
Microsoft.Network/virtualNetworkGateways
# Route Tables
Microsoft.Network/routeTablesMicrosoft.Sql
# SQL Servers
Microsoft.Sql/servers
# SQL Databases (child resource)
Microsoft.Sql/servers/databases
# Elastic Pools (child resource)
Microsoft.Sql/servers/elasticPools
# Firewall Rules (child resource)
Microsoft.Sql/servers/firewallRulesMicrosoft.Web
# App Service (Web Apps)
Microsoft.Web/sites
# App Service Plans
Microsoft.Web/serverfarms
# Function Apps (same type as Web Apps)
Microsoft.Web/sites
# Deployment Slots (child resource)
Microsoft.Web/sites/slots
# App Service Certificates
Microsoft.Web/certificatesMicrosoft.KeyVault
# Key Vaults
Microsoft.KeyVault/vaults
# Secrets (child resource, data plane)
Microsoft.KeyVault/vaults/secrets
# Keys (child resource, data plane)
Microsoft.KeyVault/vaults/keys
# Certificates (child resource)
Microsoft.KeyVault/vaults/certificatesMicrosoft.ContainerService
# Azure Kubernetes Service (AKS) Clusters
Microsoft.ContainerService/managedClusters
# AKS Agent Pools (child resource)
Microsoft.ContainerService/managedClusters/agentPoolsMicrosoft.ContainerRegistry
# Azure Container Registry
Microsoft.ContainerRegistry/registries
# Replications (child resource)
Microsoft.ContainerRegistry/registries/replications
# Webhooks (child resource)
Microsoft.ContainerRegistry/registries/webhooksMicrosoft.DocumentDB
# Cosmos DB Accounts
Microsoft.DocumentDB/databaseAccounts
# Cosmos DB SQL Databases (child resource)
Microsoft.DocumentDB/databaseAccounts/sqlDatabases
# Cosmos DB SQL Containers (child resource)
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containersMicrosoft.EventHub
# Event Hub Namespaces
Microsoft.EventHub/namespaces
# Event Hubs (child resource)
Microsoft.EventHub/namespaces/eventhubs
# Consumer Groups (child resource)
Microsoft.EventHub/namespaces/eventhubs/consumergroupsMicrosoft.ServiceBus
# Service Bus Namespaces
Microsoft.ServiceBus/namespaces
# Queues (child resource)
Microsoft.ServiceBus/namespaces/queues
# Topics (child resource)
Microsoft.ServiceBus/namespaces/topics
# Subscriptions (child of topic)
Microsoft.ServiceBus/namespaces/topics/subscriptionsMicrosoft.Insights
# Application Insights Components
Microsoft.Insights/components
# Metric Alerts
Microsoft.Insights/metricAlerts
# Activity Log Alerts
Microsoft.Insights/activityLogAlerts
# Action Groups
Microsoft.Insights/actionGroups
# Diagnostic Settings (extension resource)
Microsoft.Insights/diagnosticSettingsMicrosoft.OperationalInsights
# Log Analytics Workspaces
Microsoft.OperationalInsights/workspaces
# Saved Searches (child resource)
Microsoft.OperationalInsights/workspaces/savedSearchesMicrosoft.CognitiveServices
# Cognitive Services Accounts (OpenAI, Language, Vision, etc.)
Microsoft.CognitiveServices/accounts
# Deployments (child resource, used for Azure OpenAI model deployments)
Microsoft.CognitiveServices/accounts/deploymentsMicrosoft.MachineLearningServices
# Azure Machine Learning Workspaces
Microsoft.MachineLearningServices/workspaces
# Compute Instances (child resource)
Microsoft.MachineLearningServices/workspaces/computes
# Online Endpoints (child resource)
Microsoft.MachineLearningServices/workspaces/onlineEndpointsNested and Child Resources
Many Azure resources have a parent-child relationship. A child resource exists within the context of its parent and cannot exist independently. In the resource ID, child resources are represented by appending additional resource type and name segments after the parent resource. This creates a longer, hierarchical path that encodes the full ancestry of the resource.
The general pattern for a nested resource is:
/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/{namespace}/{parentType}/{parentName}/{childType}/{childName}For deeply nested resources, this pattern can extend further with additional type/name pairs. Let us look at specific examples for common parent-child relationships.
Virtual Network and Subnets
Subnets are child resources of virtual networks. A subnet cannot exist outside a VNet, and its resource ID reflects this hierarchy:
# Parent: Virtual Network
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/prod-vnet
# Child: Subnet within the VNet
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/prod-vnet/subnets/app-subnet
Notice that the subnet's resource ID is the VNet's resource ID with /subnets/app-subnet appended. The subnet type (subnets) does not need to be prefixed with the provider namespace because it inherits the namespace from its parent.
SQL Server and Databases
Azure SQL databases are child resources of SQL logical servers:
# Parent: SQL Server
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/data-rg/providers/Microsoft.Sql/servers/prod-sql-server
# Child: Database within the server
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/data-rg/providers/Microsoft.Sql/servers/prod-sql-server/databases/customer-db
# Child: Firewall rule on the server
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/data-rg/providers/Microsoft.Sql/servers/prod-sql-server/firewallRules/allow-azure-servicesKey Vault and Secrets
Key Vault secrets, keys, and certificates are child resources of the vault:
# Parent: Key Vault
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/security-rg/providers/Microsoft.KeyVault/vaults/prod-keyvault
# Child: Secret within the vault
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/security-rg/providers/Microsoft.KeyVault/vaults/prod-keyvault/secrets/database-connection-string
# Child: Key within the vault
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/security-rg/providers/Microsoft.KeyVault/vaults/prod-keyvault/keys/encryption-keyStorage Account and Containers
Blob containers in Azure Storage have a three-level nesting: storage account, blob service, and container:
# Parent: Storage Account
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/storage-rg/providers/Microsoft.Storage/storageAccounts/proddata2026
# Intermediate: Blob Service (always named "default")
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/storage-rg/providers/Microsoft.Storage/storageAccounts/proddata2026/blobServices/default
# Child: Blob Container
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/storage-rg/providers/Microsoft.Storage/storageAccounts/proddata2026/blobServices/default/containers/uploads
The blobServices/default intermediate segment is a common pattern in Azure. Several services have a "default" service layer between the parent resource and its children. This might seem redundant, but it allows Azure to support multiple service types within the same parent resource (blob, file, queue, and table services within a storage account, for example).
Event Hub Namespace, Event Hub, and Consumer Group
Event Hubs demonstrates a three-level nesting:
# Level 1: Event Hub Namespace
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/messaging-rg/providers/Microsoft.EventHub/namespaces/prod-eventhub-ns
# Level 2: Event Hub within the Namespace
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/messaging-rg/providers/Microsoft.EventHub/namespaces/prod-eventhub-ns/eventhubs/order-events
# Level 3: Consumer Group within the Event Hub
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/messaging-rg/providers/Microsoft.EventHub/namespaces/prod-eventhub-ns/eventhubs/order-events/consumergroups/analytics-processorResource ID Examples by Service
Below are real-world Azure Resource ID examples organized by service. These cover the most commonly used Azure services and can serve as a quick reference when constructing or parsing resource IDs.
Compute
# Virtual Machine
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/web-server-01
# Managed Disk
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/compute-rg/providers/Microsoft.Compute/disks/web-server-01-osdisk
# Virtual Machine Scale Set
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachineScaleSets/web-vmss
# Availability Set
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/compute-rg/providers/Microsoft.Compute/availabilitySets/web-avsetStorage
# Storage Account
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/storage-rg/providers/Microsoft.Storage/storageAccounts/proddata2026
# Blob Container
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/storage-rg/providers/Microsoft.Storage/storageAccounts/proddata2026/blobServices/default/containers/images
# File Share
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/storage-rg/providers/Microsoft.Storage/storageAccounts/proddata2026/fileServices/default/shares/team-filesNetworking
# Virtual Network
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/prod-vnet
# Subnet
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/prod-vnet/subnets/backend-subnet
# Network Security Group
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/network-rg/providers/Microsoft.Network/networkSecurityGroups/web-nsg
# Public IP Address
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/network-rg/providers/Microsoft.Network/publicIPAddresses/web-lb-pip
# Load Balancer
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/network-rg/providers/Microsoft.Network/loadBalancers/web-lb
# Application Gateway
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/network-rg/providers/Microsoft.Network/applicationGateways/web-appgwDatabases
# Azure SQL Database
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/data-rg/providers/Microsoft.Sql/servers/prod-sql/databases/orders-db
# Cosmos DB Account
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/data-rg/providers/Microsoft.DocumentDB/databaseAccounts/prod-cosmos
# Cosmos DB SQL Database
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/data-rg/providers/Microsoft.DocumentDB/databaseAccounts/prod-cosmos/sqlDatabases/app-data
# Azure Database for PostgreSQL Flexible Server
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/data-rg/providers/Microsoft.DBforPostgreSQL/flexibleServers/prod-postgresWeb and App Services
# App Service (Web App)
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/web-rg/providers/Microsoft.Web/sites/my-web-app
# App Service Plan
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/web-rg/providers/Microsoft.Web/serverfarms/my-app-plan
# Function App
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/web-rg/providers/Microsoft.Web/sites/my-function-app
# Deployment Slot
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/web-rg/providers/Microsoft.Web/sites/my-web-app/slots/stagingContainers
# Azure Kubernetes Service (AKS) Cluster
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/k8s-rg/providers/Microsoft.ContainerService/managedClusters/prod-aks
# AKS Agent Pool
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/k8s-rg/providers/Microsoft.ContainerService/managedClusters/prod-aks/agentPools/systempool
# Azure Container Registry
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/k8s-rg/providers/Microsoft.ContainerRegistry/registries/prodacr2026Security and Identity
# Key Vault
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/security-rg/providers/Microsoft.KeyVault/vaults/prod-keyvault
# Key Vault Secret
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/security-rg/providers/Microsoft.KeyVault/vaults/prod-keyvault/secrets/api-key
# Managed Identity (User-Assigned)
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-identityMonitoring and AI
# Application Insights
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/monitoring-rg/providers/Microsoft.Insights/components/my-app-insights
# Log Analytics Workspace
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/monitoring-rg/providers/Microsoft.OperationalInsights/workspaces/central-logs
# Azure OpenAI Service
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/ai-rg/providers/Microsoft.CognitiveServices/accounts/my-openai
# Azure Machine Learning Workspace
/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/ml-rg/providers/Microsoft.MachineLearningServices/workspaces/ml-workspaceUsing Resource IDs in Azure CLI and PowerShell
One of the most powerful uses of Azure Resource IDs is in command-line operations. Both the Azure CLI and Azure PowerShell accept resource IDs for targeted resource management, and understanding how to use them effectively can dramatically speed up your workflows.
Azure CLI: The --ids Parameter
The Azure CLI supports a --ids parameter on most resource commands. When you provide a full resource ID, you do not need to separately specify the resource name, resource group, or subscription — all of that information is encoded in the ID:
# Instead of specifying each parameter individually:
az vm show --resource-group compute-rg --name web-server-01
# You can use the resource ID directly:
az vm show --ids /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/web-server-01
# Delete a resource by ID
az resource delete --ids /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/storage-rg/providers/Microsoft.Storage/storageAccounts/oldstorageaccount
# Show any resource by ID (generic command)
az resource show --ids /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/data-rg/providers/Microsoft.Sql/servers/prod-sql/databases/orders-dbOperating on Multiple Resources by ID
The --ids parameter accepts multiple resource IDs, allowing you to perform operations on several resources at once:
# Stop multiple VMs at once
az vm stop --ids \
/subscriptions/12345678-.../resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/vm-01 \
/subscriptions/12345678-.../resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/vm-02 \
/subscriptions/12345678-.../resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/vm-03
# Delete multiple resources
az resource delete --ids \
/subscriptions/12345678-.../resourceGroups/test-rg/providers/Microsoft.Network/publicIPAddresses/test-ip-1 \
/subscriptions/12345678-.../resourceGroups/test-rg/providers/Microsoft.Network/publicIPAddresses/test-ip-2Capturing Resource IDs from CLI Output
Many Azure CLI commands return the resource ID in their output. You can capture this for use in subsequent commands:
# Capture the resource ID of a newly created resource
VNET_ID=$(az network vnet create \
--resource-group network-rg \
--name prod-vnet \
--address-prefix 10.0.0.0/16 \
--query id --output tsv)
echo $VNET_ID
# /subscriptions/12345678-.../resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/prod-vnet
# Use the captured ID in another command
SUBNET_ID=$(az network vnet subnet create \
--vnet-name prod-vnet \
--resource-group network-rg \
--name app-subnet \
--address-prefix 10.0.1.0/24 \
--query id --output tsv)
# Reference the subnet ID when creating a NIC
az network nic create \
--resource-group compute-rg \
--name web-nic \
--subnet $SUBNET_IDAzure PowerShell: Get-AzResource and Resource IDs
Azure PowerShell also works extensively with resource IDs. The Get-AzResource cmdlet can retrieve any resource by its ID, and most resource-specific cmdlets accept a -ResourceId parameter:
# Get any resource by its ID
Get-AzResource -ResourceId "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/web-server-01"
# Get a VM specifically
Get-AzVM -ResourceId "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/web-server-01"
# Remove a resource by ID
Remove-AzResource -ResourceId "/subscriptions/12345678-.../resourceGroups/test-rg/providers/Microsoft.Storage/storageAccounts/teststorage" -Force
# Get the resource ID of an existing resource
$vm = Get-AzVM -ResourceGroupName "compute-rg" -Name "web-server-01"
$vm.Id
# /subscriptions/12345678-.../resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/web-server-01Cross-Subscription Operations
Resource IDs shine when performing cross-subscription operations because the subscription context is embedded in the ID:
# No need to switch subscription context - the ID contains the subscription
az resource show --ids /subscriptions/OTHER-SUB-GUID/resourceGroups/shared-rg/providers/Microsoft.Network/virtualNetworks/shared-vnet
# In PowerShell, same principle
Get-AzResource -ResourceId "/subscriptions/OTHER-SUB-GUID/resourceGroups/shared-rg/providers/Microsoft.Network/virtualNetworks/shared-vnet"Resource IDs in ARM Templates and Bicep
Azure Resource Manager (ARM) templates and Bicep files are the native infrastructure-as-code solutions for Azure. Both rely heavily on resource IDs for creating references between resources, and both provide built-in functions for constructing resource IDs dynamically.
The resourceId() Function in ARM Templates
The resourceId() function is one of the most frequently used template functions. It constructs a fully qualified resource ID from the resource type and name:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2023-05-01",
"name": "web-nic",
"location": "[resourceGroup().location]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'prod-vnet', 'app-subnet')]"
},
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'web-pip')]"
}
}
}
],
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'web-nsg')]"
}
}
}
]
}
The resourceId() function automatically prepends the current subscription and resource group context. For nested resources like subnets, you pass the parent and child names as separate arguments.
Cross-Resource-Group References
When referencing resources in a different resource group, pass the resource group name as the first parameter:
# Reference a VNet in a different resource group
"[resourceId('network-rg', 'Microsoft.Network/virtualNetworks', 'shared-vnet')]"
# Reference a resource in a different subscription and resource group
"[resourceId('other-subscription-id', 'network-rg', 'Microsoft.Network/virtualNetworks', 'shared-vnet')]"The reference() Function
The reference() function retrieves the runtime properties of a resource using its resource ID. This is essential for accessing properties that are only known after deployment:
# Get the FQDN of a public IP address
"[reference(resourceId('Microsoft.Network/publicIPAddresses', 'web-pip')).dnsSettings.fqdn]"
# Get the primary endpoint of a storage account
"[reference(resourceId('Microsoft.Storage/storageAccounts', 'proddata2026')).primaryEndpoints.blob]"Bicep: Resource References
Bicep simplifies resource ID handling significantly compared to ARM templates. You can reference resources by their symbolic names, and Bicep automatically resolves the resource ID:
// Bicep - resources reference each other by symbolic name
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
name: 'prod-vnet'
location: resourceGroup().location
properties: {
addressSpace: {
addressPrefixes: ['10.0.0.0/16']
}
}
}
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
parent: vnet
name: 'app-subnet'
properties: {
addressPrefix: '10.0.1.0/24'
}
}
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
name: 'web-nic'
location: resourceGroup().location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
subnet: {
id: subnet.id // Bicep resolves the resource ID automatically
}
}
}
]
}
}
// Output the full resource ID
output nicId string = nic.id
output subnetId string = subnet.id
In Bicep, subnet.id automatically resolves to the full resource ID path. The parent keyword establishes the parent-child relationship for nested resources, and Bicep handles constructing the correct resource ID with all segments.
Existing Resource References in Bicep
When you need to reference a resource that already exists (not defined in the current template), use the existing keyword:
// Reference an existing VNet in a different resource group
resource existingVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
name: 'shared-vnet'
scope: resourceGroup('network-rg')
}
// Use the resource ID
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
name: 'web-nic'
location: resourceGroup().location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
subnet: {
id: '${existingVnet.id}/subnets/app-subnet'
}
}
}
]
}
}Common Mistakes
Working with Azure Resource IDs involves many segments and naming conventions. Getting any of them wrong can lead to "resource not found" errors, failed deployments, or misconfigured RBAC assignments. Here are the most common mistakes and how to avoid them.
Wrong Casing of Segment Names
While Azure Resource IDs are case-insensitive at runtime, inconsistent casing can cause problems with string comparisons in scripts, policy evaluations, and certain SDK operations. Always use the canonical camelCase form:
# INCONSISTENT - may cause issues in string comparisons
/subscriptions/.../Resourcegroups/my-rg/Providers/microsoft.compute/Virtualmachines/my-vm
# CANONICAL - use this form consistently
/subscriptions/.../resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm
Pay particular attention to resourceGroups (capital G), provider namespaces like Microsoft.Compute (capital M, capital C), and resource types like virtualMachines (capital M).
Missing Segments in the Path
Forgetting a segment in the resource ID is a common error, especially for nested resources. Every level of the hierarchy must be present:
# WRONG - missing "blobServices/default" intermediate segment
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/myaccount/containers/mycontainer
# CORRECT - includes the intermediate service segment
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/myaccount/blobServices/default/containers/mycontainer
# WRONG - missing "providers" segment
/subscriptions/.../resourceGroups/rg/Microsoft.Compute/virtualMachines/my-vm
# CORRECT - includes the "providers" segment
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/my-vmWrong Provider Namespace
Using the wrong provider namespace is a subtle mistake. Some services have non-obvious provider names:
# WRONG - Cosmos DB does not use "Microsoft.CosmosDB"
/subscriptions/.../resourceGroups/rg/providers/Microsoft.CosmosDB/accounts/my-cosmos
# CORRECT - Cosmos DB uses "Microsoft.DocumentDB"
/subscriptions/.../resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/my-cosmos
# WRONG - AKS does not use "Microsoft.Kubernetes"
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Kubernetes/clusters/my-aks
# CORRECT - AKS uses "Microsoft.ContainerService/managedClusters"
/subscriptions/.../resourceGroups/rg/providers/Microsoft.ContainerService/managedClusters/my-aks
# WRONG - App Service is not "Microsoft.AppService"
/subscriptions/.../resourceGroups/rg/providers/Microsoft.AppService/webApps/my-app
# CORRECT - App Service uses "Microsoft.Web/sites"
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Web/sites/my-appIncomplete Nested Resource Paths
When working with nested resources, you must include the complete parent path. Omitting any part of the hierarchy results in an invalid resource ID:
# WRONG - subnet without the parent VNet
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/subnets/my-subnet
# CORRECT - subnet includes the parent VNet
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/my-subnet
# WRONG - SQL database without the parent server
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Sql/databases/my-db
# CORRECT - SQL database includes the parent server
/subscriptions/.../resourceGroups/rg/providers/Microsoft.Sql/servers/my-server/databases/my-dbSubscription vs. Resource Group Scope Confusion
Some operations require resource IDs at specific scopes. Providing a resource-group-scoped ID when a subscription-scoped ID is expected (or vice versa) will fail:
# Subscription-scoped policy assignment
/subscriptions/12345678-.../providers/Microsoft.Authorization/policyAssignments/enforce-tagging
# Resource-group-scoped policy assignment (different scope!)
/subscriptions/12345678-.../resourceGroups/my-rg/providers/Microsoft.Authorization/policyAssignments/enforce-tagging
# These are TWO DIFFERENT policy assignments at different scopesLeading Slash Omission
Azure Resource IDs always begin with a forward slash. While some APIs may be forgiving about this, omitting the leading slash can cause failures in string comparisons, SDK operations, and ARM template functions:
# WRONG - missing leading slash
subscriptions/12345678-.../resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/my-vm
# CORRECT - includes leading slash
/subscriptions/12345678-.../resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/my-vmTrailing Slash
Adding a trailing slash to a resource ID is another common mistake. Resource IDs should not end with a slash:
# WRONG - trailing slash
/subscriptions/12345678-.../resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/my-vm/
# CORRECT - no trailing slash
/subscriptions/12345678-.../resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/my-vmUsing Our Free Azure Resource ID Parser
While understanding the Azure Resource ID format is valuable, manually parsing and validating these long, hierarchical strings in your daily workflow is tedious and error-prone. That is why we built the QuickUtil Azure Resource ID Parser — a free, browser-based tool that instantly breaks down any Azure Resource ID into its component parts.
The QuickUtil Azure Resource ID Parser provides:
- Instant Parsing: Paste any Azure Resource ID and instantly see its subscription, resource group, provider namespace, resource type, resource name, and any parent-child relationships broken out into clearly labeled fields.
- Scope Detection: The parser automatically identifies whether the resource ID is at the tenant, management group, subscription, or resource group scope level.
- Nested Resource Handling: Child and deeply nested resources are parsed correctly, with each level of the hierarchy clearly displayed.
- Validation: The parser validates the resource ID format and highlights structural errors, such as missing segments, incorrect provider namespaces, or malformed GUIDs.
- No Data Transmitted: Everything runs in your browser. Your resource IDs — which may contain subscription IDs, resource group names, and resource names — are never sent to any server.
Whether you are debugging an ARM template deployment, reviewing Azure Policy compliance results, setting up RBAC assignments, or simply trying to understand which resource a long ID refers to, the QuickUtil Azure Resource ID Parser saves you time and reduces errors.
Parse and Validate Azure Resource IDs Instantly
Stop manually dissecting long resource ID strings. Use our free Azure Resource ID Parser to instantly break down, validate, and understand any ARM resource identifier.
Try the Azure Resource ID Parser NowRelated Articles
AWS ARN Format Explained: Complete Guide to Amazon Resource Names
Master the AWS ARN format with this comprehensive guide covering ARN structure, partitions, service namespaces, region codes, and real-world examples.
The Complete Guide to Kubernetes YAML Configuration
Master Kubernetes YAML configuration with this comprehensive guide covering Deployments, Services, StatefulSets, and best practices.
Understanding GCP Resource Identifiers and Self Links
Learn how Google Cloud Platform resource identifiers work, from project IDs to self links and resource names.