ignatiev asked ·

Get correct property values in Azure Resource Graph Explorer

Sorry, I am not sure where to post questions about Azure Resource Graph Explorer.

I am trying to get the list of resources with .NET Framework configuration values with Azure Resource Graph Explorer, as in the policy definition "Ensure that '.NET Framework' version is the latest, if used as a part of the API app", but I am unable to query the "Microsoft.Web/sites/config" type. At the same time, when I query just for "Microsoft.Web/sites" I am getting "null" values everywhere.

Thank you for any advice!

Just for information:

My Web Apps query:

resources
| where type == "microsoft.web/sites"

Policy Definition:

{
  "properties": {
    "displayName": "Ensure that '.NET Framework' version is the latest, if used as a part of the API app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.netFrameworkVersion",
            "in": [
              "v3.0",
              "v4.0"
            ]
          }
        }
      }
    }
  }
}

azure-webapps

1 Answer

tbgangav-MSFT answered ·

Hi ignatiev,

Thanks for reaching out!

netFrameworkVersion is provided under siteConfig properties, so you may have to create a column for it (say netFrameworkVersion) using the extend operator. Hence the query would look like:

 resources
 | where type == "microsoft.web/sites" and kind == "app"
 | extend netFrameworkVersion = tostring(properties.['siteConfig'].netFrameworkVersion)

But AFAIK the netFrameworkVersion property in Resource Graph Explorer currently always shows as null, irrespective of the different values a site config would have. @ajkuma-MSFT FYI.


However, as a workaround you may leverage the Az PowerShell cmdlet Get-AzWebApp. Below is the command you may execute to get all web apps that have netFrameworkVersion either v4.0 or v3.0:

 # List every web app in the current subscription (the -like "*" filter matches all of them).
 $WebApps = Get-AzWebApp | ?{ $_.ResourceGroupName -like "*" }
 foreach ($WebApp in $WebApps) {
     $WebAppResourceGroup = $WebApp.ResourceGroup
     $WebAppName = $WebApp.Name
     # Fetch each app individually by resource group and name, then keep it only
     # if its SiteConfig reports .NET Framework v4.0 or v3.0.
     Get-AzWebApp -ResourceGroupName $WebAppResourceGroup -Name $WebAppName | ?{ $_.SiteConfig.NetFrameworkVersion -eq "v4.0" -or $_.SiteConfig.NetFrameworkVersion -eq "v3.0" }
 }


Just to add to this, here's a doc that lists what resource types you can query with Azure Resource Graph: https://docs.microsoft.com/azure/governance/resource-graph/reference/supported-tables-resources

Unfortunately, "Microsoft.Web/sites/config" is not in the list yet. However, there is already a UserVoice request for it (https://feedback.azure.com/forums/915958-azure-governance/suggestions/38686240-resource-graph-support-for-type-microsoft-web-si). Please vote there if this scenario is important to you and provide your business/use case. This helps the team prioritize work.

1 Vote 1 ·

@DCtheGeek thank you! I voted for the feature.


@tbgangav-MSFT thank you for the workaround, hope we will get the correct values in Resource Graph Explorer soon.


1 Vote 1 ·
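
An added example, not part of the original question or answer: it applies the policy rule quoted in the question (kind like "*api", netFrameworkVersion in v3.0/v4.0) to site objects shaped like the Get-AzWebApp output used in the workaround, and reports a status per app. The function name Get-NetFrameworkAudit, the Status values and the sample objects are hypothetical and constructed for illustration.

```powershell
# Added example: names below are hypothetical, not part of the Az module.
$AllowedVersions = @('v3.0', 'v4.0')   # the "in" list from the policy's existenceCondition

function Get-NetFrameworkAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Site
    )
    process {
        # "if" block of the policy: only sites whose kind matches "*api" are in scope.
        if ($Site.Kind -notlike '*api') { return }

        $version = $Site.SiteConfig.NetFrameworkVersion
        $status = if ([string]::IsNullOrEmpty($version)) {
            'Unknown'        # value not populated; never report it as compliant
        } elseif ($version -in $AllowedVersions) {
            'Compliant'
        } else {
            'NonCompliant'
        }

        [pscustomobject]@{
            Name                = $Site.Name
            ResourceGroup       = $Site.ResourceGroup
            Kind                = $Site.Kind
            NetFrameworkVersion = $version
            Status              = $status
        }
    }
}

# Constructed sample objects (not real resources) so the function runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'api-a'; ResourceGroup = 'rg1'; Kind = 'api'; SiteConfig = [pscustomobject]@{ NetFrameworkVersion = 'v4.0' } }
    [pscustomobject]@{ Name = 'api-b'; ResourceGroup = 'rg1'; Kind = 'api'; SiteConfig = [pscustomobject]@{ NetFrameworkVersion = 'v2.0' } }
    [pscustomobject]@{ Name = 'api-c'; ResourceGroup = 'rg2'; Kind = 'api'; SiteConfig = $null }
    [pscustomobject]@{ Name = 'web-d'; ResourceGroup = 'rg2'; Kind = 'app'; SiteConfig = [pscustomobject]@{ NetFrameworkVersion = 'v4.0' } }
)
$sample | Get-NetFrameworkAudit | Format-Table

# Against a live subscription, pipe in the per-app objects the workaround retrieves:
# Get-AzWebApp | ForEach-Object { Get-AzWebApp -ResourceGroupName $_.ResourceGroup -Name $_.Name } | Get-NetFrameworkAudit
```

With the sample input, api-a is Compliant, api-b is NonCompliant, api-c is Unknown, and web-d is skipped because its kind does not match "*api".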