Assess and enforce Azure compliance requirements including policies, regulatory standards, and security baselines
references/azure-resource-graph.md
# Azure Resource Graph Queries for Compliance Auditing

Azure Resource Graph (ARG) enables fast, cross-subscription resource querying using KQL via `az graph query`. Use it for compliance scanning, tag audits, and configuration validation.

## How to Query

Use the `extension_cli_generate` MCP tool to generate `az graph query` commands:

```yaml
mcp_azure_mcp_extension_cli_generate
intent: "query Azure Resource Graph to <describe what you want to audit>"
cli-type: "az"
```

Or construct directly:

```bash
az graph query -q "<KQL>" --query "data[].{name:name, type:type}" -o table
```

> ⚠️ **Prerequisite:** `az extension add --name resource-graph`

## Key Tables

| Table | Contains |
|-------|----------|
| `Resources` | All ARM resources (name, type, location, properties, tags) |
| `ResourceContainers` | Subscriptions, resource groups, management groups |
| `AuthorizationResources` | Role assignments and role definitions |
| `AdvisorResources` | Azure Advisor recommendations |

## Compliance Query Patterns

**Find resources missing a required tag:**

```kql
Resources
| where isnull(tags['Environment']) or isnull(tags['CostCenter'])
| project name, type, resourceGroup, tags
```

**Tag coverage analysis:**

```kql
Resources
| extend hasEnvTag = isnotnull(tags['Environment'])
| summarize total=count(), tagged=countif(hasEnvTag) by type
| extend coverage=round(100.0 * tagged / total, 1)
| order by coverage asc
```

**Find storage accounts without HTTPS enforcement:**

```kql
Resources
| where type =~ 'microsoft.storage/storageaccounts'
| where properties.supportsHttpsTrafficOnly == false
| project name, resourceGroup, location
```

**Find resources with public network access enabled:**

```kql
Resources
| where properties.publicNetworkAccess =~ 'Enabled'
| project name, type, resourceGroup, location
```

**Query role assignments across subscriptions:**

```kql
AuthorizationResources
| where type == 'microsoft.authorization/roleassignments'
| extend principalType = tostring(properties.principalType)
| summarize count() by principalType
```

**Find resource groups without locks:**

```kql
ResourceContainers
| where type == 'microsoft.resources/subscriptions/resourcegroups'
| project rgName=name, rgId=id
| join kind=leftanti (
    Resources
    | where type == 'microsoft.authorization/locks'
    | project rgId=tostring(properties.resourceId)
) on rgId
```

## Tips

- Use `=~` for case-insensitive type matching (resource types are lowercase)
- Navigate properties with `properties.fieldName`
- Use `--first N` to limit result count
- Use `--subscriptions` to scope to specific subscriptions
- Combine with `AdvisorResources` for security recommendations
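
The tag, HTTPS and public-access patterns above only return rows where the property is present with the exact key or value tested. The following added example (not part of the original file) re-evaluates exported rows so that a differently cased tag key is not reported as missing and an absent property is reported as `unknown` instead of silently passing. The function names, the three-state result and the sample rows are assumptions made for illustration; the sample is constructed in the shape `az graph query ... -o json` returns.

```python
import json

# Constructed sample, shaped like `az graph query -q "Resources | project
# name, type, tags, properties" -o json` output (not real tenant data).
SAMPLE = json.loads("""
{"count": 3, "total_records": 3, "skip_token": null, "data": [
 {"name": "stlogs01", "type": "microsoft.storage/storageaccounts",
  "tags": {"environment": "prod", "CostCenter": "1234"},
  "properties": {"supportsHttpsTrafficOnly": false, "publicNetworkAccess": "Enabled"}},
 {"name": "stdata02", "type": "Microsoft.Storage/storageAccounts", "tags": null,
  "properties": {"supportsHttpsTrafficOnly": true}},
 {"name": "kv-app", "type": "microsoft.keyvault/vaults",
  "tags": {"Environment": "dev", "CostCenter": "9"},
  "properties": {"publicNetworkAccess": "Disabled"}}
]}
""")

REQUIRED_TAGS = ("Environment", "CostCenter")  # tag names from the page's query

def missing_tags(res):
    # Azure tag names are case-insensitive; tags['Environment'] in KQL is not,
    # so compare lower-cased keys to avoid flagging 'environment' as missing.
    present = {k.lower() for k in (res.get("tags") or {})}
    return [t for t in REQUIRED_TAGS if t.lower() not in present]

def https_state(res):
    if res["type"].lower() != "microsoft.storage/storageaccounts":
        return "n/a"
    value = (res.get("properties") or {}).get("supportsHttpsTrafficOnly")
    return "unknown" if value is None else ("pass" if value else "fail")

def public_access_state(res):
    # An absent property never matches `=~ 'Enabled'`; this example's policy
    # (an assumption) is to send such rows to review rather than pass them.
    value = (res.get("properties") or {}).get("publicNetworkAccess")
    if value is None:
        return "unknown"
    return "fail" if str(value).lower() == "enabled" else "pass"

def audit(result):
    # Map resource name -> list of findings; clean resources are omitted.
    report = {}
    for res in result["data"]:
        issues = [f"missing tag {t}" for t in missing_tags(res)]
        for check, state in (("https", https_state(res)),
                             ("public-access", public_access_state(res))):
            if state in ("fail", "unknown"):
                issues.append(f"{check}: {state}")
        if issues:
            report[res["name"]] = issues
    return report
```

Feed `audit()` the parsed JSON from a real export and fail the pipeline when the returned mapping is non-empty; `unknown` entries need a per-resource-type decision, since not every type reports these properties.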