Azure Quick Review

April 6, 2026 · View on GitHub


Azure Quick Review (azqr) is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure's best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.

Azure Quick Review Recommendations

Azure Quick Review (azqr) scans your resources with 2 types of recommendations:

To learn more about the recommendations used by Azure Quick Review (azqr), you can refer to the documentation available here.

Scan Results

The output generated by Azure Quick Review (azqr) is written by default to an Excel file, which contains the following sheets:

Core Sheets (always generated)

  • Recommendations: Action plan listing all recommendations with the count of impacted resources.
  • ImpactedResources: Resources that have issues to address.
  • ResourceTypes: Summary of impacted resource types.
  • Inventory: All scanned resources with details (SKU, Tier, Kind, calculated SLA).
  • OutOfScope: Resources that were not scanned.

Optional Sheets (enabled by default)

  • Advisor: Recommendations from Azure Advisor. Disable with --stages -advisor.
  • Defender: Microsoft Defender for Cloud plans and tiers. Disable with --stages -defender.

Optional Sheets (disabled by default)

  • DefenderRecommendations: Defender for Cloud recommendations. Enable with --stages defender-recommendations.
  • Azure Policy: Non-compliant resources based on Azure Policy. Enable with --stages policy.
  • Arc SQL: Azure Arc-enabled SQL Server instances. Enable with --stages arc.
  • Costs: Cost data for the last calendar month. Enable with --stages cost.

By default, Azure Quick Review (azqr) obfuscates the Subscription Ids in the output to ensure the protection of sensitive information and maintain data privacy and security. If you want to display the Subscription Ids without obfuscation, you can use the --mask=false flag when executing the tool.

Azure Quick Review can also generate CSV files with the same information as the Excel file. To generate the CSV files, use the --csv flag when running the tool.

Supported Azure Services

Supported services (70+ resource types):

Abbreviation  Resource Type
aa            Microsoft.Automation/automationAccounts
adf           Microsoft.DataFactory/factories
afd           Microsoft.Cdn/profiles
afw           Microsoft.Network/azureFirewalls
afw           Microsoft.Network/ipGroups
agw           Microsoft.Network/applicationGateways
aif           Microsoft.CognitiveServices/accounts
aks           Microsoft.ContainerService/managedClusters
amg           Microsoft.Dashboard/grafana
apim          Microsoft.ApiManagement/service
appcs         Microsoft.AppConfiguration/configurationStores
appi          Microsoft.Insights/components
appi          Microsoft.Insights/activityLogAlerts
arc           Microsoft.AzureArcData/sqlServerInstances
as            Microsoft.AnalysisServices/servers
asa           Microsoft.StreamAnalytics/streamingJobs
asp           Microsoft.Web/serverFarms
asp           Microsoft.Web/sites
asp           Microsoft.Web/connections
asp           Microsoft.Web/certificates
avail         Microsoft.Compute/availabilitySets
avd           Specialized.Workload/AVD
avs           Microsoft.AVS/privateClouds
avs           Specialized.Workload/AVS
ba            Microsoft.Batch/batchAccounts
bastion       Microsoft.Network/bastionHosts
ca            Microsoft.App/containerApps
cae           Microsoft.App/managedenvironments
ci            Microsoft.ContainerInstance/containerGroups
con           Microsoft.Network/connections
cosmos        Microsoft.DocumentDB/databaseAccounts
cr            Microsoft.ContainerRegistry/registries
dbw           Microsoft.Databricks/workspaces
ddos          Microsoft.Network/ddosProtectionPlans
dec           Microsoft.Kusto/clusters
disk          Microsoft.Compute/disks
dnsres        Microsoft.Network/dnsResolvers
dnsz          Microsoft.Network/dnsZones
domain        Microsoft.AAD/domainServices
erc           Microsoft.Network/expressRouteCircuits
erc           Microsoft.Network/ExpressRoutePorts
erc           Microsoft.Network/expressRouteGateways
evgd          Microsoft.EventGrid/domains
evgt          Microsoft.EventGrid/topics
evh           Microsoft.EventHub/namespaces
fabric        Microsoft.Fabric/capacities
fdfp          Microsoft.Network/frontdoorWebApplicationFirewallPolicies
gal           Microsoft.Compute/galleries
hpc           Specialized.Workload/HPC
hub           Microsoft.MachineLearningServices/workspaces
hub           Microsoft.MachineLearningServices/registries
iot           Microsoft.Devices/IotHubs
it            Microsoft.VirtualMachineImages/imageTemplates
kv            Microsoft.KeyVault/vaults
lb            Microsoft.Network/loadBalancers
log           Microsoft.OperationalInsights/workspaces
logic         Microsoft.Logic/workflows
mysql         Microsoft.DBforMySQL/servers
mysql         Microsoft.DBforMySQL/flexibleServers
netapp        Microsoft.NetApp/netAppAccounts
ng            Microsoft.Network/natGateways
nic           Microsoft.Network/networkInterfaces
nsg           Microsoft.Network/networkSecurityGroups
ntc           Microsoft.NetworkFunction/azureTrafficCollectors
nw            Microsoft.Network/networkWatchers
odb           Oracle.Database/cloudExadataInfrastructures
odb           Oracle.Database/cloudVmClusters
p2svpng       Microsoft.Network/p2sVpnGateways
pdnsz         Microsoft.Network/privateDnsZones
pep           Microsoft.Network/privateEndpoints
pip           Microsoft.Network/publicIPAddresses
psql          Microsoft.DBforPostgreSQL/servers
psql          Microsoft.DBforPostgreSQL/flexibleServers
redis         Microsoft.Cache/Redis
redis         Microsoft.Cache/redisEnterprise
resource      Microsoft.Resources
rg            Microsoft.Resources/resourceGroups
rsv           Microsoft.RecoveryServices/vaults
rt            Microsoft.Network/routeTables
sap           Specialized.Workload/SAP
sb            Microsoft.ServiceBus/namespaces
sigr          Microsoft.SignalRService/SignalR
sql           Microsoft.Sql/servers
sql           Microsoft.Sql/servers/databases
sql           Microsoft.Sql/servers/elasticPools
sqlmi         Microsoft.Sql/managedInstances
srch          Microsoft.Search/searchServices
st            Microsoft.Storage/storageAccounts
sub           Microsoft.Subscription/subscriptions
synw          Microsoft.Synapse/workspaces
synw          Microsoft.Synapse/workspaces/bigDataPools
synw          Microsoft.Synapse/workspaces/sqlPools
traf          Microsoft.Network/trafficManagerProfiles
vdpool        Microsoft.DesktopVirtualization/hostPools
vdpool        Microsoft.DesktopVirtualization/scalingPlans
vdpool        Microsoft.DesktopVirtualization/workspaces
vgw           Microsoft.Network/virtualNetworkGateways
vhub          Microsoft.Network/virtualHubs
vm            Microsoft.Compute/virtualMachines
vmss          Microsoft.Compute/virtualMachineScaleSets
vnet          Microsoft.Network/virtualNetworks
vnet          Microsoft.Network/virtualNetworks/subnets
vpng          Microsoft.Network/vpnGateways
vpns          Microsoft.Network/vpnSites
vrouter       Microsoft.Network/virtualRouters
vwan          Microsoft.Network/virtualWans
wps           Microsoft.SignalRService/webPubSub

For the full list of resource type abbreviations used in filters, see the Overview documentation.

Installation

Linux / Azure Cloud Shell

bash -c "$(curl -fsSL https://raw.githubusercontent.com/azure/azqr/main/scripts/install.sh)"

Windows

winget install azqr

Or via PowerShell:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/azure/azqr/main/scripts/install.ps1'))

macOS

brew install azqr

Or download the latest release from the releases page.

Quick Start

# 1. Login to Azure
az login

# 2. Run a scan (scans all accessible subscriptions)
azqr scan

# 3. View results in interactive dashboard
azqr show -f azqr_action_plan_*.xlsx --open

The scan generates an Excel report with recommendations, impacted resources, and an action plan.

Usage

Authentication

Azure Quick Review (azqr) supports the following authentication methods:

  • Service Principal. You'll need to set the following environment variables:
    • AZURE_CLIENT_ID
    • AZURE_CLIENT_SECRET
    • AZURE_TENANT_ID
  • Azure Managed Identity
  • Azure CLI (Using this type of authentication will make scans run slower)

Credential Chain Configuration

Azure Quick Review (azqr) uses the Azure SDK's DefaultAzureCredential which automatically selects the most appropriate credential based on your environment. By default, it tries credentials in order: environment variables, workload identity, managed identity, Azure CLI, and Azure Developer CLI.

You can customize this behavior by setting the AZURE_TOKEN_CREDENTIALS environment variable:

  • dev - Prioritize Azure CLI (az) or Azure Developer CLI (azd) credentials (recommended for local development)
  • prod - Prioritize environment variables, workload identity, or managed identity (recommended for CI/CD and production)

Authorization

Azure Quick Review (azqr) requires the following permissions:

  • Reader over Subscription or Management Group scope (required for all scans)

Cloud Configuration

Azure Quick Review (azqr) supports scanning resources in different Azure cloud environments including Azure Public Cloud, Azure Government, Azure China, and custom cloud configurations.

You can configure the target cloud using environment variables such as AZURE_CLOUD, AZURE_AUTHORITY_HOST, AZURE_RESOURCE_MANAGER_ENDPOINT, and AZURE_RESOURCE_MANAGER_AUDIENCE.

For detailed cloud configuration options and examples, see the Usage section in the documentation.

Running Scans

To find your subscription ID, run az account list --output table.

# Scan all accessible subscriptions
azqr scan

# Scan a specific subscription
azqr scan --subscription-id <subscription_id>

# Scan a management group
azqr scan --management-group-id <management_group_id>

# Scan specific resource group(s)
azqr scan --subscription-id <sub_id> --resource-group <rg_name>

# Scan multiple subscriptions
azqr scan --subscription-id <sub_1> --subscription-id <sub_2>

# Custom output filename
azqr scan --output-name my-report

# Output as JSON or CSV
azqr scan --json
azqr scan --csv

Run azqr -h for all available commands and options.

Interactive Dashboard (show command)

You can explore your scan results with a lightweight embedded web UI using the show command. The dashboard supports both Excel and JSON report formats:

  1. Generate a report (Excel or JSON):

# Excel format (default)
azqr scan --subscription-id <subscription_id> --output-name report

# JSON format
azqr scan --subscription-id <subscription_id> --output-name report --json

  2. Launch the dashboard:

# With Excel file
azqr show -f report.xlsx --open

# With JSON file
azqr show -f report.json --open

Controlling Scan Stages

Azure Quick Review allows you to control which scan stages are executed. By default, diagnostics, advisor, and defender stages are enabled.

Available Stages

  • advisor: Azure Advisor recommendations
  • defender: Microsoft Defender for Cloud status
  • defender-recommendations: Microsoft Defender for Cloud recommendations
  • arc: Azure Arc-enabled SQL Server instances
  • policy: Azure Policy compliance states
  • cost: Cost analysis for the last 3 months
  • diagnostics: Diagnostic settings scan

Stage Control Examples

# Enable specific stages (replaces defaults)
azqr scan --stages cost --stages policy

# Disable specific stages (keeps other defaults)
azqr scan --stages -diagnostics

# Enable all stages
azqr scan --stages advisor --stages defender --stages defender-recommendations --stages arc --stages policy --stages cost --stages diagnostics

# Disable cost stage only (if you lack permissions)
azqr scan --stages -cost

Advanced Features

Azure Quick Review includes optional internal plugins that provide advanced analytics beyond standard recommendations. Plugins can be run as standalone commands for faster execution or integrated with full scans.

OpenAI Throttling Monitor

Monitors Azure OpenAI and Cognitive Services accounts for throttling (HTTP 429 errors) to identify capacity constraints.

  • Tracks throttling by hour, model, and deployment
  • Analyzes spillover configuration effectiveness
  • Reports request counts by status code

Use Cases: Capacity planning, troubleshooting throttling, optimizing deployment configuration

# Run as standalone command (fast, plugin-only mode)
azqr openai-throttling

# Or integrate with full scan
azqr scan --plugin openai-throttling

Carbon Emissions Tracking

Analyzes carbon emissions by Azure resource type to support sustainability reporting and optimization. Results appear in a dedicated Carbon Emissions sheet in the Excel output (or in pluginResults for JSON).

  • Tracks emissions by resource type
  • Calculates month-over-month trends
  • Aggregates across subscriptions

Use Cases: Sustainability reporting, compliance, environmental impact analysis

# Run as standalone command (fast, plugin-only mode)
azqr carbon-emissions

# Or integrate with full scan
azqr scan --plugin carbon-emissions

Zone Mapping

Retrieves logical-to-physical availability zone mappings for all Azure regions in each subscription.

  • Maps logical zones (1, 2, 3) to physical zone identifiers
  • Reveals subscription-specific zone mappings
  • Essential for multi-subscription architectures

Use Cases: Multi-subscription architecture design, DR planning with zone awareness, zone alignment

# Run as standalone command (fast, plugin-only mode)
azqr zone-mapping

# Compare mappings across subscriptions
azqr zone-mapping --subscription-id sub1 --subscription-id sub2

# Or integrate with full scan
azqr scan --plugin zone-mapping

For details, see the Internal Plugins Documentation.

Combining Features

azqr scan --subscription-id <sub-id> \
  --plugin openai-throttling \
  --plugin carbon-emissions \
  --plugin zone-mapping \
  --output-name comprehensive-analysis

Results from all enabled plugins are included in the Excel, JSON, or CSV output.

Plugin commands (e.g., azqr openai-throttling) run in optimized plugin-only mode for faster execution, skipping resource and APRL scanning. Use azqr plugins list to see all available plugins.

MCP Server (Model Context Protocol)

Azure Quick Review includes an MCP server that enables AI assistants to interact with azqr functionality:

# Start MCP server in stdio mode (for IDE integration)
azqr mcp

# Start MCP server in HTTP mode (for remote/web access)
azqr mcp --mode http --addr :8080

For detailed MCP configuration, see the Usage documentation.

Filtering Recommendations and more

You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups, and to exclude services or recommendations. To do so, create a YAML file with the following format:

azqr:
  include:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    resourceTypes:
      - <resource type abbreviation> # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
  exclude:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    services:
      - <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
    recommendations:
      - <recommendation_id> # format: <recommendation_id>

Then run the scan with the --filters flag:

azqr scan --filters <path_to_yaml_file>

Check the rules to get the recommendation ids.
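
An exclusion that is mistyped or still holds a template placeholder changes what the scan reports without any visible error, so it is worth linting the filters file before passing it to --filters. The following is an added example, not part of azqr: azqr_lint_filters and sample_filters are hypothetical helpers, the sample values are constructed, and the linter assumes the 2-space layout and key placement shown in the format above and that subscription IDs are GUIDs.

```shell
# Added example, not azqr code. azqr_lint_filters and sample_filters are
# hypothetical helpers; the linter assumes the 2-space layout shown above.
azqr_lint_filters() {
  awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    function is_guid(s) {      # 8-4-4-4-12 hex, the subscription ID shape
      return length(s) == 36 && s ~ /^[0-9a-fA-F-]+$/ && gsub(/-/, "-", s) == 4 &&
        (substr(s, 9, 1) substr(s, 14, 1) substr(s, 19, 1) substr(s, 24, 1)) == "----"
    }
    function in_rg(p) {        # /subscriptions/<guid>/resourceGroups/<name>
      return p[1] == "" && tolower(p[2]) == "subscriptions" && is_guid(p[3]) &&
        tolower(p[4]) == "resourcegroups" && p[5] != ""
    }
    { sub(/[ \t]*#.*$/, "") }                        # strip comments
    /^[ \t]*$/ || /^azqr:[ \t]*$/ { next }
    /^  (include|exclude):[ \t]*$/ { sect = $1; sub(/:$/, "", sect); key = ""; next }
    /^    [A-Za-z]+:[ \t]*$/ {
      key = $1; sub(/:$/, "", key)
      if (!(key == "subscriptions" || key == "resourceGroups" ||
            (sect == "include" && key == "resourceTypes") ||
            (sect == "exclude" && (key == "services" || key == "recommendations"))))
        bad("unexpected key " sect "." key)
      next
    }
    /^      - / {
      val = $0; sub(/^      -[ \t]+/, "", val); sub(/[ \t]+$/, "", val); gsub(/^"|"$/, "", val)
      n = split(val, p, "/")
      if (key == "") bad("entry outside a list: " val)
      else if (val == "") bad("empty entry under " key)
      else if (key == "subscriptions" && !is_guid(val)) bad("not a subscription ID: " val)
      else if (key == "resourceGroups" && !(n == 5 && in_rg(p))) bad("not a resource group ID: " val)
      else if (key == "services" && !(n >= 8 && in_rg(p) && tolower(p[6]) == "providers" && p[7] != "" && p[n] != ""))
        bad("not a service resource ID: " val)
      else if (key == "resourceTypes" && val !~ /^[a-z0-9]+$/) bad("not an abbreviation: " val)
      next
    }
    { bad("unrecognised line: " $0) }
    END { exit (errs > 0) }
  ' "$@"
}

# Constructed sample: the unfilled placeholder on line 4 must be rejected.
sample_filters() {
  cat <<'EOF'
azqr:
  exclude:
    subscriptions:
      - <subscription_id>
    resourceGroups:
      - /subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-demo
EOF
}

sample_filters | azqr_lint_filters || echo "filters file rejected"
```

The function exits non-zero on any finding, so it can gate the scan: azqr_lint_filters filters.yaml && azqr scan --filters filters.yaml.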

Troubleshooting

General Issues

If you encounter any issue while using Azure Quick Review (azqr), please set the AZURE_SDK_GO_LOGGING environment variable to all, run the tool with the --debug flag and then share the console output with us by filing a new issue.

# Enable full debugging output
export AZURE_SDK_GO_LOGGING=all
azqr scan --debug

Cost Analysis Permission Issues

If you encounter an error related to cost analysis access when running azqr scan, such as:

FTL Failed to query costs error="POST https://management.azure.com/subscriptions/.../providers/Microsoft.CostManagement/query
ERROR CODE: AccountCostDisabled
message: "Access to cost data has been disabled for account admins..."

This occurs when your account has READER permissions but lacks access to cost analysis data.

Note: Cost analysis stage is disabled by default.

Building Locally

Make sure you have Go 1.23.x or higher installed in your environment. You can set GOROOT=<path_to_go_libexec> and GOPATH=<path_to_go_dep_folder> if you want to be specific about where to find the Go binary and Go dependencies.

   git clone git@github.com:Azure/azqr.git
   cd azqr
   git submodule init
   git submodule update --recursive
   make

Binary Verification

To verify the authenticity of downloaded binaries, see our Binary Verification Guide.

Support

This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please check our troubleshooting guide.

Please search the existing issues before filing new issues to avoid duplicates.

  • For new issues, file your bug or feature request as a new issue.
  • For help, discussion, and support questions about using this project, join or start a discussion.

Support for this project / product is limited to the resources listed above.

Contributors

Thanks to everyone who has contributed!

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct.

Trademark Notice

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties’ policies.