Skip to main content

Azure Skills Plugin Review — How Microsoft's AI Coding Add-On Holds Up Inside Visual Studio

By Jim Liu14 min read

Azure Skills Plugin review after three weeks of real coding inside Visual Studio 2022 and VS Code. Pricing, setup, three honest test scenarios, plus where it loses to Cursor, Claude Code, and Copilot.

Azure Skills Plugin Review — How Microsoft's AI Coding Add-On Holds Up Inside Visual Studio

Date: May 27, 2026 Read Time: 12 min read Author: Jim Liu, OpenAI Tools Hub Category: AI Tool Review

I have been running the Azure Skills Plugin on two daily-driver machines for three weeks — one .NET 9 monorepo with about 180K lines, and a smaller Python service that pulls from Azure DevOps. The pitch from Microsoft is that this plugin glues the Azure ecosystem (Repos, Pipelines, Key Vault, App Service) into Copilot Chat so you can ask things like "rotate the staging secret and bump the deploy tag" without leaving the editor. That is a very Microsoft pitch. Whether it actually delivers depends on which IDE you live in and how deep your Azure footprint goes.

This is a one-tool deep review, not a leaderboard. If you are choosing between three or four assistants, my Augment Code review, Cursor vs Windsurf comparison, and Tabnine vs GitHub Copilot piece are better starting points.

Key Takeaways

  • Price band: Azure Skills Plugin itself is free on Visual Studio Marketplace, but it requires GitHub Copilot Business ($19/user/mo) or Enterprise ($39/user/mo) plus an Azure subscription. Effective floor cost for a 10-dev team is around $190/mo before Azure compute.
  • What it actually does: Adds Azure-aware tools to Copilot Chat — query Azure Resource Graph, scaffold Bicep, propose ARM template diffs, run az commands through a guarded shell, surface secret rotation suggestions tied to Key Vault.
  • Setup time: About 35 minutes if you have an existing Azure tenant. Closer to 2 hours if you have to set up Workload Identity Federation from scratch.
  • Biggest win: Cross-cutting changes like "find every App Service that still uses TLS 1.0 and write the Bicep to fix them" took 4 minutes instead of the 40 minutes I usually budget.
  • Biggest miss: The chat agent still hallucinates Az CLI flag names from older API versions about once every 8-10 prompts.
  • Verdict: A genuine productivity multiplier if your shop already lives in Azure DevOps. A waste of money if you are mostly on GitHub Actions or AWS.

How I Tested

I want to be specific because "I tried it" reviews are usually meaningless.

Hardware: 2 machines — Surface Laptop Studio 2 (i7-13800H, 32GB) running Windows 11 Pro and Visual Studio 2022 17.12, plus a MacBook Pro M3 (24GB) running VS Code Insiders. The plugin officially supports both, and behavior diverged in interesting ways.

Repos:

  1. Production .NET 9 monorepo — 4 services, 180K lines of C#, deployed to 3 Azure App Service slots, secrets in Key Vault, Pipelines on Azure DevOps.
  2. Internal Python FastAPI service — 22K lines, deployed to Container Apps via GitHub Actions, no DevOps integration.
  3. Greenfield Bicep project I started from scratch for an internal billing dashboard, to test cold-start workflows.

Duration: May 5 to May 26, 2026. Roughly 45 hours of active pair-programming with the plugin, logged via Wakatime.

What I measured: Time-to-first-useful-suggestion per task, hallucination rate (I kept a tally in a Notion doc), Azure CLI commands that needed manual correction, and qualitative friction. I am not pretending this is a randomized trial. It is a working developer's notebook.

I deliberately did not test it against junior-developer onboarding scenarios because I do not have a junior on the team right now. If that is your use case, weight my conclusions lightly.

What Azure Skills Plugin Actually Does

The plugin is technically a set of "skills" that extend GitHub Copilot Chat (the Microsoft-branded chat sidebar). Once enabled, you get new slash commands and the chat agent becomes Azure-aware.

The skills I exercised in practice:

  • /azure resources — queries Azure Resource Graph through your signed-in identity. Returns a structured list rather than dumping JSON into chat.
  • /azure bicep — scaffolds a Bicep file from a natural-language description, then validates it with bicep build automatically.
  • /azure rotate-secret — proposes a Key Vault rotation, generates the rotation script, and waits for explicit approval before running.
  • /azure deploy — wraps az webapp up or az containerapp up with the right parameters pulled from your project context.
  • /azure incident — pulls the last N alerts from Azure Monitor for a resource and asks the LLM to summarize.

There is also a "DevOps work item" integration that lets Copilot read and create work items in Azure Boards directly from chat. That one feels half-finished — see the honest downsides section below.

Under the hood, the plugin uses the same model routing as Copilot Business: GPT-5.2 for code generation in most contexts, Claude Sonnet 4.5 for longer-form reasoning when you opt in via settings. The Azure-specific tools are deterministic wrappers around az and bicep CLIs, so they cannot hallucinate the result of a command — but they can absolutely hallucinate which command to run, which is its own problem.

Setup — The Honest Version

Microsoft's setup doc says "10 minutes." That is true if you already have Workload Identity Federation configured between your IDE and Azure. If you do not, here is the actual sequence I went through on a fresh Surface:

  1. Install the plugin from Visual Studio Marketplace — 1 minute.
  2. Sign in with the same identity as your Copilot Business subscription — 2 minutes (popup got stuck once, had to restart Visual Studio).
  3. Configure Workload Identity Federation against your Azure tenant — this took 28 minutes because the documented PowerShell snippet referenced an az ad app federated-credential flag that has moved.
  4. Grant the plugin's app registration Reader on the subscription, Key Vault Secrets Officer on the vaults you want rotation for, and Contributor on any resource group you want to deploy to.
  5. Open Copilot Chat and run /azure check-permissions to confirm. Mine showed a green checkmark on the first machine and a confusing "scope mismatch" warning on the MacBook that turned out to be a stale token — az logout && az login fixed it.

Total wall-clock on machine one: 35 minutes. Machine two: 18 minutes once I knew the gotchas. If your org enforces conditional access policies, expect another 30-45 minutes of negotiating with whoever owns Entra ID.

I am noting this because the Visual Studio Marketplace page makes it look push-button. It is not.

Test Scenario 1 — Rotate Production Secret Without Breaking Slots

Task: Rotate the database connection string in Key Vault for our staging slot, redeploy the affected App Service, and verify the slot swap.

Old workflow (without plugin): Open Azure portal, navigate to Key Vault, manually rotate, copy new reference, open Pipelines, trigger the deploy, switch tabs to Application Insights to watch for errors. Usually 18-22 minutes including the "did I copy the right URI" anxiety pause.

With Azure Skills Plugin: I typed /azure rotate-secret kv-prod-001 dbconn-staging --then redeploy staging-slot. The plugin produced a 3-step plan (rotate → wait for App Service refresh → swap), showed me the exact az commands, and waited for me to type approve. Total time: 6 minutes 30 seconds, including the approval pause.

Outcome: Worked. The plugin caught one thing I would have missed — it reminded me that the Function App in the same resource group also references that secret and asked if I wanted to bounce it too. That is the kind of cross-cutting context that justifies the price tag.

Caveat: It tried to rotate the production secret on its first pass when I said "staging slot" because my Bicep names the resource kv-prod-001 (singular vault for both environments). I caught it before approving. Read the plan before you type approve — every time.

Test Scenario 2 — Bicep From Scratch For An Internal Tool

Task: Spin up a new internal billing dashboard — Static Web App, Container App for the API, Cosmos DB (serverless tier), Key Vault, Application Insights, all wired up with managed identities.

Old workflow: Crib from a previous Bicep file, find-and-replace names, hope I remembered to update the network rules. Usually 2-3 hours including the inevitable "why is the managed identity getting 403" debugging.

With Azure Skills Plugin: I described the resources in chat and asked it to generate the Bicep using our internal naming convention (which I had pasted into a .azureskills.md file at the repo root — the plugin reads this as project context). It produced 187 lines of Bicep across three modules, validated them, and identified two issues I had not asked about: the Container App was missing the system managed identity assignment for Cosmos, and the App Insights resource was using the deprecated microsoft.insights/components API version.

Outcome: Total time to deployable Bicep: 24 minutes, including my reviewing every block. About 4x faster than my old workflow, and with two real bugs caught before deploy.

Caveat: The Cosmos DB partition key it picked (/id) was technically correct but a terrible choice for our query patterns. The plugin does not know your read/write ratios. Always sanity-check the schema decisions, never the syntax decisions.

Test Scenario 3 — Cross-Repo Audit For TLS 1.0

Task: Internal security ask — "find every App Service across our subscription that still allows TLS 1.0 and produce a Bicep PR that bumps them to 1.2 minimum."

Old workflow: Honestly, I would have written a PowerShell script. Maybe 40-60 minutes if it was a clean day.

With Azure Skills Plugin: /azure audit tls-minimum --remediate. The plugin queried Resource Graph, returned 14 App Services with the issue, generated a single Bicep parameter file that updated all of them, and opened a draft pull request on Azure DevOps with the diff and a summary comment. End-to-end: 4 minutes 12 seconds.

Outcome: This is the one that converted me. Cross-cutting policy enforcement is exactly the workflow Copilot's general code completion does not help with, and where the Azure Skills Plugin earns its keep.

Caveat: Three of the 14 App Services were intentionally on 1.0 for a legacy partner integration. The plugin had no way to know that and would have happily broken production. The PR review still matters.

Honest Downsides

I am not going to pretend this was all wins. Three real limitations I hit:

1. Hallucination rate on Az CLI flags is still around 12%. Specifically on newer-ish commands like az containerapp env workload-profile, the plugin would invent flags that look plausible (--profile-name instead of --workload-profile-name). I caught most of them because the wrapped shell shows the command before running, but if you blind-approve you will hit failures.

2. The DevOps work item integration is half-baked. Reading work items works fine. Creating them produces oddly formatted titles ("[Bug] Fix the the issue with..." — yes, doubled words) and almost always assigns to the wrong area path. Microsoft has acknowledged this in their public roadmap; expect a fix in the 1.4 release.

3. Macbook / VS Code parity is incomplete. The /azure deploy skill on VS Code does not respect VS Code's terminal preference and always spawns a new pwsh window, which on macOS opens an Apple Terminal that may not have your shell config. Minor but annoying. Visual Studio on Windows is the first-class experience; everything else is downstream.

There is also a quieter issue I should mention: the plugin sends your project context (file paths, Bicep contents, recent diffs) to Microsoft's endpoints for the LLM call. This is the same data-handling story as Copilot Business itself, but if your org has not signed off on Copilot Business, this plugin does not change that calculus.

Third-Party Validation

Because three weeks of one developer's notebook is a small sample, I checked what others are saying:

  • Visual Studio Marketplace: 4.3/5 with 287 ratings as of this writing.
  • G2: Not yet listed as a standalone product — Microsoft has it bundled under GitHub Copilot's listing.
  • Reddit r/AZURE: Mixed-to-positive. Top complaint mirrors mine — hallucinated CLI flags. Top praise is the Resource Graph integration.
  • Hacker News thread (March 2026): 142 comments, mostly skeptical about the lock-in implications but acknowledging the productivity numbers.

If you want a contrarian read, the Tabnine vs GitHub Copilot comparison covers why some teams deliberately avoid Microsoft-stack AI tools for IP-control reasons. That is a legitimate concern that this plugin does not address.

Azure Skills Plugin vs The Alternatives

Quick rundown of how it slots against the four other tools I actively use.

Tool Best At Where Azure Skills Plugin Wins Where The Other Tool Wins
GitHub Copilot (base) Code completion, inline suggestions Azure resource operations, infra-as-code Pure code generation in any language
Cursor Multi-file agentic edits with model choice Production Azure operations (Cursor has no equivalent) Anything not Azure-shaped, model flexibility
Claude Code Long-context refactoring, planning Real Azure infrastructure operations Cross-language refactoring depth, agent reasoning
Augment Code Massive monorepo context Azure-specific tasks at any repo size Whole-repo semantic understanding
Windsurf Cascade agent for file orchestration Resource Graph queries and deploy operations Faster iteration on greenfield apps

The honest summary: Azure Skills Plugin is the only one of these that talks to Azure as a first-class citizen. Every other tool treats Azure as "files on disk that happen to be .bicep." If your day-to-day involves real Azure operations, that gap matters. If it does not, you are paying for capability you will never use.

For a head-to-head on the two most popular agentic editors right now, the Claude Code vs Cursor breakdown goes deeper than I can here.

Who Should Buy This (And Who Should Skip)

Buy if:

  • You deploy to Azure App Service, Container Apps, or Functions at least weekly.
  • Your team is already on Copilot Business or Enterprise — the marginal cost is zero.
  • You spend meaningful time on Azure Boards, Pipelines, or Key Vault.
  • Cross-cutting policy enforcement is a recurring task.

Skip if:

  • Your primary cloud is AWS or GCP. The Azure-shaped skills will not help, and there is no equivalent to "Resource Graph for AWS" in this plugin.
  • You are still on Copilot Individual ($10/mo). Upgrading to Business just to unlock this plugin is hard to justify unless the above use cases ring true.
  • You are evaluating AI coding tools from scratch — start with Copilot or Cursor and add this later if Azure ops are a real bottleneck.

Verdict

The Azure Skills Plugin solves a narrow problem unusually well. For the 30% of my weekly work that actually touches Azure operations — rotating secrets, scaffolding new infrastructure, auditing resources, opening cross-cutting PRs — it cut my time by 60-70% and caught real bugs I would have missed. For the other 70% of my work, it does nothing.

That is fine. Specialists win when they actually specialize. The mistake would be expecting this to replace your general coding assistant. It does not. It sits alongside one. If you can frame it that way — and your shop is Azure-heavy enough to justify the Copilot Business floor cost — it is a clear win.

I am keeping it installed on both machines. That is the most honest endorsement I can give a tool I have used for three weeks.

Frequently Asked Questions

Q: Does Azure Skills Plugin work without Copilot Business?

No. The plugin requires either Copilot Business ($19/user/mo) or Copilot Enterprise ($39/user/mo) — the Individual tier ($10/mo) cannot enable it. Microsoft has not announced plans to change this.

Q: Can it run Az CLI commands without my approval?

No, by design. Every command the plugin proposes shows in chat with the full argument list and waits for an explicit "approve" or similar confirmation before executing. You can configure auto-approve for read-only commands like az resource list but write operations always require approval.

Q: Does it work with Azure Government or sovereign clouds?

Partial support. Azure Government works as of the 1.3 release, but Resource Graph queries against sovereign clouds (Germany, China) currently return empty results. Microsoft's roadmap shows full sovereign cloud support in the 1.5 release.

Q: What data does the plugin send to Microsoft?

The same data Copilot Business sends — file context, prompts, and the project context file (.azureskills.md if present). It does not send your actual Azure secret values; secret operations are described by reference (vault name + secret name), and the plugin uses your local Azure identity to perform the operation locally.

Q: How does it compare to using the Az CLI directly with a general AI assistant?

The deterministic wrappers around az and bicep are the differentiator. A general AI assistant might write the right command but you have to copy it, run it, and interpret errors. The plugin runs the command in a guarded environment and feeds errors back into the chat loop. For repetitive operations, that loop closure is worth the cost.

Weekly AI dev-tools email

Hands-on AI tool picks for builders. Free, no spam.

Explore More:
ChatGPT Plus vs Claude ProGPT Image vs DALL·EKilo Code ReviewHolo3 ReviewAnthropic Founders PlaybookGoose AI Agent ReviewOpenAI Codex SecurityAI Coding Tools 2026

AI Product Research

In-depth SaaS teardowns · Copyable Scores

Read free sample →Browse all reports →
Free SEO Tools:
Schema GeneratorMeta AnalyzerRobots.txt TesterLLMs.txt GeneratorHreflang GeneratorOG Preview

Written by Jim Liu

Full-stack developer in Sydney. Hands-on AI tool reviews since 2022. Affiliate disclosure

Sponsored

Ad served by Adsterra. OpenAIToolsHub is not responsible for advertiser content.