Authorization
Azure Quick Review (azqr) requires the following permissions:
- Reader over Subscription or Management Group scope
Authentication
Azure Quick Review (azqr) requires the following permissions:
- Reader over Subscription or Management Group scope
- PowerShell
Set the following environment variables:
Powershell:
$env:AZURE_CLIENT_ID = '<service-principal-client-id>'
$env:AZURE_CLIENT_SECRET = '<service-principal-client-secret>'
$env:AZURE_TENANT_ID = '<tenant-id>'
Bash:
export AZURE_CLIENT_ID='<service-principal-client-id>'
export AZURE_CLIENT_SECRET = '<service-principal-client-secret>'
export AZURE_TENANT_ID = '<tenant-id>'
Authenticate with a Managed Identity
Set the following environment variables:
Powershell:
$env:AZURE_CLIENT_ID = '<managed-identity-client-id>'
$env:AZURE_TENANT_ID = '<tenant-id>'
Bash:
export AZURE_CLIENT_ID='<managed-identity-client-id>'
export AZURE_TENANT_ID = '<tenant-id>'
Authenticate with Azure CLI
Authenticate to Azure:
az login
Scan Azure Resources
Scan All Resources
azqr scanScan a Management Group
azqr scan --management-group-id <management_group_id>Scan a Subscription
azqr scan --subscription-id <subscription_id>Scan a Resource Group
azqr scan --subscription-id <subscription_id> --resource-group <resource_group_name>
Advanced Filtering
You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:
azqr:
include:
subscriptions:
- <subscription_id> # format: <subscription_id>
resourceGroups:
- <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
resourceTypes:
- <resource type abbreviation> # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
exclude:
subscriptions:
- <subscription_id> # format: <subscription_id>
resourceGroups:
- <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
services:
- <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
recommendations:
- <recommendation_id> # format: <recommendation_id>
Then run the scan with the --filters flag:
./azqr scan --filters <path_to_yaml_file>
Check the rules to get the recommendation ids.
Check the overview to get the resource type abbreviations.
File Outputs
Currently Azure Quick Review supports 3 types of file outputs: xlsx (default), csv, json
xlsx
xlsx is the default output format.
Check the overview to get the more information.
csv
By default azqr will create an xlsx document, However if you need to export to csv you can use the following flag: --csv
Example:
azqr scan --csv
The scan will generate 9 csv files:
<file-name>.advisor.csv
<file-name>.costs.csv
<file-name>.defender.csv
<file-name>.defenderRecommendations.csv
<file-name>.impacted.csv
<file-name>.inventory.csv
<file-name>.outofscope.csv
<file-name>.recommendations.csv
<file-name>.resourceType.csv
- json
By default azqr will create an xlsx document, However if you need to export to json you can use the following flag: --json
Example:
azqr scan --json
The scan will generate 9 json files:
<file-name>.advisor.json
<file-name>.costs.json
<file-name>.defender.json
<file-name>.defenderRecommendations.json
<file-name>.impacted.json
<file-name>.inventory.json
<file-name>.outofscope.json
<file-name>.recommendations.json
<file-name>.resourceType.json
Changing the Output File Name
You can change the output file name by using the --output-file or -o flag:
Powershell:
$timestamp = Get-Date -Format 'yyyyMMddHHmmss'
azqr scan --output-file "azqr_action_plan_$timestamp"
Bash:
timestamp=$(date '+%Y%m%d%H%M%S')
azqr scan --output-file "azqr_action_plan_$timestamp"
By default, the output file name is
azqr_action_plan_YYYY_MM_DD_THHMMSS.
Help
You can get help for azqr commands by running:
azqr --help