Invoke-AzHealthCheck

1.2.0

Invoke-AzHealthCheck scans every Azure subscription available in the current login context and
produces a single self-contained HTML dashboard covering: governance (RG locks), backup coverage,
compute hygiene (legacy disks, high CPU, stopped VMs), storage risks (TLS, public access, soft delete),
network security (NSG gaps, exposed RDP/SSH), Key Vault configuration and
Invoke-AzHealthCheck scans every Azure subscription available in the current login context and
produces a single self-contained HTML dashboard covering: governance (RG locks), backup coverage,
compute hygiene (legacy disks, high CPU, stopped VMs), storage risks (TLS, public access, soft delete),
network security (NSG gaps, exposed RDP/SSH), Key Vault configuration and expiry, Activity Log
diagnostics, SQL inventory, Azure Policy assignments, Defender for Cloud plan coverage, resource
tagging gaps, public-facing resources (App Services, Storage, SQL with public network access enabled),
and privileged identity (permanent Owner/Contributor assignments for users/groups without PIM).

Show more

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Script -Name Invoke-AzHealthCheck

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Package Details

Author(s)

  • Joao Paulo Costa

Tags

getpractical Azure HealthCheck Governance Report HTML Cloud Security

Functions

Write-Info ConvertTo-PlainString HtmlEncode SafeHtmlId New-NoteHtml Get-Percentile New-TableHtml Get-SubScore Get-PercentPair

Dependencies

This script has no dependencies.

Release Notes

v1.0.0 - Initial release
v1.0.1 - Fix the broken lines (ASCII)
v1.0.2 - Update HTML entity for no rows message
v1.0.3 - Fix formatting and punctuation in health check report
v1.0.4 - Fix formatting and punctuation in health check report
v1.0.5 - Add checks: Activity Log diagnostic settings (any destination), SQL instances inventory (Azure SQL, Managed Instance, SQL on VM), and Azure Policy assignments inventory
v1.0.6 - Security: HTML-encode table output to mitigate XSS; Reliability: make Policy assignment parsing forward-compatible + suppress Az.Policy breaking-change warning; Add compute check: VMs with high CPU (P95 over last 7 days)
v1.0.7 - Fix: replace all non-ASCII characters (en/em dashes, ellipsis, <= symbol) with ASCII equivalents for PS Gallery compatibility
v1.0.8 - Suppress Az module warnings: Get-AzSubscription tenant auth, Get-AzMetric DetailedOutput deprecation, Get-AzDiagnosticSetting breaking-change, Az.Network unapproved-verb noise
v1.0.9 - Fix tenant auth warning properly: scope Get-AzSubscription to the authenticated tenant via -TenantId from Get-AzContext
v1.1.0 - Add checks: Defender for Cloud plan coverage (Standard vs Free), stopped VMs (OS-stopped but not deallocated -- still incurring compute charges), and resource tagging gaps (RGs and VMs with no tags, or missing required tags via -RequiredTags param)
v1.2.0 - Security: public-facing resources (App Services, Storage Accounts, and SQL servers/Managed Instances with public network access enabled) and privileged identity (permanent Owner/Contributor role assignments for users and groups that should be managed via PIM)

FileList

Version History

Version Downloads Last updated
1.2.0 (current version) 5 4/9/2026
1.1.0 5 4/9/2026
1.0.9 8 4/2/2026
1.0.8 3 4/2/2026
1.0.7 8 4/2/2026
1.0.6 8 4/2/2026
1.0.5 18 3/3/2026
1.0.4 58 11/29/2025
1.0.3 7 11/28/2025
1.0.2 8 11/28/2025
1.0.1 15 11/28/2025
1.0.0 8 11/28/2025
Show more