Authorization
Azure Quick Review (azqr) requires the following permissions:
- Reader over Subscription or Management Group scope
Authentication
Azure Quick Review (azqr) requires the following permissions:
- Reader over Subscription or Management Group scope
Credential Chain Configuration
Azure Quick Review (azqr) uses the Azure SDK’s DefaultAzureCredential which automatically selects the most appropriate credential based on your environment. You can customize the credential chain behavior by setting the AZURE_TOKEN_CREDENTIALS environment variable.
Development environments:
Set AZURE_TOKEN_CREDENTIALS=dev to use Azure CLI (az) or Azure Developer CLI (azd) credentials.
Production environments:
Set AZURE_TOKEN_CREDENTIALS=prod to use environment variables, workload identity, or managed identity credentials.
Service Principal Authentication
Set the following environment variables:
Powershell:
$env:AZURE_CLIENT_ID = '<service-principal-client-id>'
$env:AZURE_CLIENT_SECRET = '<service-principal-client-secret>'
$env:AZURE_TENANT_ID = '<tenant-id>'
Bash:
export AZURE_CLIENT_ID='<service-principal-client-id>'
export AZURE_CLIENT_SECRET='<service-principal-client-secret>'
export AZURE_TENANT_ID='<tenant-id>'
Authenticate with a Managed Identity
Set the following environment variables:
Powershell:
$env:AZURE_CLIENT_ID = '<managed-identity-client-id>'
$env:AZURE_TENANT_ID = '<tenant-id>'
Bash:
export AZURE_CLIENT_ID='<managed-identity-client-id>'
export AZURE_TENANT_ID='<tenant-id>'
Authenticate with Azure CLI
Authenticate to Azure:
az login
Cloud Configuration
Azure Quick Review (azqr) supports scanning resources in different Azure cloud environments. You can configure the target cloud using environment variables.
Predefined Cloud Environments
Set the AZURE_CLOUD environment variable to specify the Azure cloud environment:
Azure Public Cloud (default):
Powershell:
$env:AZURE_CLOUD = 'AzurePublic'
Bash:
export AZURE_CLOUD='AzurePublic'
Azure US Government Cloud:
Powershell:
$env:AZURE_CLOUD = 'AzureGovernment'
Bash:
export AZURE_CLOUD='AzureGovernment'
Azure China Cloud:
Powershell:
$env:AZURE_CLOUD = 'AzureChina'
Bash:
export AZURE_CLOUD='AzureChina'
Supported values for AZURE_CLOUD:
AzurePublic,public, or empty (default)AzureGovernment,AzureUSGovernment, orusgovernmentAzureChinaorchina
Custom Cloud Configuration
For custom or sovereign cloud environments, you can specify custom endpoints that will override the predefined cloud settings:
Powershell:
$env:AZURE_AUTHORITY_HOST = 'https://login.microsoftonline.custom/'
$env:AZURE_RESOURCE_MANAGER_ENDPOINT = 'https://management.custom.azure.com'
$env:AZURE_RESOURCE_MANAGER_AUDIENCE = 'https://management.core.custom.azure.com/'
Bash:
export AZURE_AUTHORITY_HOST='https://login.microsoftonline.custom/'
export AZURE_RESOURCE_MANAGER_ENDPOINT='https://management.custom.azure.com'
export AZURE_RESOURCE_MANAGER_AUDIENCE='https://management.core.custom.azure.com/'
Environment Variables:
AZURE_AUTHORITY_HOST: Custom Active Directory authority host (e.g.,https://login.microsoftonline.us/)AZURE_RESOURCE_MANAGER_ENDPOINT: Custom ARM endpoint (e.g.,https://management.usgovcloudapi.net)AZURE_RESOURCE_MANAGER_AUDIENCE: Custom ARM token audience (optional, e.g.,https://management.core.usgovcloudapi.net/)
Note: When custom endpoints are provided (both
AZURE_AUTHORITY_HOSTandAZURE_RESOURCE_MANAGER_ENDPOINT), they take priority over theAZURE_CLOUDsetting.
Scan Azure Resources
Scan All Resources
azqr scanScan a Management Group
azqr scan --management-group-id <management_group_id>Scan a Subscription
azqr scan --subscription-id <subscription_id>Scan a Resource Group
azqr scan --subscription-id <subscription_id> --resource-group <resource_group_name>
Advanced Filtering
You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:
azqr:
include:
subscriptions:
- <subscription_id> # format: <subscription_id>
resourceGroups:
- <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
resourceTypes:
- <resource type abbreviation> # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
exclude:
subscriptions:
- <subscription_id> # format: <subscription_id>
resourceGroups:
- <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
services:
- <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
recommendations:
- <recommendation_id> # format: <recommendation_id>
Then run the scan with the --filters flag:
./azqr scan --filters <path_to_yaml_file>
Check the rules to get the recommendation ids.
Check the overview to get the resource type abbreviations.
Optional Scans
Disabling Cost Analysis
If you encounter permission issues with cost analysis or want to skip it, use the -c=false or --costs=false flag:
azqr scan -c=false
Disabling Defender Scanning
To skip Microsoft Defender for Cloud scanning:
azqr scan --defender=false
Disabling Azure Advisor Scanning
To skip Azure Advisor recommendations:
azqr scan --advisor=false
Internal Plugins
Azure Quick Review includes specialized internal plugins for advanced analytics. Plugins can be run as standalone commands or integrated with full scans.
Running Plugins as Standalone Commands
For fast, focused analysis, run plugins as top-level commands:
# Run OpenAI throttling analysis
azqr openai-throttling
# Run carbon emissions analysis
azqr carbon-emissions
# Run zone mapping analysis
azqr zone-mapping
# With specific subscription
azqr zone-mapping --subscription-id <sub-id>
Standalone mode benefits:
- ⚡ Faster execution (skips resource scanning)
- 📊 Cleaner reports (plugin results only)
- 🎯 Focused analysis
Integrating Plugins with Full Scans
Run plugins alongside standard scanning:
# Single plugin with scan
azqr scan --plugin openai-throttling
# Multiple plugins with scan
azqr scan --plugin openai-throttling --plugin carbon-emissions --plugin zone-mapping
# With other options
azqr scan --subscription-id <sub-id> --plugin zone-mapping
Listing Available Plugins
View all registered plugins:
azqr plugins list
📖 Learn more: Internal Plugins Documentation
File Outputs
Currently Azure Quick Review supports 3 types of file outputs: xlsx (default), csv, json
xlsx
xlsx is the default output format.
Check the overview to get the more information.
csv
By default azqr will create an xlsx document, However if you need to export to csv you can use the following flag: --csv
Example:
azqr scan --csv
The scan will generate 11 csv files:
<file-name>.advisor.csv
<file-name>.arcSQL.csv
<file-name>.azurePolicy.csv
<file-name>.costs.csv
<file-name>.defender.csv
<file-name>.defenderRecommendations.csv
<file-name>.impacted.csv
<file-name>.inventory.csv
<file-name>.outofscope.csv
<file-name>.recommendations.csv
<file-name>.resourceType.csv
- json
By default azqr will create an xlsx document, However if you need to export to json you can use the following flag: --json
Example:
azqr scan --json
The scan will generate a single consolidated json file:
<file-name>.json
The JSON file contains all data sections in a single consolidated structure:
{
"recommendations": [...],
"impacted": [...],
"resourceType": [...],
"inventory": [...],
"advisor": [...],
"azurePolicy": [...],
"arcSQL": [...],
"defender": [...],
"defenderRecommendations": [...],
"costs": [...],
"outOfScope": [...]
}
Changing the Output File Name
You can change the output file name by using the --output-file or -o flag:
Powershell:
$timestamp = Get-Date -Format 'yyyyMMddHHmmss'
azqr scan --output-file "azqr_action_plan_$timestamp"
Bash:
timestamp=$(date '+%Y%m%d%H%M%S')
azqr scan --output-file "azqr_action_plan_$timestamp"
By default, the output file name is
azqr_action_plan_YYYY_MM_DD_THHMMSS.
Compare Scan Reports (compare command)
You can compare two azqr scan reports to identify differences in recommendations using the compare command:
# Compare two Excel reports
./azqr compare --file1 scan_before.xlsx --file2 scan_after.xlsx
# Save comparison results to a file
./azqr compare --file1 scan1.xlsx --file2 scan2.xlsx --output comparison.txt
MCP Server (Model Context Protocol)
Azure Quick Review includes a Model Context Protocol (MCP) server that enables AI assistants and tools to interact with azqr functionality. The MCP server can run in two modes:
stdio Mode (Default)
The stdio mode is designed for integration with tools like VS Code and AI assistants that communicate via standard input/output:
# Start MCP server in stdio mode
azqr mcp
This mode is typically used when azqr is configured as an MCP server in your IDE or AI assistant configuration.
HTTP/SSE Mode
The HTTP/SSE (Server-Sent Events) mode allows the MCP server to be accessed over HTTP, enabling remote access and web-based integrations:
# Start MCP server in HTTP mode on default port (:8080)
azqr mcp --mode http
# Start MCP server on a custom port
azqr mcp --mode http --addr :3000
# Start with specific host and port
azqr mcp --mode http --addr localhost:9090
HTTP/SSE Mode Features:
- 🌐 Remote access via HTTP
- 🔌 Web-based tool integrations
- 📡 Server-Sent Events for real-time updates
- 🔧 RESTful API access to azqr tools
Endpoints: When running in HTTP mode, the MCP server exposes SSE endpoints at the configured address. Clients can connect to these endpoints to interact with azqr’s scanning capabilities, prompts, and tools.
Example Use Cases:
- Integrate azqr with web-based AI assistants
- Build custom dashboards that leverage azqr scanning
- Create CI/CD pipelines with HTTP-based azqr integration
- Enable remote team access to azqr capabilities
Help
You can get help for azqr commands by running:
azqr --help