diff --git a/package-lock.json b/package-lock.json
index 1796e82..1163da4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "azure-acme-provisioner",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "azure-acme-provisioner",
-      "version": "0.4.4",
+      "version": "0.4.5",
       "license": "MIT",
       "dependencies": {
         "@azure/arm-authorization": "^9.0.0",
diff --git a/package.json b/package.json
index f77cfd0..2b32f3e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "azure-acme-provisioner",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "author": {
     "name": "Sławomir Koszewski",
     "url": "https://github.com/skoszewski"
diff --git a/src/cli.ts b/src/cli.ts
index 233144a..272ccf1 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -58,6 +58,7 @@ sharedOptions(
   program
     .command('run', { isDefault: true })
     .description('Scan DNS zones and issue or renew certificates')
+    .usage('(--keyvault-name <name> | --keyvault-url <url>) --subscription-id <id> --resource-group <rg> --email <email> [options]')
     .option('--http <port>', 'Use HTTP-01 challenge on the given port instead of DNS-01')
     .option('--dry-run', 'Show what would be done without making changes')
 ).action(async (options: Record<string, unknown>) => {
@@ -72,6 +73,7 @@ sharedOptions(
   program
     .command('scan')
     .description('List all domains tagged for ACME management')
+    .usage('--subscription-id <id> --resource-group <rg> [options]')
     .option('--output <format>', 'Output format: table|json', 'table')
 ).action(async (options: Record<string, unknown>) => {
   applyOverrides(options);
@@ -94,6 +96,7 @@ sharedOptions(
   program
     .command('status')
     .description('Show certificate expiry status for all managed domains')
+    .usage('(--keyvault-name <name> | --keyvault-url <url>) --subscription-id <id> --resource-group <rg> [options]')
     .option('--output <format>', 'Output format: table|json', 'table')
 ).action(async (options: Record<string, unknown>) => {
   applyOverrides(options);
@@ -119,6 +122,7 @@ sharedOptions(
   program
     .command('renew <domain>')
     .description('Force-renew a certificate for a specific domain, bypassing the renewal threshold')
+    .usage('<domain> (--keyvault-name <name> | --keyvault-url <url>) --subscription-id <id> --resource-group <rg> --email <email> [options]')
     .option('--http <port>', 'Use HTTP-01 challenge on the given port instead of DNS-01')
 ).action(async (domain: string, options: Record<string, unknown>) => {
   applyOverrides(options);
@@ -136,6 +140,7 @@ sharedOptions(
   program
     .command('assign-role <fqdn>')
     .description('Assign Key Vault Certificate User and Secrets User roles to a principal for a domain certificate')
+    .usage('<fqdn> --principal-id <id> --principal-type <type> --keyvault-resource-group <rg> (--keyvault-name <name> | --keyvault-url <url>) --subscription-id <id> [options]')
     .requiredOption('--principal-id <id>', 'Azure principal ID to assign roles to')
     .requiredOption('--principal-type <type>', 'Principal type: User | Group | ServicePrincipal (use ServicePrincipal for managed identities)')
     .option('--dry-run', 'Show what would be assigned without making changes')
@@ -177,6 +182,7 @@ sharedOptions(
   program
     .command('download <domain>')
     .description('Download the PEM bundle (private key + certificate + chain) for a domain')
+    .usage('<domain> (--keyvault-name <name> | --keyvault-url <url>) [options]')
     .option('--output <file>', 'Write to file instead of stdout')
 ).action(async (domain: string, options: Record<string, unknown>) => {
   applyOverrides(options);