https://github.com/azure/azqr
Azure Quick Review
https://github.com/azure/azqr
aprl assessment assessment-tool azqr azure best-practices hacktoberfest hacktoberfest-accepted
Last synced: about 2 months ago
JSON representation
Azure Quick Review
- Host: GitHub
- URL: https://github.com/azure/azqr
- Owner: Azure
- License: mit
- Created: 2022-10-17T09:47:59.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2026-03-03T07:02:13.000Z (about 2 months ago)
- Last Synced: 2026-03-03T10:47:17.700Z (about 2 months ago)
- Topics: aprl, assessment, assessment-tool, azqr, azure, best-practices, hacktoberfest, hacktoberfest-accepted
- Language: Go
- Homepage: https://azure.github.io/azqr
- Size: 30 MB
- Stars: 743
- Watchers: 14
- Forks: 133
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
README
[](https://github.com/Azure/azqr/actions/workflows/build.yaml)
[](https://github.com/Azure/azqr/actions/workflows/codeql.yml)
[]()
[](https://codecov.io/gh/Azure/azqr)
[](https://www.bestpractices.dev/projects/9896)
[](http://isitmaintained.com/project/Azure/azqr "Average time to resolve an issue")
[](http://isitmaintained.com/project/Azure/azqr "Percentage of issues still open")
# Azure Quick Review
[](https://vscode.dev/github/Azure/azqr)
**Azure Quick Review (azqr)** is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure's best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.
## Azure Quick Review Recommendations
**Azure Quick Review (azqr)** scans your resources with 2 types of recommendations:
* **Azure Resource Graph (ARG)** queries provided by the [Azure Proactive Resiliency Library v2 (APRL)](https://aka.ms/aprl) and the Azure Orphaned Resources (https://github.com/dolevshor/azure-orphan-resources) projects
* **Azure Resource Manager (ARM)** rules built with the Azure Golang SDK
To learn more about the recommendations used by **Azure Quick Review (azqr)**, you can refer to the documentation available [here](https://azure.github.io/azqr/docs/recommendations/).
## Scan Results
The output generated by **Azure Quick Review (azqr)** is written by default to an Excel file, which contains the following sheets:
* **Recommendations**: a list with all recommendations with the number of resources that are impacted. You can use this table as an action plan to improve the compliance of your resources.
* **ImpactedResources**: a list with all resources that are impacted. You can use this table to identify resources that have issues that need to be addressed.
* **ResourceTypes**: a list of impacted resource types.
* **Inventory**: a list of all resources scanned by the tool. Here you'll find details such as SKU, Tier, Kind or calculated SLA.
* **Advisor**: a list of recommendations provided by Azure Advisor.
* **Azure Policy**: a list of non-compliant resources based on Azure Policy states.
* **Arc SQL**: a list of Azure Arc-enabled SQL Server instances with extension installation status, licensing, and feature enablement details.
* **DefenderRecommendations**: a list of recommendations provided by Microsoft Defender for Cloud.
* **OutOfScope**: a list of resources that were not scanned.
* **Defender**: a list of Microsoft Defender for Cloud plans and their tiers.
* **Costs**: a list of costs associated with the scanned subscription for the last 3 months.
> By default, Azure Quick Review (azqr) obfuscates the Subscription Ids in the output to ensure the protection of sensitive information and maintain data privacy and security. If you want to display the Subscription Ids without obfuscation, you can use the `--mask=false` flag when executing the tool.
> Azure Quick Review can also generate an csv files with the same information as the excel. To generate the csv files, you can use the `--csv` flag when running the tool.
## Supported Azure Services
**Azure Quick Review (azqr)** currently supports the following Azure services:
Abbreviation | Resource Type
---|---
aa | Microsoft.Automation/automationAccounts
adf | Microsoft.DataFactory/factories
afd | Microsoft.Cdn/profiles
afw | Microsoft.Network/azureFirewalls
afw | Microsoft.Network/ipGroups
agw | Microsoft.Network/applicationGateways
aif | Microsoft.CognitiveServices/accounts
aks | Microsoft.ContainerService/managedClusters
amg | Microsoft.Dashboard/grafana
apim | Microsoft.ApiManagement/service
appcs | Microsoft.AppConfiguration/configurationStores
appi | Microsoft.Insights/components
appi | Microsoft.Insights/activityLogAlerts
arc | Microsoft.HybridCompute/machines
as | Microsoft.AnalysisServices/servers
asp | Microsoft.Web/serverFarms
asp | Microsoft.Web/sites
asp | Microsoft.Web/connections
asp | Microsoft.Web/certificates
avail | Microsoft.Compute/availabilitySets
avd | Specialized.Workload/AVD
avs | Microsoft.AVS/privateClouds
avs | Specialized.Workload/AVS
ba | Microsoft.Batch/batchAccounts
ca | Microsoft.App/containerApps
cae | Microsoft.App/managedenvironments
ci | Microsoft.ContainerInstance/containerGroups
con | Microsoft.Network/connections
cosmos | Microsoft.DocumentDB/databaseAccounts
cr | Microsoft.ContainerRegistry/registries
dbw | Microsoft.Databricks/workspaces
dec | Microsoft.Kusto/clusters
disk | Microsoft.Compute/disks
erc | Microsoft.Network/expressRouteCircuits
erc | Microsoft.Network/ExpressRoutePorts
evgd | Microsoft.EventGrid/domains
evh | Microsoft.EventHub/namespaces
fabric | Microsoft.Fabric/capacities
fdfp | Microsoft.Network/frontdoorWebApplicationFirewallPolicies
gal | Microsoft.Compute/galleries
hpc | Specialized.Workload/HPC
hub | Microsoft.MachineLearningServices/workspaces
iot | Microsoft.Devices/IotHubs
it | Microsoft.VirtualMachineImages/imageTemplates
kv | Microsoft.KeyVault/vaults
lb | Microsoft.Network/loadBalancers
log | Microsoft.OperationalInsights/workspaces
logic | Microsoft.Logic/workflows
maria | Microsoft.DBforMariaDB/servers
maria | Microsoft.DBforMariaDB/servers/databases
mysql | Microsoft.DBforMySQL/servers
mysql | Microsoft.DBforMySQL/flexibleServers
netapp | Microsoft.NetApp/netAppAccounts
ng | Microsoft.Network/natGateways
nic | Microsoft.Network/networkInterfaces
nsg | Microsoft.Network/networkSecurityGroups
nw | Microsoft.Network/networkWatchers
odb | Oracle.Database/cloudExadataInfrastructures
odb | Oracle.Database/cloudVmClusters
pdnsz | Microsoft.Network/privateDnsZones
pep | Microsoft.Network/privateEndpoints
pip | Microsoft.Network/publicIPAddresses
psql | Microsoft.DBforPostgreSQL/servers
psql | Microsoft.DBforPostgreSQL/flexibleServers
redis | Microsoft.Cache/Redis
rg | Microsoft.Resources/resourceGroups
rsv | Microsoft.RecoveryServices/vaults
rt | Microsoft.Network/routeTables
sap | Specialized.Workload/SAP
sb | Microsoft.ServiceBus/namespaces
sigr | Microsoft.SignalRService/SignalR
sql | Microsoft.Sql/servers
sql | Microsoft.Sql/servers/databases
sql | Microsoft.Sql/servers/elasticPools
srch | Microsoft.Search/searchServices
st | Microsoft.Storage/storageAccounts
synw | Microsoft.Synapse/workspaces
synw | Microsoft.Synapse workspaces/bigDataPools
synw | Microsoft.Synapse/workspaces/sqlPools
traf | Microsoft.Network/trafficManagerProfiles
vdpool | Microsoft.DesktopVirtualization/hostPools
vdpool | Microsoft.DesktopVirtualization/scalingPlans
vdpool | Microsoft.DesktopVirtualization/workspaces
vgw | Microsoft.Network/virtualNetworkGateways
vm | Microsoft.Compute/virtualMachines
vmss | Microsoft.Compute/virtualMachineScaleSets
vnet | Microsoft.Network/virtualNetworks
vnet | Microsoft.Network/virtualNetworks/subnets
vwan | Microsoft.Network/virtualWans
wps | Microsoft.SignalRService/webPubSub
## Usage
### Install on Linux or Azure Cloud Shell (Bash)
```bash
bash -c "$(curl -fsSL https://raw.githubusercontent.com/azure/azqr/main/scripts/install.sh)"
```
### Install on Windows
Use `winget`:
```console
winget install azqr
```
or download the executable file:
```
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/azure/azqr/main/scripts/install.ps1'))
```
### Install on Mac
Use `homebrew`:
```console
brew install azqr
```
or download the latest release from [here](https://github.com/Azure/azqr/releases).
### Authentication
**Azure Quick Review (azqr)** supports the following authentication methods:
* Service Principal. You'll need to set the following environment variables:
* AZURE_CLIENT_ID
* AZURE_CLIENT_SECRET
* AZURE_TENANT_ID
* Azure Managed Identity
* Azure CLI (Using this type of authentication will make scans run slower)
### Credential Chain Configuration
**Azure Quick Review (azqr)** uses the Azure SDK's `DefaultAzureCredential` which automatically selects the most appropriate credential based on your environment. You can customize the credential chain behavior by setting the `AZURE_TOKEN_CREDENTIALS` environment variable.
**Development environments:**
Set `AZURE_TOKEN_CREDENTIALS=dev` to use Azure CLI (`az`) or Azure Developer CLI (`azd`) credentials.
**Production environments:**
Set `AZURE_TOKEN_CREDENTIALS=pros` to use environment variables, workload identity, or managed identity credentials.
### Authorization
**Azure Quick Review (azqr)** requires the following permissions:
* Reader over Subscription or Management Group scope
### Cloud Configuration
**Azure Quick Review (azqr)** supports scanning resources in different Azure cloud environments including Azure Public Cloud, Azure Government, Azure China, and custom cloud configurations.
You can configure the target cloud using environment variables such as `AZURE_CLOUD`, `AZURE_AUTHORITY_HOST`, `AZURE_RESOURCE_MANAGER_ENDPOINT`, and `AZURE_RESOURCE_MANAGER_AUDIENCE`.
> For detailed cloud configuration options and examples, see the [Usage section](https://azure.github.io/azqr/docs/usage/) in the documentation.
### Running the Scan
To scan all resources in all subscription run:
```bash
./azqr scan
```
To scan all resources in a specific management group run:
```bash
./azqr scan --management-group-id
```
To scan all resources in a specific subscription run:
```bash
./azqr scan -s
```
To scan a specific resource group in a specific subscription run:
```bash
./azqr scan -s -g
```
For information on available commands and help run:
```bash
./azqr -h
```
### Interactive Dashboard (show command)
You can explore your scan results with a lightweight embedded web UI using the `show` command. The dashboard supports both Excel and JSON report formats:
1. Generate a report (Excel or JSON):
```bash
# Excel format (default)
./azqr scan -s --output-name report
# JSON format
./azqr scan -s --output-name report --json
```
2. Launch the dashboard:
```bash
# With Excel file
./azqr show -f report.xlsx --open
# With JSON file
./azqr show -f report.json --open
```
### Compare Scan Reports (compare command)
You can compare two azqr scan reports to identify differences in recommendations and resources using the `compare` command:
```bash
# Compare two Excel reports
./azqr compare --file1 scan_before.xlsx --file2 scan_after.xlsx
# Save comparison results to a file
./azqr compare --file1 scan1.xlsx --file2 scan2.xlsx --output comparison.txt
```
## Advanced Features
Azure Quick Review includes optional **internal plugins** that provide advanced analytics beyond standard recommendations. Plugins can be run as standalone commands for faster execution or integrated with full scans.
### OpenAI Throttling Monitor
Monitors Azure OpenAI and Cognitive Services accounts for throttling (HTTP 429 errors) to identify capacity constraints.
- Tracks throttling by hour, model, and deployment
- Analyzes spillover configuration effectiveness
- Reports request counts by status code
**Use Cases**: Capacity planning, troubleshooting throttling, optimizing deployment configuration
```bash
# Run as standalone command (fast, plugin-only mode)
./azqr openai-throttling
# Or integrate with full scan
./azqr scan --plugin openai-throttling
```
### Carbon Emissions Tracking
Analyzes carbon emissions by Azure resource type to support sustainability reporting and optimization.
- Tracks emissions by resource type
- Calculates month-over-month trends
- Aggregates across subscriptions
**Use Cases**: Sustainability reporting, compliance, environmental impact analysis
```bash
# Run as standalone command (fast, plugin-only mode)
./azqr carbon-emissions
# Or integrate with full scan
./azqr scan --plugin carbon-emissions
```
### Zone Mapping
Retrieves logical-to-physical availability zone mappings for all Azure regions in each subscription.
- Maps logical zones (1, 2, 3) to physical zone identifiers
- Reveals subscription-specific zone mappings
- Essential for multi-subscription architectures
**Use Cases**: Multi-subscription architecture design, DR planning with zone awareness, zone alignment
```bash
# Run as standalone command (fast, plugin-only mode)
./azqr zone-mapping
# Compare mappings across subscriptions
./azqr zone-mapping --subscription-id sub1 --subscription-id sub2
# Or integrate with full scan
./azqr scan --plugin zone-mapping
```
[📖 Full Documentation](https://azure.github.io/azqr/docs/plugins/zone-mapping/)
### Combining Features
```bash
# Run multiple plugins as standalone commands (fastest)
./azqr openai-throttling
./azqr carbon-emissions
./azqr zone-mapping
# Or run multiple plugins with a full scan
./azqr scan --subscription-id \
--plugin openai-throttling \
--plugin carbon-emissions \
--plugin zone-mapping \
--output-name comprehensive-analysis
```
Results from all enabled plugins are included in the Excel, JSON, or CSV output.
> 💡 **Tip**: Plugin commands (e.g., `azqr openai-throttling`) run in optimized plugin-only mode for faster execution, skipping resource and APRL scanning. Use `azqr plugins list` to see all available plugins.
[📖 Internal Plugins Documentation](https://azure.github.io/azqr/docs/plugins/internal-plugins/)
## Binary Verification
To verify the authenticity of downloaded binaries, see our [Binary Verification Guide](SECURITY_VERIFICATION.md).
## Filtering Recommendations and more
You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a `yaml` file with the following format:
```yaml
azqr:
include:
subscriptions:
- # format:
resourceGroups:
- # format: /subscriptions//resourceGroups/
resourceTypes:
- # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
exclude:
subscriptions:
- # format:
resourceGroups:
- # format: /subscriptions//resourceGroups/
services:
- # format: /subscriptions//resourceGroups//providers//
recommendations:
- # format:
```
Then run the scan with the `--filters` flag:
```bash
./azqr scan --filters
```
> Check the [rules](https://azure.github.io/azqr/docs/recommendations/) to get the recommendation ids.
## Troubleshooting
### General Issues
If you encounter any issue while using **Azure Quick Review (azqr)**, please set the `AZURE_SDK_GO_LOGGING` environment variable to `all`, run the tool with the `--debug` flag and then share the console output with us by filing a new [issue](https://github.com/Azure/azqr/issues).
### Cost Analysis Permission Issues
If you encounter an error related to cost analysis access when running `azqr scan`, such as:
```
FTL Failed to query costs error="POST https://management.azure.com/subscriptions/.../providers/Microsoft.CostManagement/query
ERROR CODE: AccountCostDisabled
message: "Access to cost data has been disabled for account admins..."
```
This occurs when your account has READER permissions but lacks access to cost analysis data. Azure Cost Management requires specific permissions beyond standard READER access.
**Solution:**
**Disable cost scanning** by using the `-c=false` flag:
```bash
azqr scan -c=false
```
This will skip cost analysis and generate a complete report with all other Azure resource recommendations.
**Note:** Cost analysis provides valuable insights into resource spending over the last 3 months, but it's optional for security and compliance recommendations.
## Building Locally
Make sure you have `Go 1.23.x` or higher installed in your environment. You can set `GOROOT= folder` and `GOPATH=` if you want to be specific about where to find Go binary and Go dependencies.
```bash
git clone git@github.com:Azure/azqr.git
cd azqr
git submodule init
git submodule update --recursive
make
```
## Support
This project uses GitHub Issues to track bugs and feature requests.
Before logging an issue please check our [troubleshooting](#troubleshooting) guide.
Please search the existing issues before filing new issues to avoid duplicates.
- For new issues, file your bug or feature request as a new [issue](https://github.com/Azure/azqr/issues).
- For help, discussion, and support questions about using this project, join or start a [discussion](https://github.com/Azure/azqr/discussions).
Support for this project / product is limited to the resources listed above.
## Contributors
Thanks to everyone who has contributed!
## Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](CODE_OF_CONDUCT.md)
## Trademark Notice
> **Trademarks** This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.