I am using Resource Graph Powershell module to query all the recent change details in my Subscription.
https://learn.microsoft.com/en-us/azure/governance/resource-graph/how-to/get-resource-changes?tabs=azure-powershell
But though there are many changes happened, the query is returning at max 100 at a time. So is there a way to get the complete records?
Is there a way to get all available records from Resource Graph module?
I have reproduced in my environment and got expected results as below and I followed Microsoft-Document:
$count= Search-AzGraph -Query 'resourcechanges | project properties.changeAttributes.timestamp, properties.changeType, properties.targetResourceId, properties.targetResourceType, properties.changes' -First 1000
$count | Measure-Object
So you need to use -First Paramter
Or you can use the query directly in Azure Resource graph Explorer as below:
Related
The following query fails with 2 ParserFailure errors, both on line 5. At least that's where the query builder shows the red curly line.
The intention of this query is probably obvious to the Azure KQL initiates, but I'll explain nonetheless just to make sure it's clear.
This query should list all NSGs that do not have either one of the rules named "AllowThis" or "AllowThat".
Resources
| where type == "microsoft.network/networksecuritygroups"
| where isnotempty(properties.securityRules)
| where not(properties.securityRules
| where (tolower(tostring(properties.securityRules.ruleName)) =~ "allowthis|allowthat"))
| project NSGName = name
| order by NSGName asc
It would even be nicer if the table shows the actual missing rule(s) for the listed NSGs, but I have no idea where to start with that.
Does anyone have a working version of this type of query? Having to go through a lot of NSGs manually can't be the answer.
I have tried multiple variations of the query, but I couldn't find a single working version.
Below are my findings and observations from the query posted in question.
Lines 1 to 3 looks good and will give you list of NSG resources which has values for "securityRules" field.
For line number 4
| where not(properties.securityRules)
I am not sure what are you trying to achieve in this step. The not() takes bool values as mentioned in the documentation.
For line number 5
| where (tolower(tostring(properties.securityRules.ruleName)) =~ "allowthis|allowthat")
There is no need to use tolower() when you are using =~ as this supports case-insensitive match. Also under "securityRules" in NSG json object there is no field named as "ruleName", however there is a field "name". Please find the document for the same - Link. You can use the same documentation to check for the fields available to query NSG resource data.
When you are trying to write condition for "AllowThis" or "AllowThat" in Azure Resource Graph Explorer you should use the syntax properties.securityRules.name == "allowthis" or properties.securityRules.name == "allowthat"
If you write anything within quotes it will be taken as single string. Hence in your query "allowthis|allowthat" will be considered as a single string.
I found on this post how to print the the Azure Subscription ID:
(Get-AzContext).Subscription.id
But if I look in the official documentation of the command Get-AzContext I don't see anywhere that the .Subscription.id or .id would print that information.
How the guy who replied to that question knew such information?
Where can I find a list of properties for each command?
Commmands like Get-AzContext | fl * or Get-AzContext | gm or get-help Get-AzContext -full don't provide such list.
I want to be able to see all properties provided by commands like Get-AzResource or Get-AzSqlDatabase or any other.
Problably not the cleanest way, but as I use this trick very often and since I shared to some teammates I noticed they are using it now I guess it worths sharing :) .
Use the convertto-json -depth xx (where xx is big enough for your need and depending on the objet's complexity) to get the whole view of an object
Then you can redirect to a file and look for what you need quite easily.
In case you run Get-AzContext | convertto-json -depth 10 you will find back the subscription and the ID.
So basically I am current using this script that checks what license is assigned to each account in Azure AD
Connect-MsolService
$Users= Import-CSV C:\Users\Ark\Desktop\powershell\test01.csv
$Users|%{Get-MsolUser -UserPrincipalName $_.UPN|select userPrincipalNAme,#{n="Licenses Type";e={$_.Licenses.AccountSKUid}}}
The csv file that I am ingesting looks like this
|UserPrincipalName|
|:----------------------|
|test.user#test.com |
|test.user2#test.com |
|test.user1#test.com |
With this scripts it goes through and outputs the correct license info for each account, like so
|UserPrincipalName| Licenses Type
|:----------------------|:-------------
|test.user#test.com |testdomain:SPE_E3
|test.user2#test.com |testdomain:SPE_F1
|test.user1#test.com |testdomain:SPE_E3
Where I am stuck at is I would like for this to only output users that only have a specific type of license. For example if I would only want users that have a testdomain:SPE_E3 license assigned. What can I do to edit my script that would only output users for that specific license, like so
|UserPrincipalName| Licenses Type
|:----------------------|:-------------
|test.user#test.com |testdomain:SPE_E3
|test.user1#test.com |testdomain:SPE_E3
Try with the "Where-Object" filter as follows:
Where-Object {($_.licenses).AccountSkuId -match "SPE_E3"}
I need to retrieve the last run time a pipeline failed by using the below query but it doesn't work.
ADFPipelineRun
| where Status == "Failed" AND max(TimeGenerated)
So with the below example, I want to retrieve only the ones highlighted red on the screenshot. I have different pipelines and would like to retrieved only the last runtime of all the pipelines that failed.
For example in the above screenshot, I will like to retrieve only:
I need the Kusto query that can do that.
Please use the query below. It returns the expected result as per my testing:
ADFPipelineRun
| where Status == "Failed"
| summarize TimeGenerated= max(TimeGenerated) by PipelineName, Status
I have an issue with showing specific resources with azure kusto query.
what i want is to write a kusto query that show only database resources and server resources in azure.
i have written following query regarding Databases:
resources
| where type in ("microsoft.sql/servers/databases","microsoft.dbforpostgresql/servers","microsoft.azuredata/postgresinstances","microsoft.dbformariadb/servers","microsoft.dbformysql/flexibleservers","microsoft.dbformysql/servers","microsoft.dbforpostgresql/flexibleservers","microsoft.dbforpostgresql/servergroups","microsoft.kusto/clusters/databases","microsoft.sql/managedinstances/databases","microsoft.synapse/workspaces/sqldatabases","ravenhq.db/databases","microsoft.documentdb/databaseaccounts")
| summarize Amount=count() by type
But when i execute the query it shows me two Databases even though i only have create one, the extra one is a "master" which should not be included because there is only one resource in the resource group
i have also tried with the following query:
resources
| where type contains "database" | distinct type
| summarize Amount=count() by type
But then the issue is that it doesnt include all the db's that doesnt have the word "database" in the type name for example "microsoft.azuredata/postgresinstances"
so the question is, how do i write a query that shows ALL the databases on my dashboard.
The second part of the question which is similar to the previous with databases is how i show all the Servers.
I have tried with the following queries:
resources
| where split(type,"/")[array_length(split(type,"/"))] contains "servers"
it gave me no result even though i had a server.
then i tried:
resources
| where type contains "/server" | distinct type
| summarize Amount=count() by type
that didnt work because it also returned all the database resources cuntaining the work "server"
i have tried to look through microsofts documentation, but cannot figure out what to do.
If you don't want the master databases (which are the databases that store system level data in SQL databases, you can simply filter them out:
resources
| where type in ("microsoft.sql/servers/databases","microsoft.dbforpostgresql/servers","microsoft.azuredata/postgresinstances","microsoft.dbformariadb/servers","microsoft.dbformysql/flexibleservers","microsoft.dbformysql/servers","microsoft.dbforpostgresql/flexibleservers","microsoft.dbforpostgresql/servergroups","microsoft.kusto/clusters/databases","microsoft.sql/managedinstances/databases","microsoft.synapse/workspaces/sqldatabases","ravenhq.db/databases","microsoft.documentdb/databaseaccounts")
| where name type != "microsoft.sql/servers/databases" or name != "master"
| summarize Amount=count() by type
Regarding the 2nd question, this should work since the has operator will only match whole tokens (and a slash separates tokens):
resources | where type has "servers"