Azure Quick Review (azqr) is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure's best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.

Azure Quick Review (azqr) scans your resources with 2 types of recommendations:

• Azure Resource Graph (ARG) queries provided by the Azure Proactive Resiliency Library v2 (APRL) and the Azure Orphaned Resources (https://github.com/dolevshor/azure-orphan-resources) projects
• Azure Resource Manager (ARM) rules built with the Azure Golang SDK

To learn more about the recommendations used by Azure Quick Review (azqr), you can refer to the documentation available here.

The output generated by Azure Quick Review (azqr) is written by default to an Excel file, which contains the following sheets:

• Recommendations: Action plan listing all recommendations with the count of impacted resources.
• ImpactedResources: Resources that have issues to address.
• ResourceTypes: Summary of impacted resource types.
• Inventory: All scanned resources with details (SKU, Tier, Kind, calculated SLA).
• OutOfScope: Resources that were not scanned.

• Advisor: Recommendations from Azure Advisor. Disable with --stages -advisor.
• Defender: Microsoft Defender for Cloud plans and tiers. Disable with --stages -defender.

• DefenderRecommendations: Defender for Cloud recommendations. Enable with --stages defender-recommendations.
• Azure Policy: Non-compliant resources based on Azure Policy. Enable with --stages policy.
• Arc SQL: Azure Arc-enabled SQL Server instances. Enable with --stages arc.
• Costs: Cost data for the last calendar month. Enable with --stages cost.

By default, Azure Quick Review (azqr) obfuscates the Subscription Ids in the output to ensure the protection of sensitive information and maintain data privacy and security. If you want to display the Subscription Ids without obfuscation, you can use the --mask=false flag when executing the tool.

Azure Quick Review can also generate an csv files with the same information as the excel. To generate the csv files, you can use the --csv flag when running the tool.

For the full list of resource type abbreviations used in filters, see the Overview documentation.

bash -c "$(curl -fsSL https://raw.githubusercontent.com/azure/azqr/main/scripts/install.sh)"

winget install azqr

Or via PowerShell:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/azure/azqr/main/scripts/install.ps1'))

brew install azqr

Or download the latest release from the releases page.

# 1. Login to Azure
az login

# 2. Run a scan (scans all accessible subscriptions)
azqr scan

# 3. View results in interactive dashboard
azqr show -f azqr_action_plan_*.xlsx --open

The scan generates an Excel report with recommendations, impacted resources, and an action plan.

Azure Quick Review (azqr) supports the following authentication methods:

• Service Principal. You'll need to set the following environment variables:
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET
  • AZURE_TENANT_ID
• Azure Managed Identity
• Azure CLI (Using this type of authentication will make scans run slower)

Azure Quick Review (azqr) uses the Azure SDK's DefaultAzureCredential which automatically selects the most appropriate credential based on your environment. By default, it tries credentials in order: environment variables, workload identity, managed identity, Azure CLI, and Azure Developer CLI.

You can customize this behavior by setting the AZURE_TOKEN_CREDENTIALS environment variable:

• dev - Prioritize Azure CLI (az) or Azure Developer CLI (azd) credentials (recommended for local development)
• prod - Prioritize environment variables, workload identity, or managed identity (recommended for CI/CD and production)

Azure Quick Review (azqr) requires the following permissions:

• Reader over Subscription or Management Group scope (required for all scans)

Azure Quick Review (azqr) supports scanning resources in different Azure cloud environments including Azure Public Cloud, Azure Government, Azure China, and custom cloud configurations.

You can configure the target cloud using environment variables such as AZURE_CLOUD, AZURE_AUTHORITY_HOST, AZURE_RESOURCE_MANAGER_ENDPOINT, and AZURE_RESOURCE_MANAGER_AUDIENCE.

For detailed cloud configuration options and examples, see the Usage section in the documentation.

To find your subscription ID, run az account list --output table.

# Scan all accessible subscriptions
azqr scan

# Scan a specific subscription
azqr scan --subscription-id <subscription_id>

# Scan a management group
azqr scan --management-group-id <management_group_id>

# Scan specific resource group(s)
azqr scan --subscription-id <sub_id> --resource-group <rg_name>

# Scan multiple subscriptions
azqr scan --subscription-id <sub_1> --subscription-id <sub_2>

# Custom output filename
azqr scan --output-name my-report

# Output as JSON or CSV
azqr scan --json
azqr scan --csv

Run azqr -h for all available commands and options.

You can explore your scan results with a lightweight embedded web UI using the show command. The dashboard supports both Excel and JSON report formats:

1. Generate a report (Excel or JSON):

# Excel format (default)
azqr scan --subscription-id <subscription_id> --output-name report

# JSON format
azqr scan --subscription-id <subscription_id> --output-name report --json

2. Launch the dashboard:

# With Excel file
azqr show -f report.xlsx --open

# With JSON file
azqr show -f report.json --open

Azure Quick Review allows you to control which scan stages are executed. By default, diagnostics, advisor, and defender stages are enabled.

• advisor: Azure Advisor recommendations
• defender: Microsoft Defender for Cloud status
• defender-recommendations: Microsoft Defender for Cloud recommendations
• arc: Azure Arc-enabled SQL Server instances
• policy: Azure Policy compliance states
• cost: Cost analysis for the last 3 months
• diagnostics: Diagnostic settings scan

# Enable specific stages (replaces defaults)
azqr scan --stages cost --stages policy

# Disable specific stages (keeps other defaults)
azqr scan --stages -diagnostics

# Enable all stages
azqr scan --stages advisor --stages defender --stages defender-recommendations --stages arc --stages policy --stages cost --stages diagnostics

# Disable cost stage only (if you lack permissions)
azqr scan --stages -cost

Azure Quick Review includes optional internal plugins that provide advanced analytics beyond standard recommendations. Plugins can be run as standalone commands for faster execution or integrated with full scans.

Monitors Azure OpenAI and Cognitive Services accounts for throttling (HTTP 429 errors) to identify capacity constraints.

• Tracks throttling by hour, model, and deployment
• Analyzes spillover configuration effectiveness
• Reports request counts by status code

Use Cases: Capacity planning, troubleshooting throttling, optimizing deployment configuration

# Run as standalone command (fast, plugin-only mode)
azqr openai-throttling

# Or integrate with full scan
azqr scan --plugin openai-throttling

Analyzes carbon emissions by Azure resource type to support sustainability reporting and optimization. Results appear in a dedicated Carbon Emissions sheet in the Excel output (or in pluginResults for JSON).

• Tracks emissions by resource type
• Calculates month-over-month trends
• Aggregates across subscriptions

Use Cases: Sustainability reporting, compliance, environmental impact analysis

# Run as standalone command (fast, plugin-only mode)
azqr carbon-emissions

# Or integrate with full scan
azqr scan --plugin carbon-emissions

Retrieves logical-to-physical availability zone mappings for all Azure regions in each subscription.

• Maps logical zones (1, 2, 3) to physical zone identifiers
• Reveals subscription-specific zone mappings
• Essential for multi-subscription architectures

Use Cases: Multi-subscription architecture design, DR planning with zone awareness, zone alignment

# Run as standalone command (fast, plugin-only mode)
azqr zone-mapping

# Compare mappings across subscriptions
azqr zone-mapping --subscription-id sub1 --subscription-id sub2

# Or integrate with full scan
azqr scan --plugin zone-mapping

Internal Plugins Documentation

azqr scan --subscription-id <sub-id> \
  --plugin openai-throttling \
  --plugin carbon-emissions \
  --plugin zone-mapping \
  --output-name comprehensive-analysis

Results from all enabled plugins are included in the Excel, JSON, or CSV output.

Plugin commands (e.g., azqr openai-throttling) run in optimized plugin-only mode for faster execution, skipping resource and APRL scanning. Use azqr plugins list to see all available plugins.

Azure Quick Review includes an MCP server that enables AI assistants to interact with azqr functionality:

# Start MCP server in stdio mode (for IDE integration)
azqr mcp

# Start MCP server in HTTP mode (for remote/web access)
azqr mcp --mode http --addr :8080

For detailed MCP configuration, see the Usage documentation.

You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:

azqr:
  include:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    resourceTypes:
      - <resource type abbreviation> # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
  exclude:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    services:
      - <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
    recommendations:
      - <recommendation_id> # format: <recommendation_id>

Then run the scan with the --filters flag:

azqr scan --filters <path_to_yaml_file>

Check the rules to get the recommendation ids.

If you encounter any issue while using Azure Quick Review (azqr), please set the AZURE_SDK_GO_LOGGING environment variable to all, run the tool with the --debug flag and then share the console output with us by filing a new issue.

# Enable full debugging output
export AZURE_SDK_GO_LOGGING=all
azqr scan --debug

If you encounter an error related to cost analysis access when running azqr scan, such as:

FTL Failed to query costs error="POST https://management.azure.com/subscriptions/.../providers/Microsoft.CostManagement/query
ERROR CODE: AccountCostDisabled
message: "Access to cost data has been disabled for account admins..."

This occurs when your account has READER permissions but lacks access to cost analysis data.

Note: Cost analysis stage is disabled by default.

Make sure you have Go 1.23.x or higher installed in your environment. You can set GOROOT=<path_to_go_libexec> folder and GOPATH=<path_to_go_dep_folder> if you want to be specific about where to find Go binary and Go dependencies.

   git clone git@github.com:Azure/azqr.git
   cd azqr
   git submodule init
   git submodule update --recursive
   make

To verify the authenticity of downloaded binaries, see our Binary Verification Guide.

This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please check our troubleshooting guide.

Please search the existing issues before filing new issues to avoid duplicates.

• For new issues, file your bug or feature request as a new issue.
• For help, discussion, and support questions about using this project, join or start a discussion.

Support for this project / product is limited to the resources listed above.

Thanks to everyone who has contributed!

This project has adopted the Microsoft Open Source Code of Conduct

Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.