Azure Quick Review

• 1: Overview
• 2: Install
• 3: Usage
• 4: Recommendations
• 5: Troubleshooting & Support
• 6: Contribution Guidelines
• 7: Resources & References
• 8: Related Projects

1 - Overview

Azure Quick Review (azqr) is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure’s best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.

Azure Quick Review Recommendations

Azure Quick Review (azqr) scans your resources with 2 types of recommendations:

• Azure Resource Graph (ARG) queries provided by the Azure Proactive Resiliency Library v2 (APRL) project
• Azure Resource Manager (ARM) rules built with the Azure Golang SDK
• Azure Orphan Resources (ARG) queries provided by the Azure Orphan Resources project

To learn more about the recommendations used by Azure Quick Review (azqr), you can refer to the documentation available here.

Scan Results

The output generated by Azure Quick Review (azqr) is written by default to an Excel file, which contains the following sheets:

• Recommendations: a list with all recommendations with the number of resources that are impacted. You can use this table as an action plan to improve the compliance of your resources.
• ImpactedResources: a list with all resources that are impacted. You can use this table to identify resources that have issues that need to be addressed.
• ResourceTypes: a list of impacted resource types.
• Inventory: a list of all resources scanned by the tool. Here you’ll find details such as SKU, Tier, Kind or calculated SLA.
• Advisor: a list of recommendations provided by Azure Advisor.
• DefenderRecommendations: a list of recommendations provided by Microsoft Defender for Cloud.
• OutOfScope: a list of resources that were not scanned.
• Defender: a list of Microsoft Defender for Cloud plans and their tiers.
• Costs: a list of costs associated with the scanned subscription for the last 3 months.

By default, Azure Quick Review (azqr) obfuscates the Subscription Ids in the output to ensure the protection of sensitive information and maintain data privacy and security. If you want to display the Subscription Ids without obfuscation, you can use the --mask=false flag when executing the tool.

Azure Quick Review can also generate an csv files with the same information as the excel. To generate the csv files, you can use the --csv flag when running the tool.

A Power BI template is also available to help you visualize the results generated by Azure Quick Review. You can create the template running Azure Quick Review with the pbi command and then loading the excel file generated by the tool.

Supported Azure Services

Azure Quick Review (azqr) currently supports the following Azure services:

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct

Trademark Notice

Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.

2 - Install

Install on Linux or Azure Cloud Shell

latest_azqr=$(curl -sL https://api.github.com/repos/Azure/azqr/releases/latest | jq -r ".tag_name" | cut -c1-)
wget https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-ubuntu-latest-amd64 -O azqr
chmod +x azqr

Install on Windows

Use winget:

winget install azqr

or download the executable file:

$latest_azqr=$(iwr https://api.github.com/repos/Azure/azqr/releases/latest).content | convertfrom-json | Select-Object -ExpandProperty tag_name
iwr https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-windows-latest-amd64.exe -OutFile azqr.exe

Install on Mac

Use homebrew:

brew install azqr

or download the latest release from here.

3 - Usage

Authorization

Azure Quick Review (azqr) requires the following permissions:

• Reader over Subscription or Management Group scope

Authentication

Azure Quick Review (azqr) requires the following permissions:

• Reader over Subscription or Management Group scope

Credential Chain Configuration

Azure Quick Review (azqr) uses the Azure SDK’s DefaultAzureCredential which automatically selects the most appropriate credential based on your environment. You can customize the credential chain behavior by setting the AZURE_TOKEN_CREDENTIALS environment variable.

Development environments: Set AZURE_TOKEN_CREDENTIALS=dev to use Azure CLI (az) or Azure Developer CLI (azd) credentials.

Production environments: Set AZURE_TOKEN_CREDENTIALS=pro to use environment variables, workload identity, or managed identity credentials.

Service Principal Authentication

Set the following environment variables:

Powershell:

$env:AZURE_CLIENT_ID = '<service-principal-client-id>'
$env:AZURE_CLIENT_SECRET = '<service-principal-client-secret>'
$env:AZURE_TENANT_ID = '<tenant-id>'

Bash:

export AZURE_CLIENT_ID='<service-principal-client-id>'
export AZURE_CLIENT_SECRET='<service-principal-client-secret>'
export AZURE_TENANT_ID='<tenant-id>'

Authenticate with a Managed Identity

Set the following environment variables:

Powershell:

$env:AZURE_CLIENT_ID = '<managed-identity-client-id>'
$env:AZURE_TENANT_ID = '<tenant-id>'

Bash:

export AZURE_CLIENT_ID='<managed-identity-client-id>'
export AZURE_TENANT_ID='<tenant-id>'

Authenticate with Azure CLI

Authenticate to Azure:

az login

Scan Azure Resources

• Scan All Resources

  azqr scan
  

• Scan a Management Group

  azqr scan --management-group-id <management_group_id>
  

• Scan a Subscription

  azqr scan --subscription-id <subscription_id>
  

• Scan a Resource Group

  azqr scan --subscription-id <subscription_id> --resource-group <resource_group_name>
  

Advanced Filtering

You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:

azqr:
  include:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    resourceTypes:
      - <resource type abbreviation> # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
  exclude:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    services:
      - <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
    recommendations:
      - <recommendation_id> # format: <recommendation_id>

Then run the scan with the --filters flag:

./azqr scan --filters <path_to_yaml_file>

Check the rules to get the recommendation ids.

Check the overview to get the resource type abbreviations.

File Outputs

Currently Azure Quick Review supports 3 types of file outputs: xlsx (default), csv, json

xlsx

xlsx is the default output format.

Check the overview to get the more information.

csv

By default azqr will create an xlsx document, However if you need to export to csv you can use the following flag: --csv

Example:

azqr scan --csv

The scan will generate 9 csv files:

<file-name>.advisor.csv
<file-name>.costs.csv
<file-name>.defender.csv
<file-name>.defenderRecommendations.csv
<file-name>.impacted.csv
<file-name>.inventory.csv
<file-name>.outofscope.csv
<file-name>.recommendations.csv
<file-name>.resourceType.csv

- json

By default azqr will create an xlsx document, However if you need to export to json you can use the following flag: --json

Example:

azqr scan --json

The scan will generate a single consolidated json file:

<file-name>.json

The JSON file contains all data sections in a single consolidated structure:

{
    "recommendations": [...],
    "impacted": [...],
    "resourceType": [...],
    "inventory": [...],
    "defender": [...],
    "defenderRecommendations": [...],
    "advisor": [...],
    "costs": [...],
    "outOfScope": [...]
}

Changing the Output File Name

You can change the output file name by using the --output-file or -o flag:

Powershell:

$timestamp = Get-Date -Format 'yyyyMMddHHmmss'
azqr scan --output-file "azqr_action_plan_$timestamp"

Bash:

timestamp=$(date '+%Y%m%d%H%M%S')
azqr scan --output-file "azqr_action_plan_$timestamp"

By default, the output file name is azqr_action_plan_YYYY_MM_DD_THHMMSS.

Help

You can get help for azqr commands by running:

azqr --help

4 - Recommendations

Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:

## Recommendations List

Total Supported Azure Resource Types: 88

5 - Troubleshooting & Support

If you encounter any issue while using Azure Quick Review (azqr), please set the AZURE_SDK_GO_LOGGING environment variable to all, run the tool with the --debug flag and then share the console output with us by filing a new issue.

Support

This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please check our troubleshooting guide.

Please search the existing issues before filing new issues to avoid duplicates.

• For new issues, file your bug or feature request as a new issue.
• For help, discussion, and support questions about using this project, join or start a discussion.

Support for this project / product is limited to the resources listed above.

6 - Contribution Guidelines

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Contributing to Documentation

Below are the steps and required packages to get the Azure Quick Review Hugo site to build and run locally.

• Ensure that you have the following packages installed locally.

  • git
  • hugo extended
  • nodejs

• Fork the azqr repository, clone locally and then head to the docs folder

  cd .\azqr\docs
  

• Execute the Node Module installer

  npm install
  

• Once this has finish you can execute the Hugo Server

  hugo server
  

7 - Resources & References

Microsoft Documentation

• Azure Well-Architected Framework
• Azure Availability Zones
• Azure Service Level Agreements
• Azure Diagnostic Settings
• Azure Private Link
• Azure Advisor
• Microsoft Defender for Cloud
• Azure Cost Management + Billing

Related Projects

• Azure Proactive Resiliency Library (APRL)
• Azure Orphan Resources
• review-checklist
• PSRule.Rules.Azure

8 - Related Projects

AZQR and APRL

As of version 2.0.0-preview, Azure Quick Review (azqr) includes all Azure Resource Graph queries provided by the the Azure Proactive Resiliency Library (APRL), which are used to identify non-compliant resources.

Azure Quick Review (azqr) extends APRL by providing per service instance SLAs, Diagnostic Settings detection and more. Therefore, scan results display AZQR or APRL, to indicate the source of the recommendation.

APRL provides a curated catalog of resiliency recommendations for workloads running in Azure. Many of the recommendations contain supporting Azure Resource Graph (ARG) queries

AZQR and Azure Orphan Resources

As of version 2.4.0 Azure Quick Review (azqr) includes all Azure Resource Graph queries provided by the the Azure Orphan Resources project

AZQR compared to Azure Review Checklists and PSRule.Rules.Azure

Azure Quick Review (azqr) was created to address a very specific need we had back in 2022. Initially, we had to run three assessments to get a clear picture of various solutions in terms of SLAs, use of Availability Zones, and Diagnostic Settings. At the time, we were not aware of the existence of the review-checklist or PSRule.Rules.Azure.

When some of our peers saw the assessments we were able to deliver with the early bits of Azure Quick Review (azqr), they asked us to add more checks (recommendations) and change the output format from markdown to Excel.

As many of our customers work in restrictive environments, the ability to run a self-contained, cross-platform binary while using read-only permissions became a key feature.

Moving forward to 2023, based on great feedback from both peers and customers, we moved the original repo to the Azure organization, added support for more services, fixed some issues and even added a Power BI template.

In August 2024, we added all APRL recommendations to Azure Quick Review (azqr) and removed duplicates in favor of the ones already available as Azure Resource Graph queries.

When compared with PSRule.Rules.Azure, Azure Quick Review (azqr) only scans deployed Azure resources and provides recommendations based on the current state. Azure Quick Review (azqr) does not scan ARM templates or Bicep files.

When compared to the review-checklist, Azure Quick Review (azqr) also provides an actionable list of more than 400 recommendations (70+ Azure resource types), that can be used to improve the resiliency of your Azure solutions.