1# Azure Quick Review Compliance Assessment
2 
3This skill enables comprehensive Azure compliance assessments using Azure Quick Review (azqr), analyzing findings against Azure best practices, and providing actionable remediation guidance.
4 
5## Prerequisites
6 
7- **Azure authentication** - Logged in via Azure CLI (`az login`) or using Service Principal/Managed Identity
8- **Reader permissions** - Minimum Reader role on target subscription or management group
9 
10## Assessment Workflow
11 
12### Step 1: Determine Scan Scope
13 
14Ask the user or detect from context:
15 
16| Scope | Use Case | Required Info |
17|-------|----------|---------------|
18| Subscription | Full subscription assessment | Subscription ID |
19| Resource Group | Targeted assessment | Subscription ID + Resource Group name |
20| Management Group | Enterprise-wide assessment | Management Group ID |
21| Specific Service | Deep-dive on one resource type | Subscription ID + Service abbreviation |
22 
23### Step 2: Run Compliance Scan
24 
25Use the Azure MCP tool to run the scan:
26 
27```
28mcp_azure_mcp_extension_azqr
29  subscription: <subscription-id>
30  resource-group: <optional-rg-name>
31```
32 
33### Step 3: Analyze Scan Results
34 
35The scan produces an Excel file with these sheets:
36 
37| Sheet | Contents | Priority |
38|-------|----------|----------|
39| **Recommendations** | All recommendations with impacted resource count | High |
40| **ImpactedResources** | Resources with specific issues to address | High |
41| **Inventory** | All scanned resources with SKU, Tier, SLA details | Medium |
42| **Advisor** | Azure Advisor recommendations | Medium |
43| **DefenderRecommendations** | Microsoft Defender for Cloud findings | High |
44| **Azure Policy** | Non-compliant resources per Azure Policy | Medium |
45| **Costs** | 3-month cost history by subscription | Low |
46| **Defender** | Defender plan status and tiers | Medium |
47| **OutOfScope** | Resources not scanned | Low |
48 
49**Focus analysis on:**
501. High-severity recommendations from ImpactedResources
512. Defender recommendations (security-critical)
523. Advisor recommendations (reliability/performance)
534. Policy non-compliance (governance)
54 
55### Step 4: Categorize Findings
56 
57Group findings by category for prioritized remediation:
58 
59| Category | Examples | Severity |
60|----------|----------|----------|
61| **Security** | Public endpoints, missing encryption, no private endpoints | Critical |
62| **Reliability** | No zone redundancy, single instance, no backup | High |
63| **Performance** | Undersized SKUs, missing caching, no CDN | Medium |
64| **Cost** | Orphaned resources, oversized SKUs, unused reservations | Medium |
65| **Operations** | Missing diagnostics, no alerts, no tags | Low |
66 
67### Step 5: Generate Remediation Guidance
68 
69For each high-priority finding:
701. Explain the risk in plain language
712. Provide remediation options (Portal, CLI, Bicep)
723. Estimate effort and impact
73 
74See [azqr-remediation-patterns.md](azqr-remediation-patterns.md) for common fix templates.
75 
76### Step 6: Present Summary
77 
78Provide a structured summary:
79 
80```markdown
81## Compliance Assessment Summary
82 
83**Scope:** [Subscription/RG/MG name]
84**Scanned:** [Date/Time]
85**Resources Analyzed:** [Count]
86 
87### Key Findings
88 
89| Severity | Count | Top Issues |
90|----------|-------|------------|
91| Critical | X | [List top 3] |
92| High | X | [List top 3] |
93| Medium | X | [List top 3] |
94 
95### Recommended Actions
96 
971. **[Issue]** - [Brief remediation]
982. **[Issue]** - [Brief remediation]
993. **[Issue]** - [Brief remediation]
100 
101### Next Steps
102- [ ] Address critical security findings
103- [ ] Review and remediate high-severity items
104- [ ] Schedule follow-up scan to verify fixes
105```
106 
107## Supported Azure Services
108 
109azqr supports 70+ Azure resource types including:
110 
111- Azure Kubernetes Service (AKS)
112- API Management
113- App Configuration
114- App Service
115- Container Apps
116- Cosmos DB
117- Container Registry
118- Key Vault
119- Load Balancer
120- Azure Database for MySQL
121- Azure Database for PostgreSQL
122- Azure Cache for Redis
123- Service Bus
124- Azure SQL Database
125- Storage Accounts
126- Virtual Machines
127- Virtual Networks
128 
129## Tools Used
130 
131| Tool | Purpose |
132|------|---------|
133| `mcp_azure_mcp_extension_azqr` | Run azqr scans via Azure MCP |
134| `mcp_azure_mcp_subscription_list` | List available subscriptions |
135| `mcp_azure_mcp_group_list` | List resource groups in subscription |
136 
137## Troubleshooting
138 
139| Issue | Symptom | Solution |
140|-------|---------|----------|
141| Permission denied | 403 errors during scan | Verify Reader role on scope |
142| Not authenticated | `AADSTS` errors | Run `az login` first |
143| Slow scan | Scan takes very long | Use resource group scope |
144 
145## Example Prompts
146 
147- "Check my Azure subscription for compliance issues"
148- "Run azqr on my production resource group"
149- "What Azure resources don't follow best practices?"
150- "Assess my storage accounts for security issues"
151 
152## Reference Documentation
153 
154- [Recommendation Categories](azqr-recommendations.md)
155- [Remediation Patterns](azqr-remediation-patterns.md)
156- [Azure Quick Review Documentation](https://azure.github.io/azqr/docs/)
157- [Azure Proactive Resiliency Library](https://aka.ms/aprl)
158