Azure Resource Graph Examples and Github Repo

Today I’m releasing my Azure Resource Graph examples repo. This has been an internal repo I created and shared internally late 2019. Now everyone gets to benefit!

Bonus, I have taken every query out of my Ultimate Azure Inventory workbook and added them to the repo as well.

TLDR you can find the Azure Resource Graph Examples repo here

Resource Graph Examples Repo

The repo is broken out much like my Azure Inventory Dashboard workbook, by resource types.

Overview queries



Monitor and Security


Orhaned Resources

Resource Tagging


Some of my favorite azure resource graph examples

Finding enabled log analytics solutions on all workspaces. I like this one because Azure Sentinel and Security Center currently aren’t true Azure Resources, they are “solutions” installed on top of Log Analytics.

| where type == "microsoft.operationsmanagement/solutions"
| project, Workspace=tolower(tostring(properties.workspaceResourceId)), subscriptionId
| join kind=leftouter(
| where type =~ 'microsoft.operationalinsights/workspaces'
| project Workspace=tolower(tostring(id)),subscriptionId) on Workspace
| summarize Solutions = strcat_array (make_list(Solution), ",") by Workspace, subscriptionId
| extend AzureSecurityCenter = iif(Solutions has 'Security','Enabled','Not Enabled')
| extend AzureSecurityCenterFree = iif(Solutions has 'SecurityCenterFree','Enabled','Not Enabled')
| extend AzureSentinel = iif(Solutions has "SecurityInsights",'Enabled','Not Enabled')
| extend AzureMonitorVMs = iif(Solutions has "VMInsights",'Enabled','Not Enabled')
| extend ServiceDesk = iif(Solutions has "ITSM Connector",'Enabled','Not Enabled')
| extend AzureAutomation = iif(Solutions has "AzureAutomation",'Enabled','Not Enabled')
| extend ChangeTracking = iif(Solutions has 'ChangeTracking','Enabled','Not Enabled')
| extend UpdateManagement = iif(Solutions has 'Updates','Enabled','Not Enabled')
| extend UpdateCompliance = iif(Solutions has 'WaaSUpdateInsights','Enabled','Not Enabled')
| extend AzureMonitorContainers = iif(Solutions has 'ContainerInsights','Enabled','Not Enabled')
| extend KeyVaultAnalytics = iif(Solutions has 'KeyVaultAnalytics','Enabled','Not Enabled')
| extend SQLHealthCheck = iif(Solutions has 'SQLAssessment','Enabled','Not Enabled')


Joining NICS and PublicIPs with VMs

| where type =~ 'microsoft.compute/virtualmachines'
| extend nics=array_length(properties.networkProfile.networkInterfaces)
| mv-expand nic=properties.networkProfile.networkInterfaces
| where nics == 1 or =~ 'true' or isempty(nic)
| project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(
| join kind=leftouter (
| where type =~ ''
| extend ipConfigsCount=array_length(properties.ipConfigurations)
| mv-expand ipconfig=properties.ipConfigurations
| where ipConfigsCount == 1 or =~ 'true'
| project nicId = id, privateIP= tostring(, publicIpId = tostring(, subscriptionId)
on nicId
| project-away nicId1
| summarize by vmId, vmSize, nicId, privateIP, publicIpId, subscriptionId
| join kind=leftouter (
| where type =~ ''
| project publicIpId = id, publicIpAddress = tostring(properties.ipAddress)) on publicIpId
| project-away publicIpId1
| sort by publicIpAddress desc



Please feel free to clone, fork and contribute with your own examples. With the community we are better together.

Leave a Comment