Starter Resource Graph query samples
The first step to understanding queries with Azure Resource Graph is a basic understanding of the Query Language. If you aren't already familiar with Kusto Query Language (KQL), it's recommended to review the KQL tutorial to understand how to compose requests for the resources you're looking for.
This article uses the following starter queries:
- Count Azure resources
- Count Key Vault resources
- List resources sorted by name
- Show all virtual machines ordered by name in descending order
- Show first five virtual machines by name and their OS type
- Count virtual machines by OS type
- Show resources that contain storage
- List all Azure virtual network subnets
- List all public IP addresses
- Count resources that have IP addresses configured by subscription
- List resources with a specific tag value
- List all storage accounts with specific tag value
- List all tags and their values
- Show unassociated network security groups
- List Azure Monitor alerts ordered by severity
- List Azure Monitor alerts ordered by severity and alert state
- List Azure Monitor alerts ordered by severity, monitor service, and target resource type
If you don't have an Azure subscription, create a free account before you begin.
Language support
Azure CLI (through an extension) and Azure PowerShell (through a module) support Azure Resource Graph. Before running any of the following queries, check that your environment is ready. See Azure CLI and Azure PowerShell for steps to install and validate your shell environment of choice.
Count Azure resources
This query returns number of Azure resources that exist in the subscriptions that you have access to. It's also a good query to validate your shell of choice has the appropriate Azure Resource Graph components installed and in working order.
Resources
| summarize count()
By default, Azure CLI queries all accessible subscriptions but you can specify the --subscriptions parameter to query specific subscriptions.
az graph query -q "Resources | summarize count()"
This example uses a variable for the subscription ID.
subid=$(az account show --query id --output tsv)
az graph query -q "Resources | summarize count()" --subscriptions $subid
You can also query by the scopes for management group and tenant. Replace <managementGroupId> and <tenantId> with your values.
az graph query -q "Resources | summarize count()" --management-groups '<managementGroupId>'
az graph query -q "Resources | summarize count()" --management-groups '<tenantId>'
You can also use a variable for the tenant ID.
tenantid=$(az account show --query tenantId --output tsv)
az graph query -q "Resources | summarize count()" --management-groups $tenantid
Count Key Vault resources
This query uses count instead of summarize to count the number of records returned. Only key
vaults are included in the count.
Resources
| where type =~ 'microsoft.keyvault/vaults'
| count
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | count"
List resources sorted by name
This query returns any type of resource, but only the name, type, and location
properties. It uses order by to sort the properties by the name property in ascending (asc)
order.
Resources
| project name, type, location
| order by name asc
az graph query -q "Resources | project name, type, location | order by name asc"
Show all virtual machines ordered by name in descending order
To list only virtual machines (which are type Microsoft.Compute/virtualMachines), we can match
the property type in the results. Similar to the previous query, desc changes the order by
to be descending. The =~ in the type match tells Resource Graph to be case insensitive.
Resources
| project name, location, type
| where type =~ 'Microsoft.Compute/virtualMachines'
| order by name desc
az graph query -q "Resources | project name, location, type| where type =~ 'Microsoft.Compute/virtualMachines' | order by name desc"
Show first five virtual machines by name and their OS type
This query uses top to only retrieve five matching records that are ordered by name. The type
of the Azure resource is Microsoft.Compute/virtualMachines. project tells Azure Resource Graph
which properties to include.
Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| project name, properties.storageProfile.osDisk.osType
| top 5 by name desc
az graph query -q "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | project name, properties.storageProfile.osDisk.osType | top 5 by name desc"
Count virtual machines by OS type
Building on the previous query, we're still limiting by Azure resources of type
Microsoft.Compute/virtualMachines, but are no longer limiting the number of records returned.
Instead, we used summarize and count() to define how to group and aggregate the values by
property, which in this example is properties.storageProfile.osDisk.osType. For an example of how
this string looks in the full object, see explore resources - virtual machine
discovery.
Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| summarize count() by tostring(properties.storageProfile.osDisk.osType)
az graph query -q "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | summarize count() by tostring(properties.storageProfile.osDisk.osType)"
A different way to write the same query is to extend a property and give it a temporary name for
use within the query, in this case os. os is then used by summarize and count() as in
the previous example.
Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| extend os = properties.storageProfile.osDisk.osType
| summarize count() by tostring(os)
az graph query -q "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | extend os = properties.storageProfile.osDisk.osType | summarize count() by tostring(os)"
Note
Be aware that while =~ allows case insensitive matching, use of properties (such as
properties.storageProfile.osDisk.osType) in the query require the case to be correct. If the
property is the incorrect case, a null or incorrect value is returned and the grouping or
summarization would be incorrect.
Show resources that contain storage
Instead of explicitly defining the type to match, this example query finds any Azure resource
that contains the word storage.
Resources
| where type contains 'storage' | distinct type
az graph query -q "Resources | where type contains 'storage' | distinct type"
List all Azure virtual network subnets
This query returns a list of Azure virtual networks (VNets) including subnet names and address prefixes. Thanks to Saul Dolgin for the contribution.
Resources
| where type == 'microsoft.network/virtualnetworks'
| extend subnets = properties.subnets
| mv-expand subnets
| project name, subnets.name, subnets.properties.addressPrefix, location, resourceGroup, subscriptionId
az graph query -q "Resources | where type == 'microsoft.network/virtualnetworks' | extend subnets = properties.subnets | mv-expand subnets | project name, subnets.name, subnets.properties.addressPrefix, location, resourceGroup, subscriptionId"
List all public IP addresses
Similar to the previous query, find everything that is a type with the word publicIPAddresses.
This query expands on that pattern to only include results where properties.ipAddress
isnotempty, to only return the properties.ipAddress, and to limit the results by the top
100. You may need to escape the quotes depending on your chosen shell.
Resources
| where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress)
| project properties.ipAddress
| limit 100
az graph query -q "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | project properties.ipAddress | limit 100"
Count resources that have IP addresses configured by subscription
Using the previous example query and adding summarize and count(), we can get a list by subscription of resources with configured IP addresses.
Resources
| where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress)
| summarize count () by subscriptionId
az graph query -q "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId"
List resources with a specific tag value
We can limit the results by properties other than the Azure resource type, such as a tag. In this example, we're filtering for Azure resources with a tag name of Environment that have a value of Internal.
Resources
| where tags.environment=~'internal'
| project name
az graph query -q "Resources | where tags.environment=~'internal' | project name"
To also provide what tags the resource has and their values, add the property tags to the
project keyword.
Resources
| where tags.environment=~'internal'
| project name, tags
az graph query -q "Resources | where tags.environment=~'internal' | project name, tags"
List all storage accounts with specific tag value
Combine the filter functionality of the previous example and filter Azure resource type by type property. This query also limits our search for specific types of Azure resources with a specific tag name and value.
Resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| where tags['tag with a space']=='Custom value'
az graph query -q "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where tags['tag with a space']=='Custom value'"
Note
This example uses == for matching instead of the =~ conditional. == is a case sensitive match.
List all tags and their values
This query lists tags on management groups, subscriptions, and resources along with their values.
The query first limits to resources where tags isnotempty(), limits the included fields by only
including tags in the project, and mvexpand and extend to get the paired data from the
property bag. It then uses union to combine the results from ResourceContainers to the same
results from Resources, giving broad coverage to which tags are fetched. Last, it limits the
results to distinct paired data and excludes system-hidden tags.
ResourceContainers
| where isnotempty(tags)
| project tags
| mvexpand tags
| extend tagKey = tostring(bag_keys(tags)[0])
| extend tagValue = tostring(tags[tagKey])
| union (
resources
| where isnotempty(tags)
| project tags
| mvexpand tags
| extend tagKey = tostring(bag_keys(tags)[0])
| extend tagValue = tostring(tags[tagKey])
)
| distinct tagKey, tagValue
| where tagKey !startswith "hidden-"
az graph query -q "ResourceContainers | where isnotempty(tags) | project tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) | union (resources | where notempty(tags) | project tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) ) | distinct tagKey, tagValue | where tagKey !startswith "hidden-""
Show unassociated network security groups
This query returns Network Security Groups (NSGs) that aren't associated to a network interface or subnet.
Resources
| where type =~ "microsoft.network/networksecuritygroups" and isnull(properties.networkInterfaces) and isnull(properties.subnets)
| project name, resourceGroup
| sort by name asc
az graph query -q "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc"
List Azure Monitor alerts ordered by severity
alertsmanagementresources
| where type =~ 'microsoft.alertsmanagement/alerts'
| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()
| project Severity = tostring(properties.essentials.severity)
| summarize AlertsCount = count() by Severity
List Azure Monitor alerts ordered by severity and alert state
alertsmanagementresources
| where type =~ 'microsoft.alertsmanagement/alerts'
| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()
| project Severity = tostring(properties.essentials.severity),
AlertState= tostring(properties.essentials.alertState)
| summarize AlertsCount = count() by Severity, AlertState
List Azure Monitor alerts ordered by severity, monitor service, and target resource type
alertsmanagementresources
| where type =~ 'microsoft.alertsmanagement/alerts'
| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()
| project Severity = tostring(properties.essentials.severity),
MonitorCondition = tostring(properties.essentials.monitorCondition),
ObjectState = tostring(properties.essentials.alertState),
MonitorService = tostring(properties.essentials.monitorService),
AlertRuleId = tostring(properties.essentials.alertRule),
SignalType = tostring(properties.essentials.signalType),
TargetResource = tostring(properties.essentials.targetResourceName),
TargetResourceType = tostring(properties.essentials.targetResourceName), id
| summarize AlertsCount = count() by Severity, MonitorService , TargetResourceType
Next steps
- Learn more about the query language.
- Learn more about how to explore resources.
- See samples of Advanced queries.