This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Usage

Use Azure Quick Review — to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

    Authorization

    Azure Quick Review (azqr) requires the following permissions:

    • Reader over Subscription or Management Group scope

    Authentication

    Azure Quick Review (azqr) requires the following permissions:

    • Reader over Subscription or Management Group scope

    Credential Chain Configuration

    Azure Quick Review (azqr) uses the Azure SDK’s DefaultAzureCredential which automatically selects the most appropriate credential based on your environment. You can customize the credential chain behavior by setting the AZURE_TOKEN_CREDENTIALS environment variable.

    Development environments: Set AZURE_TOKEN_CREDENTIALS=dev to use Azure CLI (az) or Azure Developer CLI (azd) credentials.

    Production environments: Set AZURE_TOKEN_CREDENTIALS=prod to use environment variables, workload identity, or managed identity credentials.

    Service Principal Authentication

    Set the following environment variables:

    Powershell:

    $env:AZURE_CLIENT_ID = '<service-principal-client-id>'
    $env:AZURE_CLIENT_SECRET = '<service-principal-client-secret>'
    $env:AZURE_TENANT_ID = '<tenant-id>'
    

    Bash:

    export AZURE_CLIENT_ID='<service-principal-client-id>'
    export AZURE_CLIENT_SECRET='<service-principal-client-secret>'
    export AZURE_TENANT_ID='<tenant-id>'
    

    Authenticate with a Managed Identity

    Set the following environment variables:

    Powershell:

    $env:AZURE_CLIENT_ID = '<managed-identity-client-id>'
    $env:AZURE_TENANT_ID = '<tenant-id>'
    

    Bash:

    export AZURE_CLIENT_ID='<managed-identity-client-id>'
    export AZURE_TENANT_ID='<tenant-id>'
    

    Authenticate with Azure CLI

    Authenticate to Azure:

    az login
    

    Cloud Configuration

    Azure Quick Review (azqr) supports scanning resources in different Azure cloud environments. You can configure the target cloud using environment variables.

    Predefined Cloud Environments

    Set the AZURE_CLOUD environment variable to specify the Azure cloud environment:

    Azure Public Cloud (default):

    Powershell:

    $env:AZURE_CLOUD = 'AzurePublic'
    

    Bash:

    export AZURE_CLOUD='AzurePublic'
    

    Azure US Government Cloud:

    Powershell:

    $env:AZURE_CLOUD = 'AzureGovernment'
    

    Bash:

    export AZURE_CLOUD='AzureGovernment'
    

    Azure China Cloud:

    Powershell:

    $env:AZURE_CLOUD = 'AzureChina'
    

    Bash:

    export AZURE_CLOUD='AzureChina'
    

    Supported values for AZURE_CLOUD:

    • AzurePublic, public, or empty (default)
    • AzureGovernment, AzureUSGovernment, or usgovernment
    • AzureChina or china

    Custom Cloud Configuration

    For custom or sovereign cloud environments, you can specify custom endpoints that will override the predefined cloud settings:

    Powershell:

    $env:AZURE_AUTHORITY_HOST = 'https://login.microsoftonline.custom/'
    $env:AZURE_RESOURCE_MANAGER_ENDPOINT = 'https://management.custom.azure.com'
    $env:AZURE_RESOURCE_MANAGER_AUDIENCE = 'https://management.core.custom.azure.com/'
    

    Bash:

    export AZURE_AUTHORITY_HOST='https://login.microsoftonline.custom/'
    export AZURE_RESOURCE_MANAGER_ENDPOINT='https://management.custom.azure.com'
    export AZURE_RESOURCE_MANAGER_AUDIENCE='https://management.core.custom.azure.com/'
    

    Environment Variables:

    • AZURE_AUTHORITY_HOST: Custom Active Directory authority host (e.g., https://login.microsoftonline.us/)
    • AZURE_RESOURCE_MANAGER_ENDPOINT: Custom ARM endpoint (e.g., https://management.usgovcloudapi.net)
    • AZURE_RESOURCE_MANAGER_AUDIENCE: Custom ARM token audience (optional, e.g., https://management.core.usgovcloudapi.net/)

    Note: When custom endpoints are provided (both AZURE_AUTHORITY_HOST and AZURE_RESOURCE_MANAGER_ENDPOINT), they take priority over the AZURE_CLOUD setting.

    Scan Azure Resources

    • Scan All Resources

      azqr scan
      
    • Scan a Management Group

      azqr scan --management-group-id <management_group_id>
      
    • Scan a Subscription

      azqr scan --subscription-id <subscription_id>
      
    • Scan a Resource Group

      azqr scan --subscription-id <subscription_id> --resource-group <resource_group_name>
      

    Advanced Filtering

    You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:

    azqr:
      include:
        subscriptions:
          - <subscription_id> # format: <subscription_id>
        resourceGroups:
          - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
        resourceTypes:
          - <resource type abbreviation> # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
      exclude:
        subscriptions:
          - <subscription_id> # format: <subscription_id>
        resourceGroups:
          - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
        services:
          - <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
        recommendations:
          - <recommendation_id> # format: <recommendation_id>
    

    Then run the scan with the --filters flag:

    ./azqr scan --filters <path_to_yaml_file>
    

    Check the rules to get the recommendation ids.

    Check the overview to get the resource type abbreviations.

    File Outputs

    Currently Azure Quick Review supports 3 types of file outputs: xlsx (default), csv, json

    xlsx

    xlsx is the default output format.

    Check the overview to get the more information.

    csv

    By default azqr will create an xlsx document, However if you need to export to csv you can use the following flag: --csv

    Example:

    azqr scan --csv
    

    The scan will generate 10 csv files:

    <file-name>.advisor.csv
    <file-name>.azurePolicy.csv
    <file-name>.costs.csv
    <file-name>.defender.csv
    <file-name>.defenderRecommendations.csv
    <file-name>.impacted.csv
    <file-name>.inventory.csv
    <file-name>.outofscope.csv
    <file-name>.recommendations.csv
    <file-name>.resourceType.csv
    

    - json

    By default azqr will create an xlsx document, However if you need to export to json you can use the following flag: --json

    Example:

    azqr scan --json
    

    The scan will generate a single consolidated json file:

    <file-name>.json
    

    The JSON file contains all data sections in a single consolidated structure:

    {
        "recommendations": [...],
        "impacted": [...],
        "resourceType": [...],
        "inventory": [...],
        "advisor": [...],
        "azurePolicy": [...],
        "defender": [...],
        "defenderRecommendations": [...],
        "costs": [...],
        "outOfScope": [...]
    }
    

    Changing the Output File Name

    You can change the output file name by using the --output-file or -o flag:

    Powershell:

    $timestamp = Get-Date -Format 'yyyyMMddHHmmss'
    azqr scan --output-file "azqr_action_plan_$timestamp"
    

    Bash:

    timestamp=$(date '+%Y%m%d%H%M%S')
    azqr scan --output-file "azqr_action_plan_$timestamp"
    

    By default, the output file name is azqr_action_plan_YYYY_MM_DD_THHMMSS.

    Help

    You can get help for azqr commands by running:

    azqr --help