Querying Azure Resource Graph for Resource Configuration Changes

Azure's Resource Configuration Changes feature has been in public preview for a few days now and I thought we should give it a try and see what it has to offer!

Resource Configuration Changes aims to provide more information on changes applied to Azure resources through Resource Graph Explorer. 

If you search for "Resource Graph" in the Azure Portal search, one of the results will be Resource Graph Explorer:


The look and feel of the Resource Graph Explorer is pretty similar to Log Analytics workspaces:

On the left, we have the tables we can query and in the middle is the well-known query window, where we type and execute our queries.

To get information about the changes that have been applied to Azure resources, we'll be querying the 
resourcechanges namespace:

We can see the available properties to query against by starting with a simple where clause. Let's get all the changes in a specific subscription:

As you can imagine, this query will return a very large dataset. The way I find it easier to filter the results is by the id of the resource that we're interested in or the resource group.

If you know the id of the resource you'd like to know more about, you can use it in the filter like below:

Here we've also projected the properties property of the result to get the information regarding the change that has been applied. If you click on the See details button, a window will pop up and show the JSON data in a more readable format.
In this case, the only change we have is the creation of the vNet resource.

I have now added a subnet to the vNet and we're going to use the very same query to get the changes. Hopefully, there will be another row in the results that will show the update:

As you can see in the result, a change was performed by a user where a new subnet property has been inserted into the specific resource.

You may be wondering why I'm using the startswith verb in the query. It's because I do not want to miss any resources that may be child resources of the resource in question. Knowing the way identities are assigned in Azure, the id of a child resource always starts with the id of the parent.

More information on this new feature is available over here. This documentation link also contains some useful query examples that will get you started, like the changes during the last day or the deletions in a resource group. 

Popular posts from this blog

Domain Controller Machine Password Reset

Image
On my lab environment, I've configured two Active Directory sites since most enterprises have offices in more that one places. My lab however is not running 24/7 and the domain controllers in the second site are rarely turned on in order to save resources. This leads to issues with the Active Directory replication such as the "The target principal name is incorrect" error when I execute:  repadmin /syncall /AdeP. To remedy the issue, we have to reset the machine password of the domain controller that has been offline. First off, we are going to stop and disable the Kerberos Key Distribution Center (kdc) service on the problematic domain controller, in our case DC4. There may be some tickets in the cache so we should also clear them using klist purge Now it's time to change the machine password of the domain controller using the command netdom resetpwd /s:dc3 /ud:lab\administrator /pd:* Replace the "lab\administrator" with an account on your
Keep reading

Configuring a Certificate on Exchange Receive Connector

Today's article is about configuring Exchange receive connectors with specific certificates. Out of the box, Exchange uses self signed certificates to provide TLS secured mail flow. This will definitely be an issue if you expose the SMTP protocol to client computers since they won't trust the certificate. In this article we are going to configure a certificate that was issued by a third part authority to the Client Frontend receive connector. We'll start with getting the thumbprint of the certificate using the Get-ExchangeCertificate cmdlet: [PS] C:\> Get-ExchangeCertificate Thumbprint                               Subject ----------                               ------- 241B864DC82C664FECBA18B8D54987AAFB65B4C2 CN=*.lab.com, ... D4D210886B34E690191A1F008C78FDD0E7325DD4 CN=Exchange2013A 960171662EB261162F9C8CBE12E0B75D6F06ABB0 CN=Microsoft Exchange Server Auth Certificate 2690324B827A9F2B75D59104F81CAAA57CDD627B CN=WMSvc-Exchange2013A [PS]
Keep reading

Running Multiple NGINX Ingress Controllers in AKS

Image
In some of the previous articles of this blog, we went through the process of installing NGINX as the Ingress Controller in AKS clusters. Either for applications that should be available directly from the public internet, or for applications that should only be accessed from networks considered internal. In the majority of the cases, however, and given that an AKS cluster is an environment that is designed to host multiple applications and provide economy at scale, additional ingress controllers may be required. In this post, we're going to go through the process of deploying an additional NGINX ingress controller that is going to be used for internal applications. The below diagram depicts the desired outcome: The Angular application is published via the public NGINX through the Azure Load Balancer that has been assigned a public IP. The .NET app is published by a different set of NGINX pods that are deployed in a different namespace and their ingress controller service is connect
Keep reading