List all changes made in your Azure environment in one query using Azure Resource Graph

Azure, resource graph 1 Minute

azure

The kusto query below is using the new ResourceChanges resource, and will give you a list of all changes made in your Azure environment, create, update, delete, automatic or manual, it will all be there. (Where you have access).
This is a great way to keep track of what is happening in and to your environment.

You will get the following info from each change made:

Subcription Name
ChangeTime
ResourceName
ResourceType
ResourceGroup
ChangeType
SubscriptionName
SubscriptionId
TargetResourceId
CorrelationId
ChangeCount
ChangedProperties

This list can get pretty long, so it can be a good idea to filer and sort a bit. Especially on the timeframe (in the sample query, it is set to 7 days).
Filter can be applies to subscription, dates, resource groups, resource name, type, etc.
Example:

| where resourceGroup contains “production”
Will give you only the changes made to RG’s with production in the name.

| where resourceType = “virtualMachines”
Will give you only the changes made to resources of type Virtual Machine.

Open the Azure portal, find ‘Azure Resource Graph Explorer’, then paste the following query in the query windows and hit run.

ResourceChanges
| join kind=inner
   (resourcecontainers
   | where type == 'microsoft.resources/subscriptions'
   | project subscriptionId, subscriptionName = name)
   on subscriptionId
| extend changeTime = todatetime(properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId),
changeType = tostring(properties.changeType), correlationId = properties.changeAttributes.correlationId,
changedProperties = properties.changes, changeCount = properties.changeAttributes.changesCount
| extend resourceName = tostring(split(targetResourceId, '/')[-1])
| extend resourceType = tostring(split(targetResourceId, '/')[-2])
| where changeTime > ago(7d)
// Change the time span as preferred, 1d(1 day/24h), 7d, 30d...
| where subscriptionName contains "DevTest" // "" for all subscriptions
| order by changeType asc, changeTime desc
// Change what you sort by as prefered, type, time, subscriptionName, etc.
| project changeTime, resourceName, resourceType, resourceGroup, changeType, subscriptionName, subscriptionId, targetResourceId, 
correlationId, changeCount, changedProperties
ResourceChanges1
As this is a functionality in public preview at the time of posting, the following applies:

Important!
Resource configuration changes is in Public Preview and only supports changes to resource types from the Resources table in Resource Graph. This does not yet include changes to the resource container resources, such as Management groups, Subscriptions, and Resource groups.

Happy resource mining!

References

https://docs.microsoft.com/en-us/azure/governance/resource-graph/how-to/get-resource-changes


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Advertisement

Published by Thomas Balkeståhl

Yup, this is me!

Published

2 thoughts on “List all changes made in your Azure environment in one query using Azure Resource Graph

  1. Hi Thomas, I refer to your article (List all changes made in your Azure environment in one query using Azure Resource Graph). Looking for a way to run Azure Resource Graph query from Power BI, do you know how ?

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s