Azure Resource Graph query to get subscription properties
I am very new to ARG queries. I am struggling to figure out how to get a list of our Azure Subscriptions using ARG, including some of the properties you see on the properties pane when using the azure portal. In particular, I want the property visually labelled "ACCOUNT ADMIN". Can anyone point me in the right direction? resourcecontainers | where type == 'microsoft.resources/subscriptions' | project subscriptionId, name, owner = ???
Microsoft's inconsistent implementation of tagging in Azure
We revamped our Azure resource tagging strategy several years ago and rely on them heavily for #Governance and #FinOps. We not only enforce #tags via #AzurePolicy, we also enforce tag values based on a set of permissible values for each tag. Even with that in place we experience some drift due to exclusions required in the policy definition or exemptions in the policy assignments. I won't get into why this flexibility is needed here, that's a whole separate discussion. Establishing a sound tag hygiene process becomes a vital component of your overall governance and FinOps strategies. One method we employ for tag hygiene is to surface the non-compliant resources in a #PowerBi report using an #AzureResourceGraph (ARG) query. Yes, you can do this in the Compliance section of Azure Policy as well however it lacks ease of use. For example, flipping back and forth between policies, filtering by subscriptions, surfacing other linked metadata is a cumbersome experience in the Azure Policy blade. Now onto my frustrations with how Microsoft has implemented tagging across Azure. 1. Inconsistent application of Tag case-sensitivity across tools - In Azure Policy and in the Azure portal, tag names are case-insensitive whereas tag values are case-sensitive. - In Azure Resource Graph Explorer, both tag names and tag values are case-sensitive. - Why is there inconsistency with case-sensitivity of tag names? 2. Inconsistent Tag validation across Resource Types - When deploying a Storage Account, Azure validates my tag policy before I am able to hit the create button (before it's submitted to ARM) whereas when deploying a resource like a Public IP Address, that validation only occurs after you hit the create button. This likely happens with other resource types as well. By the way, my tagging policy specifies "Indexed" for mode, so in effect it should apply to any and all resources that support tagging in Azure. - Why is does the evaluation of the tag policy differ based on the resource being deployed? 3. Inconsistent Tag UX across Resource Types - When deploying a Storage Account, the tags input is a drop-down list. However, when deploying an Azure Virtual Machine, the tags input is a textbox. Although the latter makes use of predictive text, it's still clearly a different experience. This inconsistency is found across multiple Azure resources. - Why is the tag UX different between resource types? I realize some of this is addressed or is less of a concern when using IaC but that may not be for everyone, or work in all scenarios. It would be great if Microsoft could standardize their implementation of tagging resources uniformly across the entire Azure estate. In my opinion I don't think that's a huge ask.
Resource Graph RateLimiting
When running some resource graph queries inside a Function App I get RateLimiting error: error in resourceGraphFunction (RateLimiting) Please provide below info when asking for support: timestamp = 2024-01-02T16:10:29.7151093Z, correlationId = bf7ffdce-2c00-49f9-8171-0a682d3e6966. Code: RateLimiting Message: Please provide below info when asking for support: timestamp = 2024-01-02T16:10:29.7151093Z, correlationId = bf7ffdce-2c00-49f9-8171-0a682d3e6966. Exception Details: (RateLimiting) Client application has been throttled and should not attempt to repeat the request until an amount of time has elapsed. Please see Overview of Azure Resource Graph - Azure Resource Graph for help. Code: RateLimiting Message: Client application has been throttled and should not attempt to repeat the request until an amount of time has elapsed. Please see Overview of Azure Resource Graph - Azure Resource Graph for help. This error is not very frequent and not easily reproducible, I'm using the following python code to reproduce the issue. import azure.functions as func import azure.mgmt.resourcegraph as arg from azure.identity import DefaultAzureCredential import datetime def custom_res(pipeline_response, deserialized, *kwargs): resource = deserialized quota_remaining = None quota_resets_after = None try: headers = pipeline_response.http_response.internal_response.headers quota_remaining = headers._store['x-ms-user-quota-remaining'] quota_resets_after = headers._store['x-ms-user-quota-resets-after'] status_code = pipeline_response.http_response.status_code except AttributeError: pass setattr(resource, 'x-ms-user-quota-remaining', quota_remaining) setattr(resource, 'x-ms-user-quota-resets-after', quota_resets_after) setattr(resource, 'status_code', status_code) return resource def getPagedResources(sub_id, strQuery): subsList = [] if len(sub_id) > 0: subsList.append(sub_id) arg_result_arr = [] skip_num = 0 result_limit = 1000 while(True): argQueryOptions = arg.models.QueryRequestOptions(result_format="objectArray", top=result_limit, skip=skip_num) argQuery = arg.models.QueryRequest(subscriptions=subsList, query=strQuery, options=argQueryOptions) # Run query argResults = argClient.resources(argQuery, cls=custom_res) log.info(f"time: {datetime.datetime.now()}, remaining: {getattr(argResults, 'x-ms-user-quota-remaining', None)[1]}, status_code: {argResults.status_code}, reset_time: {getattr(argResults, 'x-ms-user-quota-resets-after', None)[1]}, skip_num: {skip_num}") if not argResults.data: break if not arg_result_arr: arg_result_arr = argResults.data else: arg_result_arr = arg_result_arr + argResults.data skip_num = skip_num + result_limit return arg_result_arr def main(req: func.HttpRequest) -> func.HttpResponse: qry = "resources" try: for i in range(20): res = getPagedResources('123-456-789-34343',qry) except Exception as err: log.error(f"error: {err}") Output: Even if the user-quota-remaining is 0, I don't get the RateLimit error that I sometimes get. Is there any way to reproduce the issue or any fix for it ?
Azure Resource Graph - get all functions of a function app
Hi, I'm new with Azure Resource Graph, and I'm trying to get all the functions from a function app. Firstly, I created a query to get the function apps : resources | where type == 'microsoft.web/sites' | where properties['kind'] == 'functionapp' Then I searched in the function app properties if functions were listed, but there are no information about it. So, I inspected the JSON definition of one function contained in a function app, and the type of the resource is "Microsoft.Web/sites/functions". But when I run a query using the type I get no results. How should I do to get the functions contained in a function app using Azure Resource Graph ? Thank youOracle VM / Azure Backup / Application Consistent/ Script to monitor when database is running/frozen
Hello everyone, I’ll need help with a technical context. I have a Linux 7/ Azure VM "Oracle DB" on which I test Microsoft Azure Backup (without Azure File Share for Point-in-Time recovery) My Oracle database is running. I have my /etc/azure/workload.conf (by default) My json file with VMSnapshotPluginConfig.json in the directory. (https://github.com/MicrosoftAzureBackup/VMSnapshotPluginConfig) Azure Portal : • Snapshot : 8 minutes • Application Consistent : 4 I want to know when the Oracle database is frozen (8 minutes seems long) I find nothing concrete in the logs of the Linux VM (directory alert.log) I saw this Github repo that allowed you to customize the script with output codes : https://github.com/MicrosoftAzureBackup/Oracle/blob/master/script.sh With a command sh -x script.sh, I saw : [root@VM2-Test /]# sh -x /scripts/script.sh + config_file_path= + pre_or_post= + success=0 + error=1 + warning=2 + status=0 + log_path=/config_error.log + '[' -eq 0 ']' /scripts/script.sh: line 15: [: -eq: unary operator expected + '[' -a ']' + . /scripts/script.sh: line 21: .: filename argument required .: usage: . filename [arguments] I believe that I have missing elements in my code and that in addition, I will not have the times when the database is started/ frozen/ stopped. If anyone can help me with my problem, that would be nice I also saw this way to collect times I want but I'm not sure to query correctly after setting up. https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/virtual-machines/workloads/oracle/oracle-database-backup-azure-backup.md#remove-the-database-files sqlplus / as sysdba SQL> CREATE PROCEDURE sysbackup.azmessage(in_msg IN VARCHAR2) AS v_timestamp VARCHAR2(32); BEGIN SELECT TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') INTO v_timestamp FROM DUAL; DBMS_OUTPUT.PUT_LINE(v_timestamp || ' - ' || in_msg); SYS.DBMS_SYSTEM.KSDWRT(SYS.DBMS_SYSTEM.ALERT_FILE, in_msg); END azmessage; / SQL> SHOW ERRORS Any assistance would be most welcome. Have a good day !
Deploying access packages as code
I know Microsoft graph can be used to automatically create access packages in Azure AD however it would be useful if a Terraform registry would eventually become available to deploy access packages using Terraform so you can manage your access packages in code. #AzureAD #IAC #accesspackages
