[Webinar recording] Getting started with Azure Resource Graph

Published on October 22, 2019

In his October 2019 webinar The easiest, most efficient way to manage Azure subscriptions at scale, solutions architect and Microsoft MVP Stephane Lapointe (@s_lapointe) goes over the basics of Azure Resource Graph and shows you how to leverage it to streamline your subscription management and governance duties.

Watch the recording 🎬

Get the slides at SlideShare

Webinar recap

Managing Azure at scale: the old way

The previous method for querying subscriptions used Azure Resource Manager. With this method, you need to go through each subscription one at a time, so it's a time-consuming, iterative process. If you have hundreds or thousands of subscriptions, this can quickly become a full-time job.

Get subscription list, change context, query, rinse and repeat. It's a painful process.

Stephane Lapointe on querying subscriptions before ARG

Say hello to Azure Resource Graph

Azure Resource Graph was designed to extend Azure Resource Manager capabilities.

Azure Resource Graph enables efficient, high-performance resource exploration by giving you the ability to query at scale across a set of subscriptions. It gives you unprecedented visibility over your resources, regardless of which subscription they belong to. You can also use it extensively in conjunction with Azure Policy.

What is Azure Resource Graph, and what's it for?

Azure Resource Graph is based on Azure Data Explorer. It gives you better visibility across your cloud resources and enables powerful querying to gain deeper insights on your environment, as well as:

  • Rich aggregation and parsing of granular properties
  • Tracking changes made to resource properties
  • Support for Azure Delegated Resource Management (Azure Lighthouse), which is great for CSPs and others managing multiple tenants
  • Assessing the impact of policies

It's blazing fast.

Stephane Lapointe on querying with Azure Resource Graph

Azure Resource Graph query syntax and basics

The query language you'll use with Azure Resource Graph is based on Kusto query language, which is also used by Azure Data Explorer.

Nice to know

  • Queries are read-only and have a refresh frequency of around 15 seconds
  • Not all resource types are supported in Azure Resource Graph queries
  • You'll likely need to implement a paging mechanism if you have more than 1000 subscriptions (the current Resource Graph limit) or a very large result set
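One way to build the paging mechanism mentioned in the last point, as an added example that is not from the webinar or from Microsoft's documentation. It assumes a current Az.ResourceGraph module, where the Search-AzGraph response exposes Data and SkipToken, and an authenticated session; the query itself is a constructed inventory query.

```powershell
# Added example: page through a large result set across many subscriptions.
# Assumes Connect-AzAccount has already been run.

# The query must project "id", otherwise no skip token is returned.
# Ordering by id keeps the pages stable between requests.
$query = 'Resources | project id, name, type, location, subscriptionId | order by id asc'

$subscriptionIds = @((Get-AzSubscription).Id)
$batchSize = 1000   # subscriptions per query (the limit named above)
$pageSize  = 1000   # rows requested per call
$results   = [System.Collections.Generic.List[object]]::new()

for ($i = 0; $i -lt $subscriptionIds.Count; $i += $batchSize) {
    # Outer loop: one batch of at most $batchSize subscriptions.
    $end   = [Math]::Min($i + $batchSize, $subscriptionIds.Count) - 1
    $batch = $subscriptionIds[$i..$end]

    $skipToken = $null
    do {
        # Inner loop: follow the skip token until the batch is exhausted.
        $params = @{ Query = $query; Subscription = $batch; First = $pageSize }
        if ($skipToken) { $params.SkipToken = $skipToken }

        $page = Search-AzGraph @params
        foreach ($row in $page.Data) { $results.Add($row) }
        $skipToken = $page.SkipToken
    } while ($skipToken)
}

Write-Host "Collected $($results.Count) resources from $($subscriptionIds.Count) subscriptions"
# $results can now be exported, for example with Export-Csv.
```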

String operators overview

Full list of string operators in the official documentation.

| Operator | Description | Case-sensitive? | Example (yields true) |
|---|---|---|---|
| == | Equals | Yes | "aBc" == "aBc" |
| != | Not equals | Yes | "abc" != "ABC" |
| =~ | Equals | No | "abc" =~ "ABC" |
| !~ | Not equals | No | "aBc" !~ "xyz" |
| contains | RHS occurs as a subsequence of LHS | No | "FabriKam" contains "BRik" |
| matches regex | LHS contains a match for RHS | Yes | "Fabrikam" matches regex "b.*k" |

Tabular operators

Where

Filters to the subset of rows that satisfies a predicate. More about the where operator.

Project

Select the new columns to include, rename, or drop, and insert newly computed columns. More about the project operator.

An example project operator in an Azure Resource Graph query

Extend

Create calculated columns and append them to the result set. More about the extend operator.

An example extend operator in an Azure Resource Graph query

Summarize

Produces a table aggregating the content of the input table. More about the summarize operator.

An example summarize operator in an Azure Resource Graph query

Querying over tags

Use tags.name or tags['name'] to query tags on resources.

An example tag query in Azure Resource Graph

Fresh off the presses: Azure Resource Graph tables

Microsoft released tables for Resource Graph just last week. Read more in the official documentation.

Here are the four main tables you can work with:

  • Resources. This is the default table if none is defined in the query. Most Resource Manager resource types and properties are here.
  • ResourceContainers. Includes subscription and resource group resource types and data.
  • AlertsManagementResources. Includes resources related to Microsoft.AlertsManagement.
  • SecurityResources. Includes resources related to Microsoft.Security.

Azure Resource Graph outside the portal

You can use PowerShell and Azure CLI to perform Azure Resource Graph queries.

How to use Azure Resource Graph in PowerShell

  1. Install Az modules
  2. Install Az.ResourceGraph module
  3. Use Search-AzGraph cmdlet

Full instructions for using Azure Resource Graph with PowerShell
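The three steps above, followed by the where, project, extend, summarize and tag operators from the query basics section run through Search-AzGraph. This is an added example, not the queries shown in the webinar; the tag name "environment" and its values are assumptions, and reading rows from .Data assumes a current Az.ResourceGraph module.

```powershell
# Steps 1-2: install the modules once, then sign in.
Install-Module -Name Az -Scope CurrentUser
Install-Module -Name Az.ResourceGraph -Scope CurrentUser
Connect-AzAccount

# Step 3: queries keyed by the operators they illustrate.
$queries = [ordered]@{
    # where + project: storage accounts that do not enforce HTTPS-only traffic.
    'where / project' = @'
Resources
| where type =~ 'microsoft.storage/storageaccounts'
| where tobool(properties.supportsHttpsTrafficOnly) == false
| project name, resourceGroup, subscriptionId, location
'@
    # extend + summarize: virtual machines counted by OS type.
    'extend / summarize' = @'
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend os = tostring(properties.storageProfile.osDisk.osType)
| summarize vmCount = count() by os
'@
    # tags: both notations from the recap (tag name and values are assumptions).
    'tags' = @'
Resources
| where tags.environment =~ 'production' or tags['environment'] =~ 'prod'
| project name, type, resourceGroup, environment = tostring(tags.environment)
'@
}

foreach ($entry in $queries.GetEnumerator()) {
    Write-Host "--- $($entry.Key)"
    # .Data holds the result rows; -First caps how many are returned.
    (Search-AzGraph -Query $entry.Value -First 100).Data | Format-Table -AutoSize
}
```

Without -Subscription, Search-AzGraph queries the subscriptions available to the signed-in account, so one call covers all of them.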

How to use Azure Resource Graph in Azure CLI

  1. Install Azure CLI
  2. Install the resource-graph extension
  3. Use the az graph query command

Full instructions for using Azure Resource Graph with Azure CLI

Azure Resource Graph and Azure Policy

One of the best things about Resource Graph is the fact that you can easily turn Azure Resource Graph queries into policy rules. Check out the ConvertToPolicy utility on GitHub to easily convert queries into policy rules.

You can also test the impact of an Azure Policy thanks to Azure Resource Graph (more on that in an upcoming post!).

Azure Resource Graph Q&A with Stephane Lapointe

If you still have questions, feel free to leave them in the comments!

Q. Is Resource Graph only useful for a large number of subscriptions? How can it be used on a smaller number of subscriptions?
A. Even if you only have one subscription, Azure Resource Graph can definitely be of use and save you time. If you need to go deep inside your resources' properties, you'll need to do it programmatically anyway - either with PowerShell, CLI, or the more limited Portal. With Resource Graph, however, one of the great things is that you can export your results as a CSV in a snap without having to script anything.

Q. What are some other applications for Azure Resource Graph? Can you use it to query the price of resources?
A. No, you cannot use Azure Resource Graph to query the price of resources. Some concrete applications off the top of my head include identifying expired certificates and automating a ton of preventative actions. It also helps visualize the impact of an Azure Policy. Any time you need visibility over your resources, Azure Resource Graph is the way to go. You can also query for changes on a resource (i.e. you have a deployment and your website settings change - practical for troubleshooting in production).

Q. Is it possible to restrict users or roles for resource creation via Azure Resource Graph?
A. This is usually controlled by RBAC (role-based access control).

Q. What are the top limitations of Azure Resource Graph?
A. Azure Resource Graph has come a long way in the year and a half I've been using it. However, some resources aren't yet supported: you can't currently query against containers or SQL server firewall rules, for instance, as they're sub-resources.

Q. Is there an online repository for code snippets?
A. There are several great scripts on Microsoft's Script Center (like this one I wrote, which lists outbound IP addresses for App Service web apps), but they aren't entirely Resource Graph related. Have a look around!

