Azure Resource Graph
First blog post of 2021.
Towards the end of last year I discovered a gem known as Azure Resource Graph. In my day-to-day role as a cloud consultant for an Azure Expert MSP, more often than not I find myself having to run queries across multiple subscriptions, which is a somewhat time-consuming activity.
My de facto approach for the past few months had been to use Azure PowerShell and iterate through each subscription, grab the data that I need and export that data.
As one can imagine, iterating through subscriptions takes a considerable amount of time, especially when you're dealing with over a hundred Azure subscriptions.
The query language used by Azure Resource Graph is KQL. If you're familiar with Log Analytics and perhaps Azure Sentinel, you've probably come across KQL. Below is the tl;dr from Microsoft:
A Kusto query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model designed to make the syntax easy to read, author, and automate. The query uses schema entities that are organized in a hierarchy similar to SQL’s: databases, tables, and columns.
The query consists of a sequence of query statements, delimited by a semicolon (;), with at least one statement being a tabular expression statement which is a statement that produces data arranged in a table-like mesh of columns and rows. The query’s tabular expression statements produce the results of the query.
The syntax of the tabular expression statement has tabular data flow from one tabular query operator to another, starting with data source (e.g. a table in a database, or an operator that produces data) and then flowing through a set of data transformation operators that are bound together through the use of the pipe (|) delimiter.
Azure Resource Graph is used to power the search bar in the Azure portal as well as the All resources view. This service allows for querying at scale, and it delivers. It's lightning quick, very efficient and also supports Azure Lighthouse.
I have been using Azure Resource Graph for extracting orphaned resources (unattached NICs, unassociated disks and Public IPs) as well as Advisor recommendations.
One of the limitations of using Azure Advisor is that there is a hard limit of showing recommendations for no more than 60 subscriptions. In order to bypass that, one can make use of Azure Resource Graph.
I have listed 3 ways in which you can run your first query below:
Azure Resource Graph Explorer (Portal Experience)
An impressive feature of this service is that queries are structured the same way for each language.
You’ll want to search for Azure Resource Graph Explorer in the main search bar in the Azure Portal.
Once the Azure Resource Graph Explorer is in view you’ll notice tables and resource type reference on the left hand side. Below is a URL of the supported resource types:
Resources
| where type =~ 'Microsoft.Compute/disks'
| where properties.diskState =~ 'Unattached'
| project name, resourceGroup, subscriptionId, location, tenantId
In the above query we are querying the Resources table for disks whose state is Unattached, and lastly we use the project operator to specify which columns we would like returned.
If you need to export the results, guess what? There's a button for that: simply click on Download as CSV.
If you’re up for a challenge you can create an Azure Function that runs that query periodically and sends an email or posts a message in a Teams channel.
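The same kind of query can also be run from Azure PowerShell in a single call instead of a per-subscription loop. The script below is an added example, not code from the original post; it extends the disk query to the unattached NICs and unassociated public IPs mentioned earlier. It assumes the Az.ResourceGraph module and an authenticated session; the NIC and public IP conditions and the output file name are assumptions, since the post only shows the disk condition.

```powershell
# Added example. Assumes: Install-Module Az.ResourceGraph; Connect-AzAccount already run.
# Single-quoted here-string so PowerShell does not expand anything inside the KQL.
$query = @'
Resources
| where type in~ ('microsoft.compute/disks',
                  'microsoft.network/networkinterfaces',
                  'microsoft.network/publicipaddresses')
| extend orphanReason = case(
    type =~ 'microsoft.compute/disks'
        and properties.diskState =~ 'Unattached', 'Unattached disk',
    // Assumed condition: a NIC with no VM and no private endpoint behind it
    type =~ 'microsoft.network/networkinterfaces'
        and isnull(properties.virtualMachine)
        and isnull(properties.privateEndpoint), 'Unattached NIC',
    // Assumed condition: a public IP bound to neither an IP configuration nor a NAT gateway
    type =~ 'microsoft.network/publicipaddresses'
        and isnull(properties.ipConfiguration)
        and isnull(properties.natGateway), 'Unassociated public IP',
    '')
| where isnotempty(orphanReason)
// id must be projected, otherwise Resource Graph returns no skip token for paging
| project id, orphanReason, name, type, resourceGroup, subscriptionId, location, tenantId
| order by subscriptionId asc, name asc
'@

$results   = [System.Collections.Generic.List[object]]::new()
$skipToken = $null

do {
    # 1000 rows is the largest page Search-AzGraph returns per call
    $params = @{ Query = $query; First = 1000 }
    if ($skipToken) { $params.SkipToken = $skipToken }

    # Add -Subscription or -ManagementGroup to $params to narrow the scope
    $page = Search-AzGraph @params
    foreach ($row in $page.Data) { $results.Add($row) }

    $skipToken = $page.SkipToken
} while ($skipToken)

# Count per category, then export the full list (file name is a placeholder)
$results | Group-Object orphanReason | Select-Object Name, Count
$results | Export-Csv -Path ./orphaned-resources.csv -NoTypeInformation
```

Unassociated public IPs and unattached disks are worth reviewing beyond cost: the former are exposed addresses nobody is watching, the latter may still hold data from a deleted VM.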
Useful Resources:
Azure Resource Graph