Quickstart: Set up Azure Attestation with Azure CLI

Get started with Azure Attestation by using Azure CLI.


If you don't have an Azure subscription, create a free account before you begin.

Get started

  1. Install this extension using the below CLI command

    az extension add --name attestation
  2. Check the version

    az extension show --name attestation --query version
  3. Use the following command to sign into Azure:

    az login
  4. If needed, switch to the subscription for Azure Attestation:

    az account set --subscription 00000000-0000-0000-0000-000000000000
  5. Register the Microsoft.Attestation resource provider in the subscription with the az provider register command:

    az provider register --name Microsoft.Attestation

    For more information about Azure resource providers, and how to configure and manage them, see Azure resource providers and types.


    You only need to register a resource provider once for a subscription.

  6. Create a resource group for the attestation provider. You can put other Azure resources in the same resource group, including a virtual machine with a client application instance. Run the az group create command to create a resource group, or use an existing resource group:

    az group create --name attestationrg --location uksouth

Create and manage an attestation provider

Here are commands you can use to create and manage the attestation provider:

  1. Run the az attestation create command to create an attestation provider without policy signing requirement:

    az attestation create --name "myattestationprovider" --resource-group "MyResourceGroup" --location westus
  2. Run the az attestation show command to retrieve attestation provider properties such as status and AttestURI:

    az attestation show --name "myattestationprovider" --resource-group "MyResourceGroup"

    This command displays values like the following output:

    Location: MyLocation
    ResourceGroupName: MyResourceGroup
    Name: MyAttestationProvider
    Status: Ready
    TrustModel: AAD
    AttestUri: https://MyAttestationProvider.us.attest.azure.net

You can delete an attestation provider by using the az attestation delete command:

az attestation delete --name "myattestationprovider" --resource-group "sample-resource-group"

Policy management

Use the commands described here to provide policy management for an attestation provider, one attestation type at a time.

The az attestation policy show command returns the current policy for the specified TEE:

az attestation policy show --name "myattestationprovider" --resource-group "MyResourceGroup" --attestation-type SGX-IntelSDK


The command displays the policy in both text and JWT format.

The following are supported TEE types:

  • SGX-IntelSDK
  • SGX-OpenEnclaveSDK
  • TPM

Use the az attestation policy set command to set a new policy for the specified attestation type.

To set policy in text format for a given kind of attestation type using file path:

az attestation policy set --name testatt1 --resource-group testrg --attestation-type SGX-IntelSDK --new-attestation-policy-file "{file_path}"

To set policy in JWT format for a given kind of attestation type using file path:

az attestation policy set --name "myattestationprovider" --resource-group "MyResourceGroup" \
--attestation-type SGX-IntelSDK -f "{file_path}" --policy-format JWT

Next steps