Skip to main content

Azure Resource Graph - Resource Configuration Changes

It is an Azure service designed to extend Azure Resource Management capabilities. The following can be achieved using this service

  • Query resources with complex filtering, grouping, and sorting by resource properties.
  • Explore resources iteratively based on governance requirements.
  • Assess the impact of applying policies in a vast cloud environment.
  • Query changes made to resource properties (preview).

Apart from all the others, today’s focus is on monitoring resource configuration changes using Azure Resource Graph explorer

The latest release resource configuration changes enable queries across your subscriptions and tenant to discover changes to resources with Azure Resource Graph.

You can,

  • Find when changes were detected on an Azure Resource Manager property
  • See property change details for each resource change
  • Query changes at scale across your subscriptions, management group, or tenant
  • Audit, troubleshoot, and govern your resource changes at scale
  • By using Azure Resource Graph to query your resource changes, you can craft charts and pin results to Azure dashboards based on specific change queries.

Few things to note –

  • This feature is already enabled by default in all the tenants
  • Retention for the data is set to 14days by Microsoft

Let’s look at some of the examples

You can run the resource graph queries in

  • Azure PowerShell
  • Azure CLI
  • Azure portal

Using Azure portal

Login to Azure Portal and Search for Azure Resource Graph explorer


Once you select the Resource Graph Explorer, you will be presented with bunch of sample queries, similar to a log analytics workspace.

For us to see the resource changes I’m going to run the below query

resourcechanges 
| extend changeTime=todatetime(properties.changeAttributes.timestamp) 
| project changeTime, properties.changeType, properties.targetResourceId, properties.targetResourceType, properties.changes 
| order by changeTime desc

And I’m going to get all the changes that happened during the past 14 days. We can go into detail and understand what these changes and target resource details were

These details are helpful in terms of governance and audit perspective. Each change details include below information

  • targetResourceId - The resourceID of the resource on which the change occurred.
  • targetResourceType - The resource type of the resource on which the change occurred.
  • changeType - Describes the type of change detected for the entire change record.
  • changes - Dictionary of the resource properties (with property name as the key) that were updated as part of the change
  • changeAttributes - Array of metadata related to the change

You can run the same query by using

Azure Powershell

Search-AzGraph -Query 'resourcechanges | extend changeTime=todatetime(properties.changeAttributes.timestamp) | project changeTime, properties.changeType, properties.targetResourceId, properties.targetResourceType, properties.changes | order by changeTime desc'

Azure CLI

az graph query -q 'resourcechanges | extend changeTime=todatetime(properties.changeAttributes.timestamp) | project changeTime, properties.changeType, properties.targetResourceId, properties.targetResourceType, properties.changes | order by changeTime desc


Also, apart from the governance and audit perspective, there are a bunch of other use cases for this free Microsoft service. Like

  1. Resource Count
  2. Resource dependencies
  3. Resource search based on parameters
  4. Etc..

Below are some other sample queries that you can use

All the deleted resources over the past 7 days

resourcechanges
| extend changeTime = todatetime(properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId),
changeType = tostring(properties.changeType), correlationId = properties.changeAttributes.correlationId
| where changeType == "Delete"
| order by changeTime desc
| project changeTime, resourceGroup, targetResourceId, changeType, correlationId

All the deleted resources over the past 7 days in a particular resource group

resourcechanges
| where resourceGroup == "ResourceGroup"
| extend changeTime = todatetime(properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId),
changeType = tostring(properties.changeType), correlationId = properties.changeAttributes.correlationId
| where changeType == "Delete"
| order by changeTime desc
| project changeTime, resourceGroup, targetResourceId, changeType, correlationId

You can learn more about

Azure Resource Graph documentation | Microsoft Docs

Until next time... :)


Labels:

Comments

Post a Comment

Popular posts from this blog

Deploying an Automation Account with a Runbook and Schedule Using Bicep

Introduction Automation is a key component in many organizations' cloud strategy. Azure Automation allows you to automate the creation, deployment, and management of resources in your Azure environment. In this post, we will walk through the process of deploying an Automation Account with a Runbook and Schedule using Bicep, a new domain-specific language for deploying Azure resources. Intention My intention at the  end is to run a PowerShell  script to start and shutdown Azure VMs based on tag values. PowerShell  script that I have used is from below l ink.  And two  of me   collogue s ( Michael Turnley   and Saudh Mohomad helped to modify the  PowerShell  script. Prerequisites Before we begin, you will need the following: An Azure subscription The Azure CLI installed on your machine. The Azure Bicep extension for the Azure CLI Creating the Automation Account The first step in deploying an Automation Account with a Runbook and Schedule is to create the Aut
Post a Comment
Read more

Migrating Azure DevOps Variable Groups

Howdy Folks, I was working on an application modernization project. And there was a requirement to migrate application deployments from one project to another in Azure DevOps. deployment pipelines were heavily dependent on variable groups. So, we wanted to migrate these variables group to the new project. Couldn't find any solutions in internet for this, so came up with the below scripts. You can grab the scripts from the below GitHub URL. DaniduWeerasinghe911/Migrate-Azure-DevOps-Variable-Groups: This Repo Include PowerShell Scripts relating to Migrating Azure DevOps Variable Groups (github.com) Azure DevOps Variable Groups Azure DevOps Variable Groups are a way to store and manage sets of variables that can be used across multiple pipelines in Azure DevOps. These variables can include secrets, connection strings, and other sensitive information that is needed for builds and releases. Variable Groups provide a centralized way to manage these variables and ensure that they are cons
Post a Comment
Read more

Securing Azure Services with Fetian FIDO

Hey Folks  Here again with another security topic with Fetian Fido. And once again Fetian devices proved their excellent quality and stability. For this I choose Fetian K33 -  AllinPass FIDO Security Key – FEITIAN (ftsafe.com) and  K39 -  Single-button FIDO Security Keys | FEITIAN (ftsafe.com) Use case  In an organization following changes needs to be implemented.  1. Update the password policy 2. Update the user session time out to 30 minutes Once these changes being implemented, the following issues need to be addressed 1. Users' complaint new passwords need to be so long 2. Users complain sessions time out makes them work so much slower with the longer passwords 3. Etc... Solution  One of my friends reached out to me to help solve this problem. All I could think of was using passwordless auth with FIDO devices. We have decided to use Fido2 keys for better security and flexibility for the users. The FIDO (Fast IDentity Online) Alliance helps to promote open authentication stand
Post a Comment
Read more