

In his October 2019 webinar "The easiest, most efficient way to manage Azure subscriptions at scale," solutions architect and Microsoft MVP Stephane Lapointe (@s_lapointe) goes over the basics of Azure Resource Graph and shows you how to leverage it to streamline your subscription management and governance duties.
The previous method for querying subscriptions used Azure Resource Manager. With this method, you need to go through each subscription one at a time, so it’s a time-consuming, iterative process. If you have hundreds or thousands of subscriptions, this can quickly become a full-time job.
Get subscription list, change context, query, rinse and repeat. It’s a painful process.
Stephane Lapointe on querying subscriptions before ARG
Azure Resource Graph was designed to extend Azure Resource Manager capabilities.
Azure Resource Graph enables efficient, high-performance resource exploration by giving you the ability to query at scale across a set of subscriptions. It gives you unprecedented visibility over your resources, regardless of which subscription they belong to. You can also use it extensively in conjunction with Azure Policy.
Azure Resource Graph is based on Azure Data Explorer. It gives you better visibility across your cloud resources and enables powerful querying to gain deeper insights on your environment, as well as:
It’s blazing fast.
Stephane Lapointe on querying with Azure Resource Graph
The query language you’ll use with Azure Resource Graph is based on Kusto query language, which is also used by Azure Data Explorer.
Full list of string operators in the official documentation.
| Operator | Description | Case-sensitive? | Example (yields true) |
| --- | --- | --- | --- |
| == | Equals | Yes | "aBc" == "aBc" |
| != | Not equals | Yes | "abc" != "ABC" |
| =~ | Equals | No | "abc" =~ "ABC" |
| !~ | Not equals | No | "aBc" !~ "xyz" |
| contains | RHS occurs as a subsequence of LHS | No | "FabriKam" contains "BRik" |
| matches regex | LHS contains a match for RHS | Yes | "Fabrikam" matches regex "b.*k" |
Filters to the subset of rows that satisfies a predicate. More about the where operator.
Select the new columns to include, rename, or drop, and insert newly computed columns. More about the project operator.
Create calculated columns and append them to the result set. More about the extend operator.
Produces a table aggregating the content of the input table. More about the summarize operator.
Use tags.name or tags['name'] to query tags on resources.
Microsoft released tables for Resource Graph just last week. Read more in the official documentation.
Here are the four main tables you can work with:
Microsoft.AlertsManagement.
Microsoft.Security.
You can use PowerShell and Azure CLI to perform Azure Resource Graph queries.
Full instructions for using Azure Resource Graph with PowerShell
Full instructions for using Azure Resource Graph with Azure CLI
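The contrast between the two approaches, as an added example that is not from the webinar: the per-subscription loop next to a single Resource Graph query, using the `where`, `extend`, `project` and `summarize` operators and the `tags['name']` syntax described above. It assumes the Az.Accounts, Az.Storage and Az.ResourceGraph modules and an already authenticated session; the `owner` tag name and the output file name are hypothetical.

```powershell
# Added example: assumes Az.Accounts, Az.Storage and Az.ResourceGraph are installed
# and Connect-AzAccount has already been run. The 'owner' tag name is hypothetical.

# Before Resource Graph: get subscription list, change context, query, repeat.
$legacy = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Get-AzStorageAccount |
        Where-Object { -not $_.EnableHttpsTrafficOnly } |
        Select-Object @{ n = 'subscriptionId'; e = { $sub.Id } },
                      ResourceGroupName, StorageAccountName
}

# With Resource Graph: one query over every subscription the caller can read.
# Finds storage accounts that still accept plain HTTP and shows who owns them.
$httpQuery = @'
Resources
| where type =~ 'microsoft.storage/storageaccounts'
| where tobool(properties.supportsHttpsTrafficOnly) == false
| extend owner = tostring(tags['owner'])
| project subscriptionId, resourceGroup, name, location, owner
'@
$findings = Search-AzGraph -Query $httpQuery -First 1000

# Governance roll-up: resources with no 'owner' tag, counted per subscription.
$untaggedQuery = @'
Resources
| where isempty(tostring(tags['owner']))
| summarize missingOwner = count() by subscriptionId
| order by missingOwner desc
'@
$untagged = Search-AzGraph -Query $untaggedQuery -First 1000

# Keep the findings for review (hypothetical file name).
$findings | Export-Csv -Path .\http-storage-accounts.csv -NoTypeInformation
$untagged | Format-Table subscriptionId, missingOwner
```

Results are limited to the subscriptions the signed-in identity can read, so run the query with a reader role scoped to everything you intend to audit.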
One of the best things about Resource Graph is the fact that you can easily turn Azure Resource Graph queries into policy rules. Check out the ConvertToPolicy utility on GitHub to easily convert queries into policy rules.
You can also test the impact of an Azure Policy thanks to Azure Resource Graph (more on that in an upcoming post!).
If you still have questions, feel free to leave them in the comments!
Q. Is Resource Graph only useful for a large number of subscriptions? How can it be used on a smaller number of subscriptions?
A. Even if you only have one subscription, Azure Resource Graph can definitely be of use and save you time. If you need to go deep inside your resources’ properties, you’ll need to do it programmatically anyway – either with PowerShell, CLI, or the more limited Portal. With Resource Graph, however, one of the great things is that you can export your results as a CSV in a snap without having to script anything.
Q. What are some other applications for Azure Resource Graph? Can you use it to query the price of resources?
A. No, you cannot use Azure Resource Graph to query the price of resources. Some concrete applications off the top of my head include identifying expired certificates and automating a ton of preventative actions. It also helps visualize the impact of an Azure Policy. Any time you need visibility over your resources, Azure Resource Graph is the way to go. You can also query for changes on a resource (i.e. you have a deployment and your website settings change – practical for troubleshooting in production).
Q. Is it possible to restrict users or roles for resource creation via Azure Resource Graph?
A. This is usually controlled by RBAC (role-based access control).
Q. What are the top limitations of Azure Resource Graph?
A. Azure Resource Graph has come a long way in the year and a half I’ve been using it. However, some resources aren’t yet supported: you can’t currently query against containers or SQL server firewall rules, for instance, as they’re sub-resources.
Q. Is there an online repository for code snippets?
A. There are several great scripts on Microsoft’s Script Center (like this one I wrote, which lists outbound IP addresses for App Service web apps), but they aren’t entirely Resource Graph related. Have a look around!