Function AzAKSNodePoolInfo-Query-AzARG { $Query = @" Resources | where type == "microsoft.containerservice/managedclusters" | extend properties.agentPoolProfiles | project subscriptionId, name, nodePool = properties.agentPoolProfiles | mv-expand nodePool | project subscriptionId, name, sku = nodePool.vmSize, count = nodePool.['count'], powerState = nodePool.powerState.code "@ Return $Query } Function AzAppServiceDetailed-Query-AzARG { $Query = @" resources | where type has 'microsoft.web' or type =~ 'microsoft.apimanagement/service' or type =~ '' or type =~ '' or type =~ 'microsoft.appconfiguration/configurationstores' | extend type = case( type == 'microsoft.web/serverfarms', "App Service Plans", kind == 'functionapp', "Azure Functions", kind == "api", "API Apps", type == 'microsoft.web/sites', "App Services", type =~ '', 'App Gateways', type =~ '', 'Front Door', type =~ 'microsoft.apimanagement/service', 'API Management', type =~ 'microsoft.web/certificates', 'App Certificates', type =~ 'microsoft.appconfiguration/configurationstores', 'App Config Stores', strcat("Not Translated: ", type)) | where type !has "Not Translated" | extend Sku = case( type =~ 'App Gateways',, type =~ 'Azure Functions', properties.sku, type =~ 'API Management',, type =~ 'App Service Plans',, type =~ 'App Services', properties.sku, type =~ 'App Config Stores',, ' ') | extend State = case( type =~ 'App Config Stores', properties.provisioningState, type =~ 'App Service Plans', properties.status, type =~ 'Azure Functions', properties.enabled, type =~ 'App Services', properties.state, type =~ 'API Management', properties.provisioningState, type =~ 'App Gateways', properties.provisioningState, type =~ 'Front Door', properties.provisioningState, ' ') | mv-expand publicIpId=properties.frontendIPConfigurations | mv-expand publicIpId = | extend publicIpId = tostring(publicIpId) | join kind=leftouter( Resources | where type =~ '' | project publicIpId = id, publicIpAddress = tostring(properties.ipAddress)) on publicIpId | extend PublicIP = case( type =~ 'API Management', properties.publicIPAddresses, type =~ 'App Gateways', publicIpAddress, ' ') | extend Details = pack_all() | project Resource=id, type, subscriptionId, Sku, State, PublicIP, Details "@ Return $Query } Function AzAppServicesHttpsOnly-Query-AzARG { $Query = @" extend httpsOnly = aliases['Microsoft.Web/sites/httpsOnly'] | where type =~'Microsoft.Web/Sites' and httpsOnly =~ 'false' | project AppService=['name'], Kind=['kind'], Subscription=['subscriptionId'] "@ Return $Query } Function AzAppServicesPlanBasicInfo-Query-AzARG { $Query = @" extend sku = aliases['Microsoft.Web/serverfarms/'] | extend NumberOfApps = aliases['Microsoft.Web/serverFarms/numberOfSites'] | where type=~'Microsoft.Web/serverfarms' | project Name=['name'], sku, NumberOfApps, Location=['location'] "@ Return $Query } Function AzAppServicesPlanCount-Query-AzARG { $Query = @" extend sku = aliases['Microsoft.Web/serverfarms/'] | where type=~'Microsoft.Web/serverfarms' | summarize count() by tostring(sku) | project sku, total=count_ "@ Return $Query } Function AzAppServicesPlansCountByWebApps-Query-AzARG { $Query = @" extend NumberOfApps = aliases['Microsoft.Web/serverFarms/numberOfSites'] | where type=~'Microsoft.Web/serverfarms' | project Name=['name'], NumberOfApps, Location=['location'] "@ Return $Query } Function AzAppServicesStopped-Query-AzARG { $Query = @" extend state = aliases['Microsoft.Web/sites/state'] | where type=~'Microsoft.Web/Sites' and state =~ 'stopped' | project AppService=['name'], Kind=['kind'], State=['state'], Subscription=['subscriptionId'] "@ Return $Query } Function AzAppServiceSummaryCount-Query-AzARG { $Query = @" resources | where type has 'microsoft.web' or type =~ 'microsoft.apimanagement/service' or type =~ '' or type =~ '' or type =~ 'microsoft.appconfiguration/configurationstores' | extend type = case( type == 'microsoft.web/serverfarms', "App Service Plans", kind == 'functionapp', "Azure Functions", kind == "api", "API Apps", type == 'microsoft.web/sites', "App Services", type =~ '', 'App Gateways', type =~ '', 'Front Door', type =~ 'microsoft.apimanagement/service', 'API Management', type =~ 'microsoft.web/certificates', 'App Certificates', type =~ 'microsoft.appconfiguration/configurationstores', 'App Config Stores', strcat("Not Translated: ", type)) | where type !has "Not Translated" | summarize count() by type "@ Return $Query } Function AzAutomationLogicDetailed-Query-AzARG { $Query = @" resources | where type has 'microsoft.automation' or type has 'microsoft.logic' or type has 'microsoft.web/customapis' | extend type = case( type =~ 'microsoft.automation/automationaccounts', 'Automation Accounts', type =~ 'microsoft.web/connections', 'LogicApp Connectors', type =~ 'microsoft.web/customapis','LogicApp API Connectors', type =~ 'microsoft.logic/workflows','LogicApps', type =~ 'microsoft.automation/automationaccounts/runbooks', 'Automation Runbooks', type =~ 'microsoft.automation/automationaccounts/configurations', 'Automation Configurations', strcat("Not Translated: ", type)) | extend RunbookType = tostring(properties.runbookType) | extend LogicAppTrigger = properties.definition.triggers | extend LogicAppTrigger = iif(type =~ 'LogicApps', case( LogicAppTrigger has 'manual', tostring(LogicAppTrigger.manual.type), LogicAppTrigger has 'Recurrence', tostring(LogicAppTrigger.Recurrence.type), strcat("Unknown Trigger type", LogicAppTrigger)), LogicAppTrigger) | extend State = case( type =~ 'Automation Runbooks', properties.state, type =~ 'LogicApps', properties.state, type =~ 'Automation Accounts', properties.state, type =~ 'Automation Configurations', properties.state, ' ') | extend CreatedDate = case( type =~ 'Automation Runbooks', properties.creationTime, type =~ 'LogicApps', properties.createdTime, type =~ 'Automation Accounts', properties.creationTime, type =~ 'Automation Configurations', properties.creationTime, ' ') | extend LastModified = case( type =~ 'Automation Runbooks', properties.lastModifiedTime, type =~ 'LogicApps', properties.changedTime, type =~ 'Automation Accounts', properties.lastModifiedTime, type =~ 'Automation Configurations', properties.lastModifiedTime, ' ') | extend Details = pack_all() | project Resource=id, subscriptionId, type, resourceGroup, RunbookType, LogicAppTrigger, State, Details "@ Return $Query } Function AzAutomationLogicSummaryCount-Query-AzARG { $Query = @" resources | where type has 'microsoft.automation' or type has 'microsoft.logic' or type has 'microsoft.web/customapis' | extend type = case( type =~ 'microsoft.automation/automationaccounts', 'Automation Accounts', type == 'microsoft.web/serverfarms', "App Service Plans", kind == 'functionapp', "Azure Functions", kind == "api", "API Apps", type == 'microsoft.web/sites', "App Services", type =~ 'microsoft.web/connections', 'LogicApp Connectors', type =~ 'microsoft.web/customapis','LogicApp API Connectors', type =~ 'microsoft.logic/workflows','LogicApps', type =~ 'microsoft.automation/automationaccounts/runbooks', 'Automation Runbooks', type =~ 'microsoft.automation/automationaccounts/configurations', 'Automation Configurations', strcat("Not Translated: ", type)) | summarize count() by type | where type !has "Not Translated" "@ Return $Query } Function AzAvailabilitySets-Query-AzARG { $Query = @" resources | where type == 'microsoft.compute/availabilitysets' "@ Return $Query } Function AzBackupRecoveryServicesJobs-Query-AzARG { $Query = @" recoveryservicesresources | where type != 'microsoft.recoveryservices/vaults/backupjobs' "@ Return $Query } Function AzBackupRecoveryServicesProtectionItems-Query-AzARG { $Query = @" recoveryservicesresources | where type == 'microsoft.recoveryservices/vaults/backupfabrics/protectioncontainers/protecteditems' "@ Return $Query } Function AzBackupRecoveryServicesVaults-Query-AzARG { $Query = @" resources | where type == 'microsoft.recoveryservices/vaults' "@ Return $Query } Function AzDefenderForCloudDevicesWithoutTVM-Query-AzARG { $Query = @" securityresources | where type == '' | where name contains 'ffff0522-1e88-47fc-8382-2a80ba848f5d' "@ Return $Query } Function AzDefenderForCloudPlans-Query-AzARG { $Query = @" securityresources | where type == '' | project DefenderPlan=name | distinct DefenderPlan | order by DefenderPlan asc "@ Return $Query } Function AzDefenderForCloudPlansStatus-Query-AzARG { #--- BEGIN ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $Query = @" securityresources | where type == '' | extend tier = properties.pricingTier | project DefenderPlan=name,subscriptionId,Pricing=properties.pricingTier | order by DefenderPlan asc "@ Return $Query } Function AzDefenderForCloudRecommendationsSubAssessmentsWithDetailedInfo-Query-AzARG { $Query = @" SecurityResources | where type == '' | extend AssessmentKey = extract('.*assessments/(.+?)/.*',1, id) | project AssessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend SubAssessDescription = properties.description, SubAssessDisplayName = properties.displayName, SubAssessResourceId =, SubAssessResourceSource = properties.resourceDetails.source, SubAssessCategory = properties.category, SubAssessSeverity = properties.status.severity, SubAssessCode = properties.status.code, SubAssessTimeGenerated = properties.timeGenerated, SubAssessRemediation = properties.remediation, SubAssessImpact = properties.impact, SubAssessVulnId =, SubAssessMoreInfo = properties.additionalData, SubAssessMoreInfoAssessedResourceType = properties.additionalData.assessedResourceType, SubAssessMoreInfoData = | join kind=leftouter (resourcecontainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId " "@ Return $Query } Function AzDefenderForCloudRecommendationsWithLink-Query-AzARG { $Query = @" SecurityResources | where type == '' | mvexpand Category=properties.metadata.categories | extend AssessmentId=id, AssessmentKey=name, ResourceId=properties.resourceDetails.Id, ResourceIdsplit = split(properties.resourceDetails.Id,'/'), RecommendationId=name, RecommendationName=properties.displayName, Source=properties.resourceDetails.Source, RecommendationState=properties.status.code, ActionDescription=properties.metadata.description, AssessmentType=properties.metadata.assessmentType, RemediationDescription=properties.metadata.remediationDescription, PolicyDefinitionId=properties.metadata.policyDefinitionId, ImplementationEffort=properties.metadata.implementationEffort, RecommendationSeverity=properties.metadata.severity, Threats=properties.metadata.threats, UserImpact=properties.metadata.userImpact, AzPortalLink=properties.links.azurePortal, MoreInfo=properties | extend ResourceSubId = tostring(ResourceIdsplit[(2)]), ResourceRgName = tostring(ResourceIdsplit[(4)]), ResourceType = tostring(ResourceIdsplit[(6)]), ResourceName = tostring(ResourceIdsplit[(8)]), FirstEvaluationDate = MoreInfo.status.firstEvaluationDate, StatusChangeDate = MoreInfo.status.statusChangeDate, Status = MoreInfo.status.code | join kind=leftouter (resourcecontainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where AssessmentType == 'BuiltIn' | project-away kind,managedBy,sku,plan,tags,identity,zones,location,ResourceIdsplit,id,name,type,resourceGroup,subscriptionId, extendedLocation,subscriptionId1 | project SubName, ResourceSubId, ResourceRgName,ResourceType,ResourceName,TenantId=tenantId, RecommendationName, RecommendationId, RecommendationState, RecommendationSeverity, AssessmentType, PolicyDefinitionId, ImplementationEffort, UserImpact, Category, Threats, Source, ActionDescription, RemediationDescription, MoreInfo, ResourceId, AzPortalLink, AssessmentKey | where RecommendationState == 'Unhealthy' "@ Return $Query } Function AzDefenderForCloudRecommendationsWithSubAssessments-Query-AzARG { $Query = @" SecurityResources | where type == '' | mvexpand Category=properties.metadata.categories | extend AssessmentId=id, AssessmentKey=name, ResourceId=properties.resourceDetails.Id, ResourceIdsplit = split(properties.resourceDetails.Id,'/'), RecommendationId=name, RecommendationName=properties.displayName, Source=properties.resourceDetails.Source, RecommendationState=properties.status.code, ActionDescription=properties.metadata.description, AssessmentType=properties.metadata.assessmentType, RemediationDescription=properties.metadata.remediationDescription, PolicyDefinitionId=properties.metadata.policyDefinitionId, ImplementationEffort=properties.metadata.implementationEffort, RecommendationSeverity=properties.metadata.severity, Threats=properties.metadata.threats, UserImpact=properties.metadata.userImpact, AzPortalLink=properties.links.azurePortal, MoreInfo=properties | extend ResourceSubId = tostring(ResourceIdsplit[(2)]), ResourceRgName = tostring(ResourceIdsplit[(4)]), ResourceType = tostring(ResourceIdsplit[(6)]), ResourceName = tostring(ResourceIdsplit[(8)]), FirstEvaluationDate = MoreInfo.status.firstEvaluationDate, StatusChangeDate = MoreInfo.status.statusChangeDate, Status = MoreInfo.status.code | join kind=leftouter (resourcecontainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where AssessmentType == 'BuiltIn' | project-away kind,managedBy,sku,plan,tags,identity,zones,location,ResourceIdsplit,id,name,type,resourceGroup,subscriptionId, extendedLocation,subscriptionId1 | project SubName, ResourceSubId, ResourceRgName,ResourceType,ResourceName,TenantId=tenantId, RecommendationName, RecommendationId, RecommendationState, RecommendationSeverity, AssessmentType, PolicyDefinitionId, ImplementationEffort, UserImpact, Category, Threats, Source, ActionDescription, RemediationDescription, MoreInfo, ResourceId, AzPortalLink, AssessmentKey | where RecommendationState == 'Unhealthy' | join kind=leftouter ( securityresources | where type == '' | extend AssessmentKey = extract('.*assessments/(.+?)/.*',1, id) | project AssessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend SubAssessmentSescription = properties.description, SubAssessmentDisplayName = properties.displayName, SubAssessmentResourceId =, SubAssessmentResourceSource = properties.resourceDetails.source, SubAssessmentCategory = properties.category, SubAssessmentSeverity = properties.status.severity, SubAssessmentCode = properties.status.code, SubAssessmentTimeGenerated = properties.timeGenerated, SubAssessmentRemediation = properties.remediation, SubAssessmentImpact = properties.impact, SubAssessmentVulnId =, SubAssessmentMoreInfo = properties.additionalData, SubAssessmentMoreInfoAssessedResourceType = properties.additionalData.assessedResourceType, SubAssessmentMoreInfoData = ) on AssessmentKey "@ Return $Query } Function AzDisksIllogicalSizes-Query-AzARG { $Query = @" where type == 'microsoft.compute/disks' | where properties.diskSizeGB > 128 or properties.diskSizeGB < 126 | where properties.diskSizeGB > 256 or properties.diskSizeGB < 250 | where properties.diskSizeGB > 512 or properties.diskSizeGB < 490 | where properties.diskSizeGB > 1024 or properties.diskSizeGB < 1000 | where properties.diskSizeGB > 2048 or properties.diskSizeGB < 2030 | where properties.diskSizeGB > 4096 or properties.diskSizeGB < 4090 | project Name=name, Size=properties.diskSizeGB, ResourceGroup=resourceGroup, Subscription=subscriptionId "@ Return $Query } Function AzEventResourcesDetailed-Query-AzARG { $Query = @" resources | where type has 'microsoft.servicebus' or type has 'microsoft.eventhub' or type has 'microsoft.eventgrid' or type has 'microsoft.relay' | extend type = case( type == 'microsoft.eventgrid/systemtopics', "EventGrid System Topics", type =~ "microsoft.eventgrid/topics", "EventGrid Topics", type =~ 'microsoft.eventhub/namespaces', "EventHub Namespaces", type =~ 'microsoft.servicebus/namespaces', 'ServiceBus Namespaces', type =~ 'microsoft.relay/namespaces', 'Relays', strcat("Not Translated: ", type)) | extend Sku = case( type =~ 'Relays',, type =~ 'EventGrid System Topics', properties.sku, type =~ 'EventGrid Topics',, type =~ 'EventHub Namespaces',, type =~ 'ServiceBus Namespaces', sku.sku, ' ') | extend Endpoint = case( type =~ 'Relays', properties.serviceBusEndpoint, type =~ 'EventGrid Topics', properties.endpoint, type =~ 'EventHub Namespaces', properties.serviceBusEndpoint, type =~ 'ServiceBus Namespaces', properties.serviceBusEndpoint, ' ') | extend Status = case( type =~ 'Relays', properties.provisioningState, type =~ 'EventGrid System Topics', properties.provisioningState, type =~ 'EventGrid Topics', properties.publicNetworkAccess, type =~ 'EventHub Namespaces', properties.status, type =~ 'ServiceBus Namespaces', properties.status, ' ') | extend Details = pack_all() | project Resource=id, subscriptionId, resourceGroup, Sku, Status, Endpoint, Details "@ Return $Query } Function AzEventResourcesSummaryCount-Query-AzARG { $Query = @" resources | where type has 'microsoft.servicebus' or type has 'microsoft.eventhub' or type has 'microsoft.eventgrid' or type has 'microsoft.relay' | extend type = case( type == 'microsoft.eventgrid/systemtopics', "EventGrid System Topics", type =~ "microsoft.eventgrid/topics", "EventGrid Topics", type =~ 'microsoft.eventhub/namespaces', "EventHub Namespaces", type =~ 'microsoft.servicebus/namespaces', 'ServiceBus Namespaces', type =~ 'microsoft.relay/namespaces', 'Relays', strcat("Not Translated: ", type)) | where type !has "Not Translated" | summarize count() by type "@ Return $Query } Function AzExtensionStatus-Query-AzARG { $Query = @" Resources | where (type == 'microsoft.compute/virtualmachines') or (type == 'microsoft.hybridcompute/machines') | extend JoinID = toupper(id) | join kind=leftouter( Resources | where (type == 'microsoft.compute/virtualmachines/extensions') or (type == 'microsoft.hybridcompute/machines/extensions') | extend VMId = toupper(substring(id, 0, indexof(id, '/extensions'))) | extend ExtName = name | extend ExtprovisioningState = properties.provisioningState | extend ExtType = properties.type | extend ExtAutoUpgradeMinorVersion = properties.autoUpgradeMinorVersion | extend ExtTypeHandlerVersion = properties.typeHandlerVersion | extend ExtPublisher = properties.publisher | extend ExtSettings = properties.settings | extend ExtStatus = properties.instanceView | extend ExtStatusMessage = properties.instanceView.status.message ) on $left.JoinID == $right.VMId "@ Return $Query } Function AzFrontdoorRoutingRulesAcceptedPorts-Query-AzARG { $Query = @" resources | where type == "" | project subscriptionId, frontDoorName=name, routingRules = (properties.routingRules) | mv-expand routingRules | project subscriptionId, frontDoorName,, protocols = "@ Return $Query } Function AzHybridMachines-Query-AzARG { #--- BEGIN ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $Query = @" resources | where type == 'microsoft.hybridcompute/machines' "@ Return $Query } Function AzHybridMachinesWithTags-Query-AzARG { $Query = @" resources | where type == 'microsoft.hybridcompute/machines' | project id,name,type,location,resourceGroup,subscriptionId,tags,domain=tostring(properties.domainName) | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) "@ Return $Query } Function AzIPAddressAzNativeVMs-Query-AzARG { $Query = @" Resources | where type =~ 'microsoft.compute/virtualmachines' | project id, vmId = tolower(tostring(id)), vmName = name | join (Resources | where type =~ '' | mv-expand ipconfig=properties.ipConfigurations | project vmId = tolower(tostring(, privateIp =, publicIpId = tostring( | join kind=leftouter (Resources | where type =~ '' | project publicIpId = id, publicIp = properties.ipAddress ) on publicIpId | project-away publicIpId, publicIpId1 | summarize privateIps = make_list(privateIp), publicIps = make_list(publicIp) by vmId ) on vmId | project-away vmId, vmId1 | sort by vmName asc "@ Return $Query } Function AzMGs-Query-AzARG { $Query = @" resourcecontainers | where type == '' "@ Return $Query } Function AzMGsWithParentHierarchy-Query-AzARG { $Query = @" resourcecontainers | where type == '' | extend mgParent = properties.details.managementGroupAncestorsChain | mv-expand with_itemindex=MGHierarchy mgParent | project id, name, properties.displayName, mgParent, MGHierarchy, | sort by MGHierarchy asc "@ Return $Query } Function AzMonResources-Query-AzARG { $Query = @" AlertsManagementResources | extend AlertStatus = properties.essentials.monitorCondition | extend AlertState = properties.essentials.alertState | extend AlertTime = properties.essentials.startDateTime | extend AlertSuppressed = properties.essentials.actionStatus.isSuppressed | extend Severity = properties.essentials.severity | where AlertStatus == 'Fired' | extend Details = pack_all() | project id, name, subscriptionId, resourceGroup, AlertStatus, AlertState, AlertTime, AlertSuppressed, Severity, Details "@ Return $Query } Function AzMonAppInsightsDetailed-Query-AzARG { $Query = @" resources | where type =~ 'microsoft.insights/components' | extend RetentionInDays = properties.RetentionInDays | extend IngestionMode = properties.IngestionMode | extend Details = pack_all() | project Resource=id, location, resourceGroup, subscriptionId, IngestionMode, RetentionInDays, Details "@ Return $Query } Function AzMonDataCollectionEndpoints-Query-AzARG { $Query = @" Resources | where type =~ 'microsoft.insights/datacollectionendpoints' "@ Return $Query } Function AzMonDataCollectionRules-Query-AzARG { $Query = @" Resources | where type =~ 'microsoft.insights/datacollectionrules' "@ Return $Query } Function AzMonLogAnalyticsDetailed-Query-AzARG { $Query = @" resources | where type =~ 'microsoft.operationalinsights/workspaces' | extend Sku = | extend RetentionInDays = properties.retentionInDays | extend Details = pack_all() | project Workspace=id, resourceGroup, location, subscriptionId, Sku, RetentionInDays, Details "@ Return $Query } Function AzMonLogAnalyticsWorkspaces-Query-AzARG { $Query = @" resources | where type =~ 'microsoft.operationalinsights/workspaces' or type =~ 'microsoft.insights/components' | summarize count() by type | extend type = case( type == 'microsoft.insights/components', "Application Insights", type == 'microsoft.operationalinsights/workspaces', "Log Analytics workspaces", strcat(type, type)) "@ Return $Query } Function AzMonResources-Query-AzARG { $Query = @" resources | where type has 'microsoft.insights/' or type has 'microsoft.alertsmanagement/ smartdetectoralertrules' or type has 'microsoft.portal/dashboards' | where type != 'microsoft.insights/components' | extend type = case( type == 'microsoft.insights/workbooks', "Workbooks", type == 'microsoft.insights/activitylogalerts', "Activity Log Alerts", type == 'microsoft.insights/scheduledqueryrules', "Log Search Alerts", type == 'microsoft.insights/actiongroups', "Action Groups", type == 'microsoft.insights/metricalerts', "Metric Alerts", type =~ 'microsoft.alertsmanagement/smartdetectoralertrules','Smart Detection Rules', type =~ 'microsoft.insights/webtests', 'URL Web Tests', type =~ 'microsoft.portal/dashboards', 'Portal Dashboards', type =~ 'microsoft.insights/datacollectionrules', 'Data Collection Rules', strcat("Not Translated: ", type)) | summarize count() by type "@ Return $Query } Function AzMonResourcesDetailed-Query-AzARG { $Query = @" resources | where type has 'microsoft.insights/' or type has 'microsoft.alertsmanagement/smartdetectoralertrules' or type has 'microsoft.portal/dashboards' | where type != 'microsoft.insights/components' | extend type = case( type == 'microsoft.insights/workbooks', "Workbooks", type == 'microsoft.insights/activitylogalerts', "Activity Log Alerts", type == 'microsoft.insights/scheduledqueryrules', "Log Search Alerts", type == 'microsoft.insights/actiongroups', "Action Groups", type == 'microsoft.insights/metricalerts', "Metric Alerts", type =~ 'microsoft.alertsmanagement/smartdetectoralertrules','Smart Detection Rules', type =~ 'microsoft.portal/dashboards', 'Portal Dashboards', strcat("Not Translated: ", type)) | extend Enabled = case( type =~ 'Smart Detection Rules', properties.state, type != 'Smart Detection Rules', properties.enabled, strcat("Not Translated: ", type)) | extend WorkbookType = iif(type =~ 'Workbooks', properties.category, ' ') | extend Details = pack_all() | project name, type, subscriptionId, location, resourceGroup, Enabled, WorkbookType, Details "@ Return $Query } Function AzNativeVMs-Query-AzARG { $Query = @" Resources | where type == 'microsoft.compute/virtualmachines' | extend osType = properties.storageProfile.osDisk.osType | extend osVersion = properties.extended.instanceView.osVersion | extend osName = properties.extended.instanceView.osName | extend vmName = properties.osProfile.computerName | extend licenseType = properties.licenseType | extend PowerState = properties.extended.instanceView.powerState.displayStatus | order by id, resourceGroup desc "@ Return $Query } Function AzNativeVMsCountByImageOffer-Query-AzARG { $Query = @" extend OsOffer = aliases['Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer'] | where type =~ 'Microsoft.Compute/virtualmachines' | summarize count() by tostring(OsOffer) | project OsOffer, total=count_ "@ Return $Query } Function AzNativeVMsCountByOS-Query-AzARG { $Query = @" extend Os = aliases['Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType'] | where type =~ 'Microsoft.Compute/virtualmachines' | summarize count() by tostring(Os) | project Os, total=count_ "@ Return $Query } Function AzDisksIllogicalSizes-Query-AzARG { $Query = @" where type == 'microsoft.compute/disks' | where properties.diskSizeGB > 128 or properties.diskSizeGB < 126 | where properties.diskSizeGB > 256 or properties.diskSizeGB < 250 | where properties.diskSizeGB > 512 or properties.diskSizeGB < 490 | where properties.diskSizeGB > 1024 or properties.diskSizeGB < 1000 | where properties.diskSizeGB > 2048 or properties.diskSizeGB < 2030 | where properties.diskSizeGB > 4096 or properties.diskSizeGB < 4090 | project Name=name, Size=properties.diskSizeGB, ResourceGroup=resourceGroup, Subscription=subscriptionId "@ Return $Query } Function AzNativeVMsCountBySizeLocation-Query-AzARG { $Query = @" Resources | where type == "microsoft.compute/virtualmachines" | summarize Count=count(properties.hardwareProfile.vmSize) by OS=tostring(properties.storageProfile.osDisk.osType), location, vmSize=tostring(properties.hardwareProfile.vmSize) "@ Return $Query } Function AzNativeVMsDiskSizeSkuByLocation-Query-AzARG { $Query = @" Resources | where type contains "microsoft.compute/disks" | summarize DiskSizeGB=sum(toint(properties.diskSizeGB)) by DiskSku=tostring(, location "@ Return $Query } Function AzNativeVMsDiskSizeTotal-Query-AzARG { $Query = @" Resources | where type contains "microsoft.compute/disks" | summarize DiskSizeGB=sum(toint(properties.diskSizeGB)) "@ Return $Query } Function AzNativeVMsHybridMachines-Query-AzARG { $Query = @" Resources | where type in ('microsoft.compute/virtualmachines','microsoft.hybridcompute/machines') | extend ostype = properties.osType | extend provisioningState = properties.provisioningState | extend licensetype = properties.licensetype | extend displayname = properties.displayName | extend status = properties.status | extend computerName = properties.osprofile.computerName | extend osVersion = properties.osVersion | extend osName = properties.osName | extend manufacturer = properties.detectedProperties.manufacturer | extend model = properties.detectedProperties.model | extend lastStatusChange = properties.lastStatusChange | extend agentVersion = properties.agentVersion | extend machineFqdn = properties.machineFqdn | extend domainName = properties.domainName | extend dnsFqdn = properties.dnsFqdn | extend adFqdn = properties.adFqdn | extend osSku = properties.osSku "@ Return $Query } Function AzNativeVMsSizeCount-Query-AzARG { $Query = @" Resources | where type == "microsoft.compute/virtualmachines" | summarize Count=count(properties.hardwareProfile.vmSize) by vmSize=tostring(properties.hardwareProfile.vmSize) "@ Return $Query } Function AzNativeVMsStatusCount-Query-AzARG { $Query = @" Resources | where type == "microsoft.compute/virtualmachines" | extend vmState = tostring(properties.extended.instanceView.powerState.displayStatus) | extend vmState = iif(isempty(vmState), "VM State Unknown", (vmState)) | summarize count() by vmState "@ Return $Query } Function AzNativeVMsStorageAdvProfile-Query-AzARG { $Query = @" Resources | where type == "microsoft.compute/virtualmachines" | extend osDiskId= tostring( | join kind=leftouter( resources | where type =~ 'microsoft.compute/disks' | where properties !has 'Unattached' | where properties has 'osType' | project OS = tostring(properties.osType), osSku = tostring(, osDiskSizeGB = toint(properties.diskSizeGB), osDiskId=tostring(id)) on osDiskId | join kind=leftouter( resources | where type =~ 'microsoft.compute/disks' | where properties !has "osType" | where properties !has 'Unattached' | project sku = tostring(, diskSizeGB = toint(properties.diskSizeGB), id = managedBy | summarize sum(diskSizeGB), count(sku) by id, sku) on id | project vmId=id, OS, location, resourceGroup, subscriptionId, osDiskId, osSku, osDiskSizeGB, DataDisksGB=sum_diskSizeGB, diskSkuCount=count_sku | sort by diskSkuCount desc "@ Return $Query } Function AzNativeVMsStorageProfile-Query-AzARG { $Query = @" Resources | where type contains "microsoft.compute/disks" | project Os=properties.osType,, DiskSizeGB=properties.diskSizeGB, id = managedBy | join (Resources | where type == "microsoft.compute/virtualmachines") on id "@ Return $Query } Function AzNativeVMsWithDefenderForCloudPlanEnabled-Query-AzARG { $Query = @" securityresources | where type == '' | extend tier = properties.pricingTier | where ( (name == 'VirtualMachines') and (properties.pricingTier == 'Standard') ) | project DefenderPlan=name,subscriptionId,Pricing=properties.pricingTier | join kind=leftouter ( resources | where type in ('microsoft.compute/virtualmachines','microsoft.hybridcompute/machines') | project name, type, subscriptionId, resourceGroup, location ) on subscriptionId | project DefenderPlan, Pricing, name, type, subscriptionId, resourceGroup, location | where name != "" "@ Return $Query } Function AzNativeVMsWithNICsPublicIP-Query-AzARG { $Query = @" Resources | where type =~ 'microsoft.compute/virtualmachines' | extend nics=array_length(properties.networkProfile.networkInterfaces) | mv-expand nic=properties.networkProfile.networkInterfaces | where nics == 1 or =~ 'true' or isempty(nic) | project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring( | join kind=leftouter ( Resources | where type =~ '' | extend ipConfigsCount=array_length(properties.ipConfigurations) | mv-expand ipconfig=properties.ipConfigurations | where ipConfigsCount == 1 or =~ 'true' | project nicId = id, privateIP= tostring(, publicIpId = tostring(, subscriptionId) on nicId | project-away nicId1 | summarize by vmId, vmSize, nicId, privateIP, publicIpId, subscriptionId | join kind=leftouter ( Resources | where type =~ '' | project publicIpId = id, publicIpAddress = tostring(properties.ipAddress)) on publicIpId | project-away publicIpId1 | sort by publicIpAddress desc "@ Return $Query } Function AzNativeVMsWithTags-Query-AzARG { $Query = @" resources | where type == 'microsoft.compute/virtualmachines' | project id,name,type,location,resourceGroup,subscriptionId,tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) "@ Return $Query } Function AzNetworkNSGRules-Query-AzARG { $Query = @" Resources | where type =~ '' | project id, nsgRules = parse_json(parse_json(properties).securityRules), networksecurityGroupName = name, subscriptionId, resourceGroup , location | mvexpand nsgRule = nsgRules | project id, location,, ,,provisioningState= ,, sourceAddressPrefix =, sourceAddressPrefixes =, destinationAddressPrefix =, destinationAddressPrefixes =, networksecurityGroupName, networksecurityRuleName = tostring(, subscriptionId, resourceGroup, destinationPortRanges =, destinationPortRange =, sourcePortRanges =, sourcePortRange = | extend Details = pack_all() | project id, location, access, direction, subscriptionId, resourceGroup, Details "@ Return $Query } Function AzNetworkNSGsUnassociated-Query-AzARG { $Query = @" Resources | where type =~ '' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project Resource=id, resourceGroup, subscriptionId, location "@ Return $Query } Function AzNetworkPublicIPs-Query-AzARG { $Query = @" Resources | where type == "" | summarize PIPs=count() by IPType=tostring(properties.publicIPAddressVersion) "@ Return $Query } Function AzNetworkResources-Query-AzARG { $Query = @" resources | where type has "" | extend type = case( type == '', "NICs", type == '', "NSGs", type == "", "Public IPs", type == '', "vNets", type == '', "Connection Monitors", type == '', "Private DNS", type == '', @"vNet Gateways", type == '', "Connections", type == '', "Network Watchers", type == '', "Private Endpoints", type == '', "Local Network Gateways", type == '', "vNet Links", type == '', 'DNS Zones', type == '', 'Flow Logs', type == '', 'Route Tables', type == '', 'Load Balancers', strcat("Not Translated: ", type)) | summarize count() by type | where type !has "Not Translated" "@ Return $Query } Function AzNetworkRouteTables-Query-AzARG { $Query = @" resources | where type =~ '' | project id, routes = parse_json(parse_json(properties).routes), routeTableName = name, subscriptionId, resourceGroup, location | mvexpand route = routes | project id, location,,,,, routeTableName, routeName = tostring(, subscriptionId, resourceGroup | extend Details = pack_all() | project id, routeTableName, location, addressPrefix, nextHopType, nextHopIpAddress, subscriptionId, resourceGroup, Details "@ Return $Query } Function AzNetworkSubnets-Query-AzARG { $Query = @" resources | where type == "" | project vnetName = name, subnets = (properties.subnets) | mvexpand subnets | extend subnetName = ( | project vnetName, subnetName "@ Return $Query } Function AzNetworkSubnetsAddressSpace-Query-AzARG { $Query = @" resources | where type == "" | project vnetName = name, subnets = (properties.subnets) | mvexpand subnets | extend subnetName = ( | extend mask = split(, '/', 1)[0] | extend usedIp = array_length( | extend totalIp = case(mask == 29, 3, mask == 28, 11, mask == 27, 27, mask == 26, 59, mask == 25, 123, mask == 24, 251, mask == 23, 507, mask == 22, 1019, mask == 21, 2043, mask == 20, 4091, mask == 19, 8187, mask == 18, 16379, mask == 17, 32763, mask == 16, 65531, mask == 15, 131067, mask == 14, 262139, mask == 13, 524283, mask == 12, 1048571, mask == 11, 2097147, mask == 10, 4194299, mask == 9, 8388603, mask == 8, 16777211, -1) | extend availableIp = totalIp - usedIp | project vnetName, subnetName, mask, usedIp, totalIp, availableIp, subnets | order by toint(mask) desc "@ Return $Query } Function AzNetworkSubnetsWithDelegations-Query-AzARG { $Query = @" resources | where type == "" | project vnetName = name, subnets = (properties.subnets) | mvexpand subnets | extend subnetName = ( | extend isDelegated = isnotnull( and array_length( != 0 | where isDelegated == 1 | project vnetName, subnetName "@ Return $Query } Function AzNetworkSubnetsWithNSG-Query-AzARG { $Query = @" resources | where type == "" | project vnetName = name, subnets = (properties.subnets) | mvexpand subnets | extend subnetName = ( | extend hasNSG = isnotnull( | where hasNSG == 1 | project vnetName, subnetName "@ Return $Query } Function AzNetworkSubnetsWithRouteTable-Query-AzARG { $Query = @" resources | where type == "" | project vnetName = name, subnets = (properties.subnets) | mvexpand subnets | extend subnetName = ( | extend hasRouteTable = isnotnull( | where hasRouteTable == 1 | project vnetName, subnetName "@ Return $Query } Function AzNetworkSubnetsWithServiceEndpoints-Query-AzARG { $Query = @" resources | where type == "" | project vnetName = name, subnets = (properties.subnets) | mvexpand subnets | extend subnetName = ( | extend hasServiceEndpoints = isnotnull( and array_length( != 0 | where hasServiceEndpoints == 1 | project vnetName, subnetName "@ Return $Query } Function AzOrphanedAvailabilitySets-Query-AzARG { $Query = @" resources | where type =~ 'microsoft.compute/availabilitysets' | extend VirtualMachines = array_length(properties.virtualMachines) | where VirtualMachines == 0 "@ Return $Query } Function AzOrphanedDisks-Query-AzARG { $Query = @" Resources | where type has "microsoft.compute/disks" | extend diskState = tostring(properties.diskState) | where managedBy == "" and diskState != 'ActiveSAS' or diskState == 'Unattached' and diskState != 'ActiveSAS' | project id, diskState, resourceGroup, location, subscriptionId "@ Return $Query } Function AzOrphanedNICs-Query-AzARG { $Query = @" resources | where type =~ "" | join kind=leftouter (resources | where type =~ '' | extend nic = todynamic(properties.networkInterfaces) | mv-expand nic | project id=tostring( ) on id | where isempty(id1) | where properties !has 'virtualmachine' | project id, resourceGroup, location, subscriptionId "@ Return $Query } Function AzOrphanedNSGs-Query-AzARG { $Query = @" Resources | where type =~ '' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project Resource=id, resourceGroup, subscriptionId, location "@ Return $Query } Function AzOrphanedPublicIPs-Query-AzARG { $Query = @" resources | where type =~ '' | extend IpConfig = | where isempty(IpConfig) | extend natGateway = | where isempty(natGateway) | order by ['name'] asc "@ Return $Query } Function AzOrphanedWebAPIConnections-Query-AzARG { $Query = @" resources | where type =~ 'Microsoft.Web/connections' |project id |join kind= leftouter ( resources | where type == 'microsoft.logic/workflows' |extend propertiesJson=parse_json(properties) |extend ConJson=propertiesJson["parameters"]["$connections"]["value"] |mvexpand Conn=ConJson |where notnull(Conn) |extend connectionId=extract(""connectionId":"(.*)"",1,tostring(Conn)) |project connectionId ) on $$right.connectionId "@ Return $Query } Function AzPolicyAssignmentCountByScope-Query-AzARG { $Query = @" policyresources | where type == "microsoft.authorization/policyassignments" | extend scope = tostring(properties.scope) | summarize count() by scope | order by count_ desc "@ Return $Query } Function AzPolicyDefinitionsCountByScope-Query-AzARG { $Query = @" policyresources | where type == "microsoft.authorization/policydefinitions" | extend policyType = tostring(properties.policyType) | where policyType == "Custom" | project id | extend scope = tostring(split(id, "/providers/Microsoft.Authorization/policyDefinitions/", 0)[0]) | summarize count() by scope | order by count_ desc "@ Return $Query } Function AzPolicyUnused-Query-AzARG { $Query = @" policyresources | where type == "microsoft.authorization/policydefinitions" | extend policyType = tostring(properties.policyType) | where policyType == "Custom" | join kind=leftouter ( policyresources | where type == "microsoft.authorization/policysetdefinitions" | extend policyType = tostring(properties.policyType) | extend policyDefinitions = properties.policyDefinitions | where policyType == "Custom" | mv-expand policyDefinitions | extend policyDefinitionId = tostring(policyDefinitions.policyDefinitionId) | project associedIdToInitiative=policyDefinitionId | distinct associedIdToInitiative) on $ == $right.associedIdToInitiative | where associedIdToInitiative == "" | join kind=leftouter( policyresources | where type == "microsoft.authorization/policyassignments" | extend policyDefinitionId = tostring(properties.policyDefinitionId) | project associatedDefinitionId=policyDefinitionId | distinct associatedDefinitionId ) on $ == $right.associatedDefinitionId | where associatedDefinitionId == "" | extend displayName = tostring(properties.displayName) | project id, displayName "@ Return $Query } Function AzResources-Query-AzARG { $Query = @" resources "@ Return $Query } Function AzResourcesWithTags-Query-AzARG { $Query = @" resources | project id,name,type,location,resourceGroup,subscriptionId,tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) "@ Return $Query } Function AzResourceTypes-Query-AzARG { $Query = @" resources | distinct type "@ Return $Query } Function AzRGs-Query-AzARG { $Query = @" resourcecontainers | where type == 'microsoft.resources/subscriptions/resourcegroups' "@ Return $Query } Function AzRGsWithTags-Query-AzARG { $Query = @" resourcecontainers | project id,name,type,location,resourceGroup,subscriptionId,tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) "@ Return $Query } Function AzRoleAssignments-Query-AzARG { $Query = @" authorizationResources | where type == 'microsoft.authorization/roleassignments' | extend roleDefinitionIdFull = tostring(properties.roleDefinitionId) | extend roleDefinitionIdsplit = split(roleDefinitionIdFull,'/') | extend roleDefinitionId = tostring(roleDefinitionIdsplit[(4)]) | extend roleAssignmentPrincipalType = properties.principalType | extend roleAssignmentDescription = properties.description | extend roleAssignmentPrincipalId = properties.principalId | extend roleAssignmentCreatedOn = properties.createdOn | extend roleAssignmentUpdatedOn = properties.updatedOn | extend roleAssignmentUpdatedById = properties.updatedBy | extend roleAssignmentCreatedById = properties.createdBy | extend roleAssignmentScope = properties.scope | project-away managedBy,kind,sku,plan,tags,identity,zones,location,resourceGroup,subscriptionId, extendedLocation,tenantId | join kind=leftouter (authorizationResources | where type == 'microsoft.authorization/roledefinitions' | extend roleDefinitionIdFull = tostring(id) | extend roleDefinitionIdsplit = split(roleDefinitionIdFull,'/') | extend roleDefinitionId = tostring(roleDefinitionIdsplit[(4)]) | extend description = properties.description | extend roleName = properties.roleName | extend roleType = properties.type | project-away managedBy,kind,sku,plan,tags,identity,zones,location,resourceGroup,subscriptionId, extendedLocation,tenantId) on roleDefinitionId | project roleDefinitionId,roleName,roleType,roleAssignmentPrincipalType,roleAssignmentPrincipalId,roleAssignmentCreatedOn,roleAssignmentUpdatedOn,roleAssignmentUpdatedById,roleAssignmentCreatedById,roleAssignmentScope "@ Return $Query } Function AzSecureScoreByControls-Query-AzARG { $Query = @" SecurityResources | where type == '' | extend SecureControl = properties.displayName, unhealthy = properties.unhealthyResourceCount, currentscore = properties.score.current, maxscore = properties.score.max, subscriptionId | project SecureControl , unhealthy, currentscore, maxscore, subscriptionId "@ Return $Query } Function AzSecureScoreSubscription-Query-AzARG { $Query = @" securityresources | where type == "" | extend subscriptionSecureScore = round(100 * bin((todouble(properties.score.current))/ todouble(properties.score.max), 0.001)) | where subscriptionSecureScore > 0 | project subscriptionSecureScore, subscriptionId | order by subscriptionSecureScore asc "@ Return $Query } Function AzSQLDatabasesByLocation-Query-AzARG { $Query = @" where type=~ 'Microsoft.DBforMySQL/servers' or type=~'Microsoft.SQL/servers/databases' or type=~'Microsoft.DBforPostgreSQL/servers' or type=~'Microsoft.DBforMariaDB/servers' | summarize count() by location | project location, total=count_ | order by total desc "@ Return $Query } Function AzSQLDatabasesOverview-Query-AzARG { $Query = @" where type=~ 'Microsoft.DBforMySQL/servers' or type=~'Microsoft.SQL/servers/databases' or type=~'Microsoft.DBforPostgreSQL/servers' or type=~'Microsoft.DBforMariaDB/servers' | project name, type, location, subscriptionId "@ Return $Query } Function AzSQLDetailed-Query-AzARG { $Query = @" resources | where type =~ 'microsoft.documentdb/databaseaccounts' or type =~ 'microsoft.sql/servers/databases' or type =~ 'microsoft.dbformysql/servers' or type =~ 'microsoft.sql/servers' | extend type = case( type =~ 'microsoft.documentdb/databaseaccounts', 'CosmosDB', type =~ 'microsoft.sql/servers/databases', 'SQL DBs', type =~ 'microsoft.dbformysql/servers', 'MySQL', type =~ 'microsoft.sql/servers', 'SQL Servers', strcat("Not Translated: ", type)) | extend Sku = case( type =~ 'CosmosDB', properties.databaseAccountOfferType, type =~ 'SQL DBs',, type =~ 'MySQL',, ' ') | extend Status = case( type =~ 'CosmosDB', properties.provisioningState, type =~ 'SQL DBs', properties.status, type =~ 'MySQL', properties.userVisibleState, ' ') | extend Endpoint = case( type =~ 'MySQL', properties.fullyQualifiedDomainName, type =~ 'SQL Servers', properties.fullyQualifiedDomainName, type =~ 'CosmosDB', properties.documentEndpoint, ' ') | extend maxSizeGB = todouble(case( type =~ 'SQL DBs', properties.maxSizeBytes, type =~ 'MySQL', properties.storageProfile.storageMB, ' ')) | extend maxSizeGB = iif(type has 'SQL DBs', maxSizeGB /1000 /1000, maxSizeGB) | extend Details = pack_all() | project Resource=id, resourceGroup, subscriptionId, type, Sku, Status, Endpoint, maxSizeGB, Details "@ Return $Query } Function AzSQLPaaSCountByType-Query-AzARG { $Query = @" where type=~ 'Microsoft.DBforMySQL/servers' or type=~'Microsoft.SQL/servers/databases' or type=~'Microsoft.DBforPostgreSQL/servers' or type=~'Microsoft.DBforMariaDB/servers' | summarize count() by type | project type, total=count_ | order by total desc "@ Return $Query } Function AzSQLSummaryCount-Query-AzARG { $Query = @" resources | where type =~ 'microsoft.documentdb/databaseaccounts' or type =~ 'microsoft.sql/servers/databases' or type =~ 'microsoft.dbformysql/servers' or type =~ 'microsoft.sql/servers' | extend type = case( type =~ 'microsoft.documentdb/databaseaccounts', 'CosmosDB', type =~ 'microsoft.sql/servers/databases', 'SQL DBs', type =~ 'microsoft.dbformysql/servers', 'MySQL', type =~ 'microsoft.sql/servers', 'SQL Servers', strcat("Not Translated: ", type)) | where type !has "Not Translated" | summarize count() by type "@ Return $Query } Function AzStorageAccounts-Query-AzARG { $Query = @" resources | where type == '' "@ Return $Query } Function AzStorageAccountsByLocation-Query-AzARG { $Query = @" where type =~ '' | summarize count() by location| project Location=['location'], Total=count_ "@ Return $Query } Function AzStorageAccountsHttpsOnlyCountBySubscription-Query-AzARG { $Query = @" extend HTTPSOnly = aliases['Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly'] | where type =~ '' and HTTPSOnly =~ 'false' | summarize count() by subscriptionId | project subscriptionId, Total=count_ "@ Return $Query } Function AzStorageAccountsOverview-Query-AzARG { $Query = @" extend HTTPSOnly = aliases['Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly'] | extend Type = aliases['Microsoft.Storage/storageAccounts/accountType'], BlobEncryption = aliases['Microsoft.Storage/storageAccounts/enableBlobEncryption'], FileEncryption = aliases['Microsoft.Storage/storageAccounts/enableFileEncryption'] | where type =~ '' | project Name=['name'], Kind=['kind'], Type, HTTPSOnly, BlobEncryption, FileEncryption, Location=['location'], SubscriptionID=['subscriptionId'] "@ Return $Query } Function AzSubscriptions-Query-AzARG { $Query = @" ResourceContainers | where type =~ 'microsoft.resources/subscriptions' | extend status = properties.state | project id, subscriptionId, name, status | order by id, subscriptionId desc "@ Return $Query } Function AzSubscriptionsCountByMG-Query-AzARG { $Query = @" resourcecontainers | where type == 'microsoft.resources/subscriptions' | project subscriptionName = name, managementgroups = (properties.managementGroupAncestorsChain) | mv-expand managementgroups | summarize count() by tostring(managementgroups.displayName) | order by count_ desc "@ Return $Query } Function AzSubscriptionsCountByResourceType-Query-AzARG { $Query = @" resources | join kind=leftouter (resourcecontainers | where type == 'microsoft.resources/subscriptions' | project subscriptionName=name, subscriptionId) on subscriptionId | where subscriptionName != "" | summarize count() by type, subscriptionName "@ Return $Query } Function AzSubscriptionsWithTags-Query-AzARG { $Query = @" resourcecontainers | where type == 'microsoft.resources/subscriptions' | project id,name,type,location,subscriptionId,tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) "@ Return $Query } Function AzTagsKeyValuePairs-Query-AzARG { $Query = @" resources | where isnotempty(tags) | where tags !has "hidden-" | mv-expand tags | extend tagName = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagName]) "@ Return $Query } Function AzTagsResourcesCountByTagName-Query-AzARG { $Query = @" resources | where isnotempty(tags) | where tags !has "hidden-" | mv-expand tags | extend tagName = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagName]) | summarize count() by tagName | order by ['count_'] desc "@ Return $Query } Function AzTagsResourcesCountByTagNameValue-Query-AzARG { $Query = @" resources | where isnotempty(tags) | where tags !has "hidden-" | mv-expand tags | extend tagName = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagName]) | summarize count() by tagName, tagValue | order by ['count_'] desc "@ Return $Query } Function AzTagsResourceTypesCountByTagNameValue-Query-AzARG { $Query = @" resources | where isnotempty(tags) | where tags !has "hidden-" | mv-expand tags | extend tagName = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagName]) | summarize count() by type, tagName, tagValue | order by ['count_'] desc "@ Return $Query } Function AzUmcAvailableUpdatesByUpdateCategory-Query-AzARG { $Query = @" patchassessmentresources | where type !has "softwarepatches" | extend prop = parse_json(properties) | extend lastTime = properties.lastModifiedDateTime | extend updateRollupCount = prop.availablePatchCountByClassification.updateRollup, featurePackCount = prop.availablePatchCountByClassification.featurePack, servicePackCount = prop.availablePatchCountByClassification.servicePack, definitionCount = prop.availablePatchCountByClassification.definition, securityCount =, criticalCount = prop.availablePatchCountByClassification.critical, updatesCount = prop.availablePatchCountByClassification.updates, toolsCount =, otherCount = prop.availablePatchCountByClassification.other, OS = prop.osType | project lastTime, id, OS, updateRollupCount, featurePackCount, servicePackCount, definitionCount, securityCount, criticalCount, updatesCount, toolsCount, otherCount "@ Return $Query } Function AzUmcInstallationsCount-Query-AzARG { $Query = @" patchinstallationresources | where type !has "softwarepatches" | extend machineName = tostring(split(id, "/", 8)), resourceType = tostring(split(type, "/", 0)), tostring(rgName = split(id, "/", 4)) | extend prop = parse_json(properties) | extend lTime = todatetime(prop.lastModifiedDateTime), OS = tostring(prop.osType), installedPatchCount = tostring(prop.installedPatchCount), failedPatchCount = tostring(prop.failedPatchCount), pendingPatchCount = tostring(prop.pendingPatchCount), excludedPatchCount = tostring(prop.excludedPatchCount), notSelectedPatchCount = tostring(prop.notSelectedPatchCount) | where lTime > ago(7d) | project lTime, RunID=name,machineName, rgName, resourceType, OS, installedPatchCount, failedPatchCount, pendingPatchCount, excludedPatchCount, notSelectedPatchCount "@ Return $Query } Function AzUmcMaintenanceRunVM-Query-AzARG { $Query = @" maintenanceresources | where ['id'] contains "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/microsoft.compute/virtualmachines/<vm-name>" //VM Id here | where ['type'] == "microsoft.maintenance/applyupdates" | where properties.maintenanceScope == "InGuestPatch" "@ Return $Query } Function AzUmcPatchInstallationsLinuxOS { $Query = @" patchinstallationresources | where type has "softwarepatches" and properties has "version" | extend machineName = tostring(split(id, "/", 8)), resourceType = tostring(split(type, "/", 0)), tostring(rgName = split(id, "/", 4)), tostring(RunID = split(id, "/", 10)) | extend prop = parse_json(properties) | extend lTime = todatetime(prop.lastModifiedDateTime), patchName = tostring(prop.patchName), version = tostring(prop.version), installationState = tostring(prop.installationState), classifications = tostring(prop.classifications) | where lTime > ago(7d) | project lTime, RunID, machineName, rgName, resourceType, patchName, version, classifications, installationState | sort by RunID "@ Return $Query } Function AzUmcPatchInstallationsWindowsOS-Query-AzARG { $Query = @" patchinstallationresources | where type has "softwarepatches" and properties !has "version" | extend machineName = tostring(split(id, "/", 8)), resourceType = tostring(split(type, "/", 0)), tostring(rgName = split(id, "/", 4)), tostring(RunID = split(id, "/", 10)) | extend prop = parse_json(properties) | extend lTime = todatetime(prop.lastModifiedDateTime), patchName = tostring(prop.patchName), kbId = tostring(prop.kbId), installationState = tostring(prop.installationState), classifications = tostring(prop.classifications) | where lTime > ago(7d) | project lTime, RunID, machineName, rgName, resourceType, patchName, kbId, classifications, installationState | sort by RunID "@ Return $Query } Function Query-AzResourceGraph { <# .SYNOPSIS Runs query against Azure Resource Graph and returns the result .DESCRIPTION You can run custom query or pre-defined queries against Azure Resource Graph. Query can be targetted on Tenant, MG or Subscription scope. .PARAMETER Scope This parameter defines the scope where necessary PS modules will be installed (if missing). Possible values are AllUsers (default) or CurrentUser .PARAMETER Query This parameter is the entire Query, which must be run against Azure Resource Graph .PARAMETER QueryScope You can choose between MG, Tenant or Subscription (or Sub as alias). If you don't choose Scope, then tenant is default. .PARAMETER Target Syntax if you chose -QueryScope MG You will need to define -Target <mg-name> (Ex: -Target mg-2linkit) This MG will be the root for query and all sub-MGs will be included Syntax if you chose -QueryScope SubScription: You will need to define -Target <subscription name or id> (Ex: -Target MySub) Syntax if you chose -QueryScope Tenant: Search will automatically be done in the entire tenant .PARAMETER First This parameter will take only the first x records .PARAMETER Skip This parameter will skip x records and then show the remaining .PARAMETER SelectQuery This switch will list all available queries in a GUI to select from .PARAMETER ShowQueryOnly This switch will only show the query - not run the query ! .PARAMETER InstallAutoUpdateCleanupOldVersions This switch will install Az.Accounts, Az.ResourceGraph and AzResourceGraphPS (if missing), auto-update PS modules Az.ResourceGraph and AzResourceGraphPS (if updates available) and remove older versions of Az.ResourceGraph and AzResourceGraphPS (if found) NOTE: Parameter will NOT update or remove Az.Accounts-module .PARAMETER AzAppId This is the Azure app id .PARAMETER AzAppSecret This is the secret of the Azure app .PARAMETER TenantId This is the Azure AD tenant id .INPUTS Yes, you can pipe query data into function .OUTPUTS Results from Azure Resource Graph, based on the defined parameters. .LINK .EXAMPLE # Install if missing + Update all modules to latest version + clean-up old modules if found Query-AzResourceGraph -InstallAutoUpdateCleanupOldVersions -Scope AllUsers # Run pre-defined query against tenant - and output result to screen AzMGsWithParentHierarchy-Query-AzARG | Query-AzResourceGraph -QueryScope Tenant # Run pre-defined query against MG "2linkit"- and output result to screen AzRGs-Query-AzARG | Query-AzResourceGraph -QueryScope MG -Target "2linkit" # Run pre-defined query and return result to $Result-variable $Result = AzRGs-Query-AzARG | Query-AzResourceGraph -QueryScope MG -Target "2linkit" $Result | fl # Run Custom Query and return result to $Result-variable $Query = @" resourcecontainers | where type == '' | extend mgParent = properties.details.managementGroupAncestorsChain | mv-expand with_itemindex=MGHierarchy mgParent | project id, name, properties.displayName, mgParent, MGHierarchy, | sort by MGHierarchy asc "@ $Result = $Query | Query-AzResourceGraph -QueryScope "Tenant" $Result | fl # Show query only AzMGsWithParentHierarchy-Query-AzARG | Query-AzResourceGraph -ShowQueryOnly # Select from list of pre-defined queries Query-AzResourceGraph -SelectQuery # Run query using unattended login with AzApp & AzSecret # Variables $AzAppId = "xxxx" $AzAppSecret = "xxxx" $TenantId = "xxxx" # Disconnect existing sessions Disconnect-AzAccount AzRGs-Query-AzARG | Query-AzResourceGraph -QueryScope "Tenant" -AzAppId $AzAppId ` -AzAppSecret $AzAppSecret ` -TenantId $TenantId ` # Get all Azure Resource Groups in specific subscription - show only first 2 RGs AzRGs-Query-AzARG | Query-AzResourceGraph -QueryScope Subscription ` -Target "fce4f282-fcc6-43fb-94d8-bf1701b862c3" ` -First 2 # Get all management groups under management group '2linkit' - skip first 3 AzMGsWithParentHierarchy-Query-AzARG | Query-AzResourceGraph -QueryScope "MG" ` -Target "2linkit" ` -Skip 3 # Get all management groups under management group '2linkit' - only show first 3 AzMGsWithParentHierarchy | Query-AzResourceGraph -QueryScope "MG" ` -Target "2linkit" ` -First 3 #> [CmdletBinding()] param( [Parameter(ValueFromPipeline)] [string]$Query, [Parameter()] [ValidateSet("Tenant","MG","Subscription")] $QueryScope = "Tenant", [Parameter()] [string]$Target = $null, # Only needed for MG or Subscription [Parameter()] [string]$First, [Parameter()] [string]$Skip, [Parameter()] [switch]$SelectQuery = $false, [Parameter()] [switch]$ShowQueryOnly = $false, [Parameter()] [string]$AzAppId, [Parameter()] [string]$AzAppSecret, [Parameter()] [string]$TenantId, [Parameter()] [switch]$InstallAutoUpdateCleanupOldVersions = $false, [Parameter()] [ValidateSet("AllUsers","CurrentUser")] $Scope = "AllUsers" ) #--------------------------------------------- # Header #--------------------------------------------- Write-host "" Write-host "----------------------------------------------------------------------" Write-Host "AzResourceGraphPS | Morten Knudsen, Microsoft MVP (@knudsenmortendk)" -ForegroundColor Green Write-Host "" Write-host "Github repository:" Write-host "----------------------------------------------------------------------" #-------------------------------------------------------------------------- # Check Prereq for PS Module #-------------------------------------------------------------------------- If ($InstallAutoUpdateCleanupOldVersions -eq $true) { ##################################################################### # Az.ResourceGraph ##################################################################### $Module = "Az.ResourceGraph" $ModuleCheck = Get-Module -Name $Module -ListAvailable -ErrorAction SilentlyContinue If (!($ModuleCheck)) { # check for NuGet package provider [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Write-host "" Write-host "Checking Powershell PackageProvider NuGet ... Please Wait !" if (Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue -WarningAction SilentlyContinue) { Write-Host "OK - PackageProvider NuGet is installed" } else { try { Write-Host "Installing NuGet package provider .. Please Wait !" Install-PackageProvider -Name NuGet -Scope $Scope -Confirm:$false -Force } catch [Exception] { $_.message exit } } Write-host "" Write-host "Installing latest version of $($Module) from PsGallery in scope $($Scope) .... Please Wait !" Install-module -Name $Module -Repository PSGallery -Force -Scope $Scope import-module -Name $Module -Global -force -DisableNameChecking -WarningAction SilentlyContinue } Else { ##################################### # Check for any available updates ##################################### # Current version $InstalledVersions = Get-module $Module -ListAvailable $LatestVersion = $InstalledVersions | Sort-Object Version -Descending | Select-Object -First 1 $CleanupVersions = $InstalledVersions | Where-Object { $_.Version -ne $LatestVersion.Version } # Online version in PSGallery (online) $Online = Find-Module -Name $Module -Repository PSGallery # Compare versions if ( ([version]$Online.Version) -gt ([version]$LatestVersion.Version) ) { Write-host "" Write-host "Newer version ($($Online.version)) of $($Module) was detected in PSGallery" Write-host "" Write-host "Updating to latest version $($Online.version) of $($Module) from PSGallery ... Please Wait !" remove-module $Module -Force Update-module $Module -Force } Else { # No new version detected ... continuing ! Write-host "" Write-host "OK - Running latest version ($($LatestVersion.version)) of $($Module)" } ##################################### # Clean-up older versions, if found ##################################### $InstalledVersions = Get-module $Module -ListAvailable $LatestVersion = $InstalledVersions | Sort-Object Version -Descending | Select-Object -First 1 $CleanupVersions = $InstalledVersions | Where-Object { $_.Version -ne $LatestVersion.Version } Write-host "" ForEach ($ModuleRemove in $CleanupVersions) { Write-Host "Removing older version $($ModuleRemove.Version) of $($ModuleRemove.Name) ... Please Wait !" Uninstall-module -Name $ModuleRemove.Name -RequiredVersion $ModuleRemove.Version -Force -ErrorAction SilentlyContinue # Removing left-overs if uninstall doesn't complete task $ModulePath = (get-item $ModuleRemove.Path -ErrorAction SilentlyContinue).DirectoryName if ( ($ModulePath) -and (Test-Path $ModulePath) ) { $Result = takeown /F $ModulePath /A /R $Result = icacls $modulePath /reset $Result = icacls $modulePath /grant Administrators:'F' /inheritance:d /T $Result = Remove-Item -Path $ModulePath -Recurse -Force -Confirm:$false } } } #If (!($ModuleCheck)) ##################################################################### # Az.Accounts ##################################################################### $Module = "Az.Accounts" $ModuleCheck = Get-Module -Name $Module -ListAvailable -ErrorAction SilentlyContinue If (!($ModuleCheck)) { Write-host "" Write-host "Installing latest version of $($Module) from PsGallery in scope $($Scope) .... Please Wait !" Install-module -Name $Module -Repository PSGallery -Force -Scope $Scope import-module -Name $Module -Global -force -DisableNameChecking -WarningAction SilentlyContinue } ##################################################################### # AzResourceGraphPS ##################################################################### $Module = "AzResourceGraphPS" $ModuleCheck = Get-Module -Name $Module -ListAvailable -ErrorAction SilentlyContinue If (!($ModuleCheck)) { Write-host "" Write-host "Installing latest version of $($Module) from PsGallery in scope $($Scope) .... Please Wait !" Install-module -Name $Module -Repository PSGallery -Force -Scope $Scope import-module -Name $Module -Global -force -DisableNameChecking -WarningAction SilentlyContinue } Else { ##################################### # Check for any available updates ##################################### # Current version $InstalledVersions = Get-module $Module -ListAvailable $LatestVersion = $InstalledVersions | Sort-Object Version -Descending | Select-Object -First 1 $CleanupVersions = $InstalledVersions | Where-Object { $_.Version -ne $LatestVersion.Version } # Online version in PSGallery (online) $Online = Find-Module -Name $Module -Repository PSGallery # Compare versions if ( ([version]$Online.Version) -gt ([version]$LatestVersion.Version) ) { Write-host "" Write-host "Newer version ($($Online.version)) of $($Module) was detected in PSGallery" Write-host "" Write-host "Updating to latest version $($Online.version) of $($Module) from PSGallery ... Please Wait !" remove-module $Module -Force Update-module $Module -Force } Else { # No new version detected ... continuing ! Write-host "" Write-host "OK - Running latest version ($($LatestVersion.version)) of $($Module)" } ##################################### # Clean-up older versions, if found ##################################### $InstalledVersions = Get-module $Module -ListAvailable $LatestVersion = $InstalledVersions | Sort-Object Version -Descending | Select-Object -First 1 $CleanupVersions = $InstalledVersions | Where-Object { $_.Version -ne $LatestVersion.Version } Write-host "" ForEach ($ModuleRemove in $CleanupVersions) { Write-Host "Removing older version $($ModuleRemove.Version) of $($ModuleRemove.Name) ... Please Wait !" Uninstall-module -Name $ModuleRemove.Name -RequiredVersion $ModuleRemove.Version -Force -ErrorAction SilentlyContinue # Removing left-overs if uninstall doesn't complete task $ModulePath = (get-item $ModuleRemove.Path -ErrorAction SilentlyContinue).DirectoryName if ( ($ModulePath) -and (Test-Path $ModulePath) ) { $Result = takeown /F $ModulePath /A /R $Result = icacls $modulePath /reset $Result = icacls $modulePath /grant Administrators:'F' /inheritance:d /T $Result = Remove-Item -Path $ModulePath -Recurse -Force -Confirm:$false } } } #If (!($ModuleCheck)) } #If ($InstallAutoUpdateCleanupOldVersions -eq $true) #-------------------------------------------------------------------------- # Checking Prereq for Query #-------------------------------------------------------------------------- If ( ([string]::IsNullOrWhitespace($Query)) -and ([string]::IsNullOrWhitespace($InstallAutoUpdateCleanupOldVersions)) ) { get-help Query-AzResourceGraph -full Break } If ( ($QueryScope -eq "MG") -and (([string]::IsNullOrWhitespace($Target))) ) { Write-host "When -QueryScope is MG, you need to define target using -Target <MG Name>" -ForegroundColor Red Break } If ( ($QueryScope -eq "Subscription") -and (([string]::IsNullOrWhitespace($Target))) ) { Write-host "When -QueryScope is Subscription, you need to define target using -Target <Subscription Name/Id>" -ForegroundColor Red Break } #-------------------------------------------------------------------------- # Connection #-------------------------------------------------------------------------- # Check current AzContext $AzContext = Get-AzContext If ($AzContext -eq $null) # empty { If ($AzAppId) { $AzAppSecretSecure = $AzAppSecret | ConvertTo-SecureString -AsPlainText -Force $SecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AzAppId, $AzAppSecretSecure Connect-AzAccount -ServicePrincipal -Credential $SecureCreds -Tenant $TenantId -WarningAction SilentlyContinue } Else { Connect-AzAccount -WarningAction SilentlyContinue } } #-------------------------------------------------------------------------- # Show Query Only #-------------------------------------------------------------------------- If ($ShowQueryOnly) { Write-host "Query, which will be run against Azure Resource Graph: " Write-host "" Write-host "$($Query)" -ForegroundColor Yellow Write-host "" Write-host "---------------------------------------------------------------------" Write-host "" Break } #-------------------------------------------------------------------------- # Select built-in queries using GUI #-------------------------------------------------------------------------- If ($SelectQuery) { $SelectedQuery = Get-Command -Name "*-Query-AzARG" -ListImported | select Name | Out-GridView -Title 'Choose a predefined query' -PassThru Write-host "" Write-host "Selected Query:" Write-host " $($SelectedQuery.Name)" -ForegroundColor Yellow Write-host "" # Run the function $Query = & $SelectedQuery.Name } #-------------------------------------------------------------------------- # First #-------------------------------------------------------------------------- If ($First) { Write-host "" Write-host "Scoping - Only First Number of Records:" Write-host " $($First)" -ForegroundColor Yellow Write-host "" } #-------------------------------------------------------------------------- # Skip #-------------------------------------------------------------------------- If ($Skip) { Write-host "" Write-host "Scoping - Skip Number of Records:" Write-host " $($Skip)" -ForegroundColor Yellow Write-host "" } #-------------------------------------------------------------------------- # Running Query and returning result #-------------------------------------------------------------------------- If (!([string]::IsNullOrWhitespace($Query))) { Write-host "Query Scope:" Write-host " $($QueryScope)" -ForegroundColor Yellow Write-host "" If ($Target) { Write-host "Target:" Write-host " $($Target)" -ForegroundColor Yellow Write-host "" } Write-host "Query, which will be run against Azure Resource Graph: " Write-host "" Write-host "$($Query)" -ForegroundColor Yellow Write-host "" Write-host "---------------------------------------------------------------------" Write-host "" Write-host "Running Query against Azure Resource Group ..." $ReturnData = @() $pageSize = 1000 $iteration = 0 $searchParams = @{ Query = $Query First = $pageSize } If ($QueryScope -eq "MG") # Management group(s) to run query against { do { $iteration += 1 $pageResults = Search-AzGraph -ManagementGroup $Target @searchParams $searchParams.Skip += $pageResults.Count $ReturnData += $pageResults } while ($pageResults.Count -eq $pageSize) } ElseIf ($QueryScope -eq "Subscription") # 