Azure Quick Review (azqr) is a command-line interface (CLI) tool designed to analyze Azure resources and identify those that may or may not comply with Azure best practices and recommendations. It helps users ensure their Azure environments meet established standards for security, performance, and cost-efficiency.
Key Features:
Comprehensive Recommendations: Analyzes resources using three types of recommendations:
Azure Resource Graph (ARG) queries from the Azure Proactive Resiliency Library v2 (APRL).
Azure Resource Manager (ARM) rules built with the Azure Golang SDK.
Orphan resource detection via ARG queries from the Azure Orphan Resources project.
Detailed Output: Results are exported to an Excel file containing multiple sheets, including recommendations, impacted resources, resource types, inventory, Azure Advisor insights, Microsoft Defender for Cloud recommendations, and more.
Cost Analysis: Includes a detailed breakdown of costs associated with scanned subscriptions over the past three months.
Power BI Integration: Generates a Power BI template to visualize scan results, aiding in deeper analysis and reporting.
Customizable Output: Supports generating CSV files and offers options to control data obfuscation (e.g., hiding subscription IDs) for enhanced privacy.
Audience & Benefit:
Ideal for IT professionals, cloud architects, and DevOps engineers who need to ensure Azure environments adhere to best practices. By using azqr, users can optimize resource configurations, reduce operational costs, enhance security compliance, and improve overall environment resilience.
Available via winget for easy installation on Windows systems.
README
Azure Quick Review
Azure Quick Review (azqr) is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure's best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.
Azure Quick Review Recommendations
Azure Quick Review (azqr) scans your resources with 2 types of recommendations:
Recommendations: Action plan listing all recommendations with the count of impacted resources.
ImpactedResources: Resources that have issues to address.
ResourceTypes: Summary of impacted resource types.
Inventory: All scanned resources with details (SKU, Tier, Kind, calculated SLA).
OutOfScope: Resources that were not scanned.
Optional Sheets (enabled by default)
Advisor: Recommendations from Azure Advisor. Disable with --stages -advisor.
Defender: Microsoft Defender for Cloud plans and tiers. Disable with --stages -defender.
Optional Sheets (disabled by default)
DefenderRecommendations: Defender for Cloud recommendations. Enable with --stages defender-recommendations.
Azure Policy: Non-compliant resources based on Azure Policy. Enable with --stages policy.
Arc SQL: Azure Arc-enabled SQL Server instances. Enable with --stages arc.
Costs: Cost data for the last calendar month. Enable with --stages cost.
> By default, Azure Quick Review (azqr) obfuscates the Subscription Ids in the output to ensure the protection of sensitive information and maintain data privacy and security. If you want to display the Subscription Ids without obfuscation, you can use the --mask=false flag when executing the tool.
> Azure Quick Review can also generate an csv files with the same information as the excel. To generate the csv files, you can use the --csv flag when running the tool.
Supported Azure Services
Click to expand supported services (70+ resource types)
Or download the latest release from the releases page.
Quick Start
# 1. Login to Azure
az login
# 2. Run a scan (scans all accessible subscriptions)
azqr scan
# 3. View results in interactive dashboard
azqr show -f azqr_action_plan_*.xlsx --open
The scan generates an Excel report with recommendations, impacted resources, and an action plan.
Usage
Authentication
Azure Quick Review (azqr) supports the following authentication methods:
Service Principal. You'll need to set the following environment variables:
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
Azure Managed Identity
Azure CLI (Using this type of authentication will make scans run slower)
Credential Chain Configuration
Azure Quick Review (azqr) uses the Azure SDK's DefaultAzureCredential which automatically selects the most appropriate credential based on your environment. By default, it tries credentials in order: environment variables, workload identity, managed identity, Azure CLI, and Azure Developer CLI.
You can customize this behavior by setting the AZURE_TOKEN_CREDENTIALS environment variable:
dev - Prioritize Azure CLI (az) or Azure Developer CLI (azd) credentials (recommended for local development)
prod - Prioritize environment variables, workload identity, or managed identity (recommended for CI/CD and production)
Authorization
Azure Quick Review (azqr) requires the following permissions:
Reader over Subscription or Management Group scope (required for all scans)
Cloud Configuration
Azure Quick Review (azqr) supports scanning resources in different Azure cloud environments including Azure Public Cloud, Azure Government, Azure China, and custom cloud configurations.
You can configure the target cloud using environment variables such as AZURE_CLOUD, AZURE_AUTHORITY_HOST, AZURE_RESOURCE_MANAGER_ENDPOINT, and AZURE_RESOURCE_MANAGER_AUDIENCE.
> For detailed cloud configuration options and examples, see the Usage section in the documentation.
Running Scans
To find your subscription ID, run az account list --output table.
# Scan all accessible subscriptions
azqr scan
# Scan a specific subscription
azqr scan --subscription-id
# Scan a management group
azqr scan --management-group-id
# Scan specific resource group(s)
azqr scan --subscription-id --resource-group
# Scan multiple subscriptions
azqr scan --subscription-id --subscription-id
# Custom output filename
azqr scan --output-name my-report
# Output as JSON or CSV
azqr scan --json
azqr scan --csv
Run azqr -h for all available commands and options.
Interactive Dashboard (show command)
You can explore your scan results with a lightweight embedded web UI using the show command. The dashboard supports both Excel and JSON report formats:
Generate a report (Excel or JSON):
# Excel format (default)
azqr scan --subscription-id --output-name report
# JSON format
azqr scan --subscription-id --output-name report --json
Launch the dashboard:
# With Excel file
azqr show -f report.xlsx --open
# With JSON file
azqr show -f report.json --open
Controlling Scan Stages
Azure Quick Review allows you to control which scan stages are executed. By default, diagnostics, advisor, and defender stages are enabled.
Available Stages
advisor: Azure Advisor recommendations
defender: Microsoft Defender for Cloud status
defender-recommendations: Microsoft Defender for Cloud recommendations
arc: Azure Arc-enabled SQL Server instances
policy: Azure Policy compliance states
cost: Cost analysis for the last 3 months
diagnostics: Diagnostic settings scan
Stage Control Examples
# Enable specific stages (replaces defaults)
azqr scan --stages cost --stages policy
# Disable specific stages (keeps other defaults)
azqr scan --stages -diagnostics
# Enable all stages
azqr scan --stages advisor --stages defender --stages defender-recommendations --stages arc --stages policy --stages cost --stages diagnostics
# Disable cost stage only (if you lack permissions)
azqr scan --stages -cost
Advanced Features
Azure Quick Review includes optional internal plugins that provide advanced analytics beyond standard recommendations. Plugins can be run as standalone commands for faster execution or integrated with full scans.
OpenAI Throttling Monitor
Monitors Azure OpenAI and Cognitive Services accounts for throttling (HTTP 429 errors) to identify capacity constraints.
Tracks throttling by hour, model, and deployment
Analyzes spillover configuration effectiveness
Reports request counts by status code
Use Cases: Capacity planning, troubleshooting throttling, optimizing deployment configuration
# Run as standalone command (fast, plugin-only mode)
azqr openai-throttling
# Or integrate with full scan
azqr scan --plugin openai-throttling
Carbon Emissions Tracking
Analyzes carbon emissions by Azure resource type to support sustainability reporting and optimization. Results appear in a dedicated Carbon Emissions sheet in the Excel output (or in pluginResults for JSON).
Tracks emissions by resource type
Calculates month-over-month trends
Aggregates across subscriptions
Use Cases: Sustainability reporting, compliance, environmental impact analysis
# Run as standalone command (fast, plugin-only mode)
azqr carbon-emissions
# Or integrate with full scan
azqr scan --plugin carbon-emissions
Zone Mapping
Retrieves logical-to-physical availability zone mappings for all Azure regions in each subscription.
Maps logical zones (1, 2, 3) to physical zone identifiers
Reveals subscription-specific zone mappings
Essential for multi-subscription architectures
Use Cases: Multi-subscription architecture design, DR planning with zone awareness, zone alignment
# Run as standalone command (fast, plugin-only mode)
azqr zone-mapping
# Compare mappings across subscriptions
azqr zone-mapping --subscription-id sub1 --subscription-id sub2
# Or integrate with full scan
azqr scan --plugin zone-mapping
Results from all enabled plugins are included in the Excel, JSON, or CSV output.
> Plugin commands (e.g., azqr openai-throttling) run in optimized plugin-only mode for faster execution, skipping resource and APRL scanning. Use azqr plugins list to see all available plugins.
MCP Server (Model Context Protocol)
Azure Quick Review includes an MCP server that enables AI assistants to interact with azqr functionality:
# Start MCP server in stdio mode (for IDE integration)
azqr mcp
# Start MCP server in HTTP mode (for remote/web access)
azqr mcp --mode http --addr :8080
You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:
If you encounter any issue while using Azure Quick Review (azqr), please set the AZURE_SDK_GO_LOGGING environment variable to all, run the tool with the --debug flag and then share the console output with us by filing a new issue.
# Enable full debugging output
export AZURE_SDK_GO_LOGGING=all
azqr scan --debug
Cost Analysis Permission Issues
If you encounter an error related to cost analysis access when running azqr scan, such as:
FTL Failed to query costs error="POST https://management.azure.com/subscriptions/.../providers/Microsoft.CostManagement/query
ERROR CODE: AccountCostDisabled
message: "Access to cost data has been disabled for account admins..."
This occurs when your account has READER permissions but lacks access to cost analysis data.
> Note: Cost analysis stage is disabled by default.
Building Locally
Make sure you have Go 1.23.x or higher installed in your environment. You can set GOROOT= folder and GOPATH= if you want to be specific about where to find Go binary and Go dependencies.
git clone git@github.com:Azure/azqr.git
cd azqr
git submodule init
git submodule update --recursive
make
> Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.
