List all Azure Cosmos DB accounts in the current subscription.

The subscription is resolved automatically — first from the AZURE_SUBSCRIPTION_ID environment variable, then from the active 'az login' session. If neither is available, an error is returned with instructions.

List all databases in an Azure Cosmos DB account.

Returns a sorted JSON array of database names. The account can be given as a short name (e.g. my-cosmos-account) or as a full endpoint URL — the https:// prefix and .documents.azure.com suffix will be added automatically if missing.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

List all containers in a Cosmos DB database.

Returns a sorted JSON array of container names. The account can be given as a short name or full endpoint URL.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

Get metadata for a Cosmos DB container.

Returns partition key path, indexing policy, default TTL, unique key policy, and system properties (_self, _etag, _ts). The account can be given as a short name or full endpoint URL.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

Run a SQL query against a Cosmos DB container and return results.

Uses Cosmos DB SQL API syntax, e.g.: SELECT * FROM c WHERE c.status = 'active' SELECT c.id, c.name FROM c ORDER BY c._ts DESC

max_items is capped at 1000. Cross-partition queries are enabled automatically. Use cosmosdb_query_items_to_file instead if the result set may be large.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

Run a SQL query against a Cosmos DB container and save results to a file.

Results are written to output_file as a JSON array. Only the item count is returned in context — use this variant when the result set may be large to avoid filling the context window. max_items is capped at 1000.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

Count items in a Cosmos DB container, with an optional filter.

where accepts a SQL WHERE clause body (without the WHERE keyword), e.g.: c.status = 'active' c.createdAt > '2025-01-01'

If where is omitted, counts all items in the container. Returns a JSON object with a 'count' field.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

Read a single item from a Cosmos DB container by ID and partition key.

Returns the full item document as JSON. Both item_id and partition_key are required — Cosmos DB requires the partition key for efficient point reads.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

Insert or replace an item in a Cosmos DB container.

The item must include an 'id' field. If an item with the same id and partition key already exists it will be replaced; otherwise a new item is created. Returns the stored item document (including system fields) as JSON.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

Delete an item from a Cosmos DB container.

THIS IS DESTRUCTIVE — the item cannot be recovered after deletion. Both item_id and partition_key are required.

key_env_var: name of the environment variable holding the Cosmos DB account key. If the variable is set, key-based auth is used; otherwise DefaultAzureCredential is used.

List all Azure Service Bus namespaces in the current subscription.

The subscription is resolved automatically — first from the AZURE_SUBSCRIPTION_ID environment variable, then from the active 'az login' session. If neither is available, an error is returned with instructions.

List all queues in an Azure Service Bus namespace.

Returns a sorted JSON array of queue names. The namespace can be given as a short name (e.g. shdapps-dev1-eus2-sbn) or as a fully qualified hostname — the .servicebus.windows.net suffix will be appended automatically if missing.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

List all topics in an Azure Service Bus namespace.

Returns a sorted JSON array of topic names. If include_subscriptions is true, returns a JSON object mapping each topic name to a sorted array of its subscription names. The namespace can be given as a short name or fully qualified hostname.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Send a single message to an Azure Service Bus queue or topic.

The namespace can be given as a short name or fully qualified hostname.

scheduled_enqueue_time accepts an ISO 8601 string (e.g. '2026-03-05T10:00:00Z'). If provided, the message will be enqueued at that time rather than immediately.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Send multiple messages to an Azure Service Bus queue or topic in a single batch.

Each message in the 'messages' array should have:

• body (string, required): the message content

• session_id (string, optional)

• correlation_id (string, optional)

• application_properties (object, optional): key/value map of custom properties

• scheduled_enqueue_time (string, optional): ISO 8601 time to enqueue the message

The entire batch is delivered in a single send operation. Useful for seeding test data.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Non-destructively peek at messages in an Azure Service Bus queue.

Messages are not locked or consumed — this is a read-only operation. Returns message bodies and metadata (sequence number, enqueue time, properties). max_count is capped at 100. For session-enabled queues, provide a session_id to peek a specific session. If session_id is omitted on a session-enabled queue, the next available session is accepted, peeked, and immediately released. Use servicebus_peek_messages_to_file instead if message bodies may be large.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Non-destructively peek at messages in an Azure Service Bus queue, saving bodies to a file.

Message bodies are written to output_file as JSON (keyed by sequence number). Only metadata (sequence number, enqueue time, properties) is returned in context — use this variant when message bodies may be large to avoid filling the context window.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Non-destructively peek at messages in the dead letter queue for an Azure Service Bus queue.

Messages are not locked or consumed — this is a read-only operation. Returns message bodies, dead letter reason, error description, and other metadata. max_count is capped at 100. Use servicebus_peek_dlq_to_file instead if message bodies may be large.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Non-destructively peek at messages in the dead letter queue for an Azure Service Bus queue, saving bodies to a file.

Message bodies are written to output_file as JSON (keyed by sequence number). Only metadata (dead letter reason, error description, sequence number, enqueue time) is returned in context.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Delete all messages from the dead letter queue for an Azure Service Bus queue.

THIS IS DESTRUCTIVE — messages cannot be recovered after purging. Stops and leaves remaining messages untouched if the running total exceeds max_messages.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Move messages from a queue's dead letter queue back to the main queue.

Each message is re-sent to the main queue preserving body, session_id, correlation_id, and application_properties, then completed (removed) from the dead letter queue. Stops if the running total would exceed max_messages.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Delete all messages from an Azure Service Bus queue.

THIS IS DESTRUCTIVE — messages cannot be recovered after purging. Stops and leaves remaining messages untouched if the running total exceeds max_messages.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Non-destructively peek at messages in an Azure Service Bus topic subscription.

Messages are not locked or consumed — this is a read-only operation. Returns message bodies and metadata (sequence number, enqueue time, properties). max_count is capped at 100. Use servicebus_peek_subscription_messages_to_file instead if message bodies may be large.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Non-destructively peek at messages in an Azure Service Bus topic subscription, saving bodies to a file.

Message bodies are written to output_file as JSON (keyed by sequence number). Only metadata (sequence number, enqueue time, properties) is returned in context.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Non-destructively peek at messages in the dead letter queue for a topic subscription.

Messages are not locked or consumed — this is a read-only operation. Returns message bodies, dead letter reason, error description, and other metadata. max_count is capped at 100. Use servicebus_peek_subscription_dlq_to_file instead if message bodies may be large.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Non-destructively peek at messages in the dead letter queue for a topic subscription, saving bodies to a file.

Message bodies are written to output_file as JSON (keyed by sequence number). Only metadata (dead letter reason, error description, sequence number, enqueue time) is returned in context.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Delete all messages from an Azure Service Bus topic subscription.

THIS IS DESTRUCTIVE — messages cannot be recovered after purging. Stops and leaves remaining messages untouched if the running total exceeds max_messages.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Delete all messages from the dead letter queue for a topic subscription.

THIS IS DESTRUCTIVE — messages cannot be recovered after purging. Stops and leaves remaining messages untouched if the running total exceeds max_messages.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

Move messages from a topic subscription's dead letter queue back to the topic.

Each message is re-sent to the topic preserving body, session_id, correlation_id, and application_properties, then completed (removed) from the dead letter queue. Stops if the running total would exceed max_messages.

connection_string_env_var: name of the environment variable holding the Service Bus connection string. If the variable is set, connection-string auth is used; otherwise DefaultAzureCredential is used.

List all Azure PIM roles you are eligible to activate, across all accessible subscriptions.

Returns role name, scope, eligibility status, and whether the eligibility is permanent or time-limited. Use this to discover what roles are available before calling authorization_activate_role.

Activate an eligible Azure PIM role assignment.

role: the role name exactly as returned by authorization_list_eligible_roles (e.g. 'Contributor') scope: the scope to activate on, exactly as returned by authorization_list_eligible_roles justification: reason for activation (required by Azure PIM) duration: optional ISO 8601 duration string (e.g. 'PT4H', 'PT30M'). Defaults to the maximum duration allowed by the role's policy. Capped at the policy maximum if exceeded.

Returns the activation status and request ID. Status 'Provisioned' means immediately active. Status 'PendingApproval' or 'PendingApprovalProvisioning' means an approver must act first.