Published on October 22, 2019
In his October 2019 webinar The easiest, most efficient way to manage Azure subscriptions at scale, solutions architect and Microsoft MVP Stephane Lapointe (@s_lapointe) goes over the basics of Azure Resource Graph and shows you how to leverage it to streamline your subscription management and governance duties.
Watch the recording 🎬
Webinar recap
- Managing Azure at scale: the old way
- Say hello to Azure Resource Graph
- Query syntax and basics
- Azure Resource Graph outside the portal
- Azure Resource Graph and Azure Policy
- Azure Resource Graph Q&A
Managing Azure at scale: the old way
The previous method for querying subscriptions used Azure Resource Manager. With this method, you need to go through each subscription one at a time, so it's a time-consuming, iterative process. If you have hundreds or thousands of subscriptions, this can quickly become a full-time job.
Get subscription list, change context, query, rinse and repeat. It's a painful process.
Stephane Lapointe on querying subscriptions before ARG
Say hello to Azure Resource Graph
Azure Resource Graph was designed to to extend Azure Resource Manager capabilities.
Azure Resource Graph enables efficient, high-performance resource exploration by giving you the ability to query at scale across a set of subscriptions. It gives you unprecedented visibility over your resources, regardless of which subscription they belong to. You can also use it extensively in conjunction with Azure Policy.
What is Azure Resource Graph, and what's it for?
Azure Resource Graph is based on Azure Data Explorer. It gives you better visibility across your cloud resources and enables powerful querying to gain deeper insights on your environment, as well as:
- Rich aggregation and parsing of granular properties
- Tracking changes made to resource properties
- Support for Azure Delegated Resource Management (Azure Lighthouse), which is great for CSPs and others managing multiple tenants
- Assess the impact of policies
It's blazing fast.
Stephane Lapointe on querying with Azure Resource Graph
Azure Resource Graph query syntax and basics
The query language you'll use with Azure Resource Graph is based on Kusto query language, which is also used by Azure Data Explorer.
Nice to know
- Queries are read-only and have a refresh frequency of around 15 seconds
- Not all resource types are supported in Azure Resource Graph queries
- You'll likely need to implement a paging mechanism if you have more than 1000 subscriptions (the current Resource graph limit) or a very large result set
String operators overview
Full list of string operators in the official documentation.
| Operator | Description | Case-sensitive? | Example (yields true) |
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
contains | RHS occurs as a subsequence of LHS | No | "FabriKam" contains "BRik" |
matches regex | LHS contains a match for RHS | Yes | "Fabrikam" matches regex "b.*k" |
Tabular operators
Where
Filters to the subset of rows that satisfies a predicate. More about the where operator.
Project
Select the new columns to include, rename, or drop, and insert newly computed columns. More about the project operator.
Extend
Create calculated columns and append them to the result set. More about the extend operator.
Summarize
Produces a table aggregating the content of the input table. More about the summarize operator.
Querying over tags
Use tags.name or tags['name'] to query tags on resources.
Fresh off the presses: Azure Resource Graph tables
Microsoft released tables for Resource Graph just last week. Read more in the official documentation.
Here are the four main tables you can work with:
- Resources. This is the default table if none defined in the query. Most Resource Manager resource types and properties are here.
- ResourceContainers. Includes subscription and resource group resource types and data.
- AlertsManagementResources. Includes resources related to
Microsoft.AlertsManagement. - SecurityResources. Includes resources related to
Microsoft.Security.
Azure Resource Graph outside the portal
You can use PowerShell and Azure CLI to perform Azure Resource Graph queries.
How to use Azure Resource Graph in PowerShell
- Install Az modules
- Install Az.ResourceGraph module
- Use Search-AzGraph cmdlet
Full instructions for using Azure Resource Graph with PowerShell
How to use Azure Resource Graph in Azure CLI
- Install Azure CLI
- Install the resource-graph extension
- Use the az graph query
Full instructions for using Azure Resource Graph with Azure CLI
Azure Resource Graph and Azure Policy
One of the best things about Resource Graph is the fact that you can easily turn Azure Resource Graph queries into policy rules. Check out the ConvertToPolicy utility on GitHub to easily convert queries into policy rules.
You can also test the impact of an Azure Policy thanks to Azure Resource Graph (more on that in an upcoming post!).
Azure Resource Graph Q&A with Stephane Lapointe
If you still have questions, feel free to leave them in the comments!
Q. Is Resource Graph only useful for a large number of subscriptions? How can it be used on a smaller number of subscriptions?
A. Even if you only have one subscription, Azure Resource Graph can definitely be of use and save you time. If you need to go deep inside your resources' properties, you'll need to do it programatically anyway - either with PowerShell, CLI, or the more limited Portal. With Resource Graph, however, one of the great things is that you can export your results as a CSV in a snap without having to script anything.
Q. What are some other applications for Azure Resource Graph? Can you use it to query the price of resources?
A. No, you cannot use Azure Resource Graph to query the price of resources. Some concrete applications off the top of my head include identifying expired certificates and automating a ton of preventative actions. It also helps visualize the impact of an Azure Policy. Any time you need visibility over your resources, Azure Resource Graph is the way to go. You can also query for changes on a resource (i.e. you have a deployment and your website settings change - practical for troubleshooting in production).
A. Is it possible to restrict users or roles for resource creation via Azure Resource Graph?
Q. This is usually controlled by RBAC (role-based access control).
Q. What are the top limitations of Azure Resource Graph?
A. Azure Resource Graph has come a long way in the year and a half I've been using it. However, some resources aren't yet supported: you can't currently query against containers or SQL server firewall rules, for instance, as they're sub-resources.
Q. Is there an online repository for code snippets?
A. There are several great scripts on Microsoft's Script Center (like this one I wrote, which lists outbound IP addresses for App Service web apps), but they aren't entirely Resource Graph related. Have a look around!
Optimize your Azure environment for big savings
Looking for ways to save money on Azure? The Ultimate Azure cost optimization checklist for cloud teams will help you thoroughly audit your environment for sources of wasted spend.