Query your virtual machine with Azure Resource Graph

A friend asked me whether he could extract some common information about Azure virtual machines into a report for his manager without using a scripting language such as PowerShell, given that, unfortunately, the Azure Portal doesn't help much here.

In this article, let’s explore Azure Resource Graph to extract information about your virtual machines without PowerShell or Azure CLI.

In the past, when querying a resource you would normally use built-in cmdlets or commands in PowerShell or Azure CLI. You could also call the Azure REST API to do the job. When it comes to a no-scripting solution, however, there was no way to do it: the Azure Portal doesn't give you what you really need, and in particular it doesn't provide export functionality. Azure Resource Graph was then born. It is a new approach to querying Azure resources. The core query language used in Azure Resource Graph is actually Kusto Query Language (KQL), which you often see in Azure Log Analytics workspaces or Azure Data Explorer.

You can follow this article to practice. The following query can be used to extract some common information:

// Start from the virtual machine resources and pull the OS image and host name from their properties
Resources
| where type == "microsoft.compute/virtualmachines"
| extend os = properties.storageProfile.imageReference.offer
| extend sku = properties.storageProfile.imageReference.sku
| extend hostName = properties.osProfile.computerName
// A VM can have several NICs: expand them so each NIC becomes its own row
| mvexpand nic = properties.networkProfile.networkInterfaces
| extend nicId = tostring(nic.id)
| project subscriptionId, vmName = name, resourceGroup, location, nicId, hostName, os, sku
// Look up the private IP of each NIC from the network interface resources and join on the NIC id
| join kind=leftouter (
    Resources
    | where type == "microsoft.network/networkinterfaces"
    | mvexpand ipconfig = properties.ipConfigurations
    | extend privateIp = ipconfig.properties.privateIPAddress
    | project nicId = id, privateIp
) on nicId
// The join creates a duplicate key column (nicId1); drop it and keep only the report columns
| project-away nicId1
| project subscriptionId, vmName, resourceGroup, location, privateIp, hostName, os, sku

This query is just an example; if you want to query more, simply read the virtual machine properties and extend it. You can export the result to a CSV file as well.
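As an added example (not from the original post), the same NIC join pattern extended with a second join to public IP addresses and the VM power state, so the report also shows which VMs are reachable from the internet. The join keys are lower-cased on both sides to avoid case mismatches in resource IDs; the output column names beyond those in the post's query are my own choices.

```kql
// Added example: VM inventory with private IP, public IP and power state.
// Same pattern as the post's query, with one more join to public IP resources.
Resources
| where type == "microsoft.compute/virtualmachines"
| extend powerState = tostring(properties.extended.instanceView.powerState.code)
| extend osType = tostring(properties.storageProfile.osDisk.osType)
// One row per NIC; lower-case the id so the join key matches regardless of casing
| mv-expand nic = properties.networkProfile.networkInterfaces
| extend nicId = tolower(tostring(nic.id))
| project subscriptionId, vmName = name, resourceGroup, location, osType, powerState, nicId
// Join 1: NIC -> private IP and the id of any attached public IP resource
| join kind=leftouter (
    Resources
    | where type == "microsoft.network/networkinterfaces"
    | mv-expand ipconfig = properties.ipConfigurations
    | extend privateIp = tostring(ipconfig.properties.privateIPAddress)
    | extend publicIpId = tolower(tostring(ipconfig.properties.publicIPAddress.id))
    | project nicId = tolower(id), privateIp, publicIpId
) on nicId
// Join 2: public IP resource id -> the actual address (empty when no public IP is attached)
| join kind=leftouter (
    Resources
    | where type == "microsoft.network/publicipaddresses"
    | project publicIpId = tolower(id), publicIp = tostring(properties.ipAddress)
) on publicIpId
// Flag VMs that have a public IP so exposed machines sort to the top of the export
| extend internetExposed = isnotempty(publicIp)
| project subscriptionId, vmName, resourceGroup, location, osType, powerState, privateIp, publicIp, internetExposed
| order by internetExposed desc, vmName asc
```

Run it in the Azure Resource Graph Explorer blade and export the result to CSV in the same way as the query above.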

Azure Resource Graph allows you to query Azure resources, much like Azure Policy does.

The only problem with Azure Resource Graph is that it doesn't allow you to interact with custom data. In a real-world scenario you would need to bring in other data, such as subscription information, so that you can join the subscription name to the result table using the subscription ID as the join key.

Bonus: for PowerShell, here is the script: https://github.com/azsec/azure-audit/blob/master/VirtualMachine/Get-AzureVmInfo.ps1

This entry was posted in Security Automation.