What is KQL and why do Azure administrators need to learn it?

KQL (Kusto Query Language) is the query language for Azure Resource Graph, Log Analytics, Application Insights, and Microsoft Sentinel. Azure administrators need KQL to inventory resources across subscriptions, troubleshoot configuration issues, generate compliance reports, and analyze infrastructure at scale. Unlike Azure Portal's GUI which is subscription-limited, KQL queries can scan all 44+ subscriptions in seconds, join resource data with cost information, and export results for automation. No Azure certification adequately teaches operational KQL - the AZ-104 exam shows only two sample queries with zero coverage of joins, performance optimization, or production query patterns.

What is the difference between Azure Resource Graph and Log Analytics KQL?

Azure Resource Graph queries infrastructure metadata (resource properties, configurations, tags, locations) using the Resources and ResourceContainers tables. Log Analytics queries runtime telemetry (logs, metrics, performance data) from Azure Monitor. Resource Graph is perfect for 'what resources exist and how are they configured' questions. Log Analytics is perfect for 'what is happening right now' questions. Both use KQL syntax but query different data sources. Resource Graph is faster for infrastructure inventory (scans 31,000 resources in 2-3 seconds). Log Analytics has deeper time-series data but requires agents or diagnostic settings to collect data.

How do I query all VMs across multiple Azure subscriptions with KQL?

Use Azure Resource Graph Explorer with this query: Resources | where type == 'microsoft.compute/virtualmachines' | project name, location, resourceGroup, subscriptionId, properties.hardwareProfile.vmSize, properties.storageProfile.osDisk.osType | order by name asc. This scans all subscriptions you have access to (no subscription switching required), returns VM name, location, resource group, subscription, VM size, and OS type in under 3 seconds for environments with 1,000+ VMs. Add '| where subscriptionId == "{subscription-id}"' to filter to specific subscriptions. Add tags with '| extend environment = tostring(tags.Environment)' to include tag data.

What are the most useful KQL operators for Azure Resource Graph queries?

Essential KQL operators for Azure Resource Graph: (1) where - filters rows by condition, (2) project - selects specific columns to return, (3) extend - adds calculated columns without removing existing ones, (4) summarize - aggregates data with count(), sum(), avg(), (5) join - combines data from multiple tables, (6) order by - sorts results, (7) take/limit - returns top N rows, (8) distinct - returns unique values, (9) mv-expand - expands multi-value arrays into separate rows, (10) parse - extracts data from strings. Most production queries use where, project, and extend for basic inventory. Advanced queries add join for cost analysis and summarize for reporting.

How can I use KQL to find Azure resources without required tags?

Query untagged resources with: Resources | where tags !has 'Environment' or tags !has 'Application' or tags !has 'CostCenter' | project name, type, resourceGroup, subscriptionId, tags | order by type asc. This identifies resources missing Environment, Application, or CostCenter tags across all subscriptions. For more sophisticated tag validation, use: Resources | extend hasEnv = isnotnull(tags.Environment), hasApp = isnotnull(tags.Application), hasCost = isnotnull(tags.CostCenter) | where hasEnv == false or hasApp == false or hasCost == false | project name, type, hasEnv, hasApp, hasCost, tags. Export results to CSV for remediation tracking. This pattern is critical for FinOps chargeback models and compliance reporting.

Where should I run KQL queries for Azure infrastructure?

Run Azure Resource Graph KQL queries in: (1) Azure Portal Resource Graph Explorer (search 'resource-graph' in portal) - best for ad-hoc queries and testing, (2) Azure CLI with 'az graph query' command - best for automation and CI/CD pipelines, (3) PowerShell with 'Search-AzGraph' cmdlet - best for Windows automation and reporting scripts, (4) Azure Workbooks - best for interactive dashboards and scheduled reports. Resource Graph Explorer supports query history, sample queries, and keyboard shortcuts (Ctrl+Space for autocomplete). Always test queries in the portal before embedding in automation. Use query comments (// or /* */) to document complex logic for team knowledge sharing.

KQL Cheat Sheet: Getting Started with Azure Resource Graph

This guide is part of our Azure Governance hub covering policy enforcement, compliance frameworks, and enterprise controls.

Note: No Azure certification teaches KQL for operational queries. The AZ-104 exam shows you two sample queries. That's it. No Resource Graph training. No joins. No performance optimization. Nothing about the queries you'll actually write daily.

I wrote about this gap: The Azure Role Microsoft Forgot to Certify. Until Microsoft fixes this, here's the KQL guide you need.

What is KQL?

Kusto Query Language (KQL) is the query language for Azure Resource Graph, Log Analytics, and Microsoft Sentinel. If you manage Azure resources, you need to know KQL.

This cheat sheet focuses on Azure Resource Graph - querying your Azure infrastructure metadata to inventory resources, check configurations, and troubleshoot issues.

📥 Want this as a PDF? Download the free KQL cheat sheet PDF with all 15 essential queries formatted for printing and offline reference.

Download Free KQL Cheat Sheet PDF →

Getting Started

Where to Run: Azure Portal > Resource Graph Explorer (search "resource-graph" in the portal).

Key Tables:
- Resources: Contains all Azure resources (VMs, NICs, disks, storage, etc.)
- ResourceContainers: Contains subscriptions and resource groups

Basic Query Structure: Start with a table name, pipe (|) to operators like where, join, or project.

Example:

Resources
| where type == "microsoft.compute/virtualmachines"
| project name, location, resourceGroup

Your First 3 Queries

1. List All Your VMs

Resources
| where type == "microsoft.compute/virtualmachines"
| project name, location, resourceGroup

What it does: Shows every VM across all your subscriptions.

2. Find VMs in a Specific Resource Group

Resources  
| where type == "microsoft.compute/virtualmachines"
| where resourceGroup == "Production-RG"
| project name, location

What it does: Filters to VMs in one resource group only.

3. Count VMs by Location

Resources
| where type == "microsoft.compute/virtualmachines" 
| summarize count() by location

What it does: Shows how many VMs you have in each Azure region.

Core KQL Concepts

Tables = Your Data Sources

Think of tables like Excel sheets - each contains different types of data:
- Resources = all your Azure resources
- ResourceContainers = subscriptions and resource groups

Where = Your Filter

Like Excel filters - narrows down your data:

| where type == "microsoft.compute/virtualmachines"
| where location == "eastus"

Always filter early for better performance.

Project = Your Columns

Selects which columns to display:

| project name, location, resourceGroup

Keeps output clean and focused.

Summarize = Aggregations

Count, sum, or group your data:

| summarize count() by location
| summarize avg(properties.diskSizeGB) by resourceGroup

15 Essential Queries

Query 1: List All VMs

Resources
| where type == "microsoft.compute/virtualmachines"
| project name, location, resourceGroup

Query 2: List All Storage Accounts

Resources
| where type == "microsoft.storage/storageaccounts"
| project name, location, resourceGroup

Query 3: Find Resources by Tag

Resources
| where tags["Environment"] == "Production"
| project name, type, resourceGroup

Query 4: Count Resources by Type

Resources
| summarize count() by type
| order by count_ desc

Query 5: List All Network Interfaces

Resources
| where type == "microsoft.network/networkinterfaces"
| project name, location, resourceGroup

Query 6: Find Untagged Resources

Resources
| where type in ("microsoft.compute/virtualmachines", "microsoft.storage/storageaccounts")
| where isnull(tags) or array_length(bag_keys(tags)) == 0
| project name, type, resourceGroup

Query 7: List All Managed Disks

Resources
| where type == "microsoft.compute/disks"
| project name, location, resourceGroup

Query 8: Count Resources by Location

Resources
| summarize count() by location
| order by count_ desc

Query 9: Find VMs with Specific OS

Resources
| where type == "microsoft.compute/virtualmachines"
| extend OSType = tostring(properties.storageProfile.osDisk.osType)
| where OSType == "Linux"
| project name, OSType, resourceGroup

Query 10: List Public IP Addresses

Resources
| where type == "microsoft.network/publicipaddresses"
| project name, location, resourceGroup

Query 11: Find Large Disks (>100GB)

Resources
| where type == "microsoft.compute/disks"
| extend DiskSizeGB = toint(properties.diskSizeGB)
| where DiskSizeGB > 100
| project name, DiskSizeGB, resourceGroup

Query 12: List All Resource Groups

ResourceContainers
| where type == "microsoft.resources/resourcegroups"
| project name, location

Query 13: Count VMs by Resource Group

Resources
| where type == "microsoft.compute/virtualmachines"
| summarize VMCount = count() by resourceGroup
| order by VMCount desc

Query 14: Find Resources in Specific Subscription

Resources
| where subscriptionId == "your-subscription-id-here"
| summarize count() by type

Query 15: Get VM with Network Details

Resources
| where type == "microsoft.compute/virtualmachines"
| extend NetworkInterfaceId = tostring(properties.networkProfile.networkInterfaces[0].id)
| project name, NetworkInterfaceId, resourceGroup

What You've Learned

You now know how to:
- ✅ Query Azure Resource Graph
- ✅ Filter resources by type, location, tags
- ✅ Count and aggregate resources
- ✅ Find untagged resources
- ✅ Extract basic properties from resources

🔒 Enterprise KQL Library: Migration Discovery Queries

The 15 queries above cover the fundamentals.
Ready for production-level migration discovery?

Join 500+ Azure Architects and get the 47-Query Enterprise Library in a searchable PDF + my weekly operations brief.

✔️ 47 production-tested queries • ✔️ Migration discovery workflows • ✔️ Advanced joins & aggregations
Instant PDF delivery • No spam • Unsubscribe anytime

🚀 KQL for Migration Discovery (Preview)

Before you touch Azure Migrate, you need accurate inventory data. These queries answer the 55 questions in the Azure Migration Assessment Pro without guesswork.

Note: The complete migration discovery queries (15+ additional queries) are included in the Enterprise Library above. Below is a preview of what's included.

Critical Migration Questions KQL Can Answer:

Infrastructure Discovery:

// Question #10-12: Platform, OS, and Server Count
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend osType = properties.storageProfile.osDisk.osType
| extend osVersion = properties.storageProfile.imageReference.sku
| summarize 
    TotalVMs = count(),
    Windows = countif(osType =~ 'Windows'),
    Linux = countif(osType =~ 'Linux')
    by osType, osVersion
| order by TotalVMs desc

Dependency Mapping:

// Question #15-16: Load Balancer Dependencies & Public Exposure
Resources
| where type =~ 'microsoft.network/loadbalancers'
| extend frontendConfig = properties.frontendIPConfigurations
| mvexpand frontendConfig
| extend 
    publicIP = frontendConfig.properties.publicIPAddress.id,
    privateIP = frontendConfig.properties.privateIPAddress
| project name, resourceGroup, 
    hasPublicIP = isnotnull(publicIP),
    privateIP, location

Cost Discovery:

// Question #43-44: Resource Count by Application
Resources
| where type =~ 'microsoft.compute/virtualmachines'
    or type =~ 'microsoft.storage/storageaccounts'
    or type =~ 'microsoft.network/virtualnetworks'
| extend appName = tostring(tags['Application'])
| where isnotempty(appName)
| summarize 
    VMs = countif(type =~ 'microsoft.compute/virtualmachines'),
    Storage = countif(type =~ 'microsoft.storage/storageaccounts'),
    TotalResources = count()
    by appName, resourceGroup
| order by TotalResources desc

🎯 The Migration Discovery Workflow:

Run these queries → Answers 25 of 55 migration questions
Export to Excel → Paste into Migration Assessment Pro
Auto-fill confidence → High (KQL-verified), not Low (guessed)
Remaining 30 questions → Manual discovery (app owners, licensing docs)

Time saved: 10-15 hours per application

Want All 48 Migration Discovery Queries?

The Complete KQL Query Library ($19) includes:
- ✅ Dependency mapping queries - Find load balancers, VNets, NSGs per app
- ✅ Licensing audits - SQL Server, Windows, Red Hat detection
- ✅ Cost allocation - Tag-based resource grouping for cost estimates
- ✅ Security assessment - Encryption status, public exposure, NSG rules

Maps directly to the Migration Assessment Pro questionnaire.

🚀 Want the Complete KQL Library?

This free guide covers the fundamentals - 15 essential queries to get started.

Ready for production-level Azure administration?

Get the Complete KQL Query Library ($19)

What's included:
- ✅ 48 production-tested queries (vs 15 basic queries here)
- ✅ Advanced joins - Link VMs to NICs, disks, subnets, subscriptions
- ✅ Performance optimization guide - Query 31,000+ resources efficiently
- ✅ SQL to KQL translation - For SQL developers learning KQL
- ✅ Case-insensitive tag handling - Handles tag variations automatically
- ✅ Power state detection - Show IPs only for running VMs
- ✅ Real production scenarios - From managing enterprise-scale Azure
- ✅ JSON query files - Copy-paste ready for immediate use
- ✅ Complete reference guide - All queries organized by category
- ✅ Troubleshooting guide - Fix common KQL errors
- ✅ Future updates included - Get new queries as Azure evolves

Used in production managing:
- 44 Azure subscriptions
- 31,000+ resources
- Enterprise-scale environments

Why Upgrade?

This free guide teaches you KQL basics → Get started in 30 minutes

The complete library gives you production-ready queries → Save 10+ hours/month

Price: $19 (one-time purchase, instant download)

Get the Complete KQL Library →

Money-back guarantee if it doesn't save you 2+ hours in the first week.

Additional Resources

Azure Admin Starter Kit (Free Download)

Get my complete Azure admin toolkit: KQL cheat sheet, 50 Windows + 50 Linux commands, and an Azure RACI template in one free bundle.

Get the Starter Kit →

Want to learn more about Azure governance, cost management, and operations? Visit azure-noob.com for practical guides based on real enterprise experience.

KQL Cheat Sheet: Getting Started with Azure Resource Graph

What is KQL?

Getting Started

Your First 3 Queries

1. List All Your VMs

2. Find VMs in a Specific Resource Group

3. Count VMs by Location

Core KQL Concepts

Tables = Your Data Sources

Where = Your Filter

Project = Your Columns

Summarize = Aggregations

15 Essential Queries

Query 1: List All VMs

Query 2: List All Storage Accounts

Query 3: Find Resources by Tag

Query 4: Count Resources by Type

Query 5: List All Network Interfaces

Query 6: Find Untagged Resources

Query 7: List All Managed Disks

Query 8: Count Resources by Location

Query 9: Find VMs with Specific OS

Query 10: List Public IP Addresses

Query 11: Find Large Disks (>100GB)

Query 12: List All Resource Groups

Query 13: Count VMs by Resource Group

Query 14: Find Resources in Specific Subscription

Query 15: Get VM with Network Details

What You've Learned

🔒 Enterprise KQL Library: Migration Discovery Queries

🚀 KQL for Migration Discovery (Preview)

Critical Migration Questions KQL Can Answer:

🎯 The Migration Discovery Workflow:

Want All 48 Migration Discovery Queries?

🚀 Want the Complete KQL Library?

Get the Complete KQL Query Library ($19)

Why Upgrade?

Additional Resources

Azure Admin Starter Kit (Free Download)

Azure Admin Starter Kit (Free Download)

📊 Stop Rewriting the Same KQL Queries

Wait! Before You Go...