Monitoring Azure Resources for Version Compliance Using Azure Workbooks and KQL

Compliance isn’t just about ticking boxes; it’s about safeguarding your cloud environment with the latest versions and updates

Lack of Centralized Version Compliance Monitoring Across Azure Resources

  1. Version Compliance Gaps: The customer was struggling to track the version compliance of Azure resources across multiple subscriptions, leading to outdated services and security risks.
  2. Manual & Inefficient Monitoring: Their existing approach relied on manual tracking of resource versions, which was time-consuming, error-prone, and lacked scalability.
  3. High Operational Costs: Due to inefficient processes and lack of visibility, maintaining compliance and managing infrastructure required excessive operational effort, increasing costs.
  4. Inconsistent Governance: The customer faced challenges in enforcing consistent governance, as they lacked a unified view of resource versions and compliance status across different Azure services.

When the customer approached us, they were dealing with inefficient monitoring processes, increased operational costs, and difficulty ensuring version compliance, which affected their overall cloud governance and security.

Our recommendation/solution

  1. Proposed Solution: We implemented a custom Azure Workbook integrated with KQL queries to automatically track, monitor, and compare the versions of all Azure resources across multiple subscriptions.
  2. Benefits: This solution provided real-time visibility into resource version compliance, significantly reducing manual effort and operational costs while improving security and governance.

We will discuss how we developed the version compliance monitoring solution using Azure Workbooks and KQL, explaining how it helped the customer automate tracking, ensure governance, and address their challenges with outdated resources and high operational costs.

Pre-requisites for the Set-Up

Before we implemented the solution, the following pre-requisites were already in place:

  1. Access to the Azure Portal for creating and managing Workbooks
  2. Azure Monitor and Log Analytics Workspace configured to collect resource data
  3. KQL Expertise to write and customize queries for version tracking
  4. Resource Tagging (e.g., iac-version or powered-by) to capture version information
  5. Latest Resource Version List prepared for comparing resources across subscriptions

Manual monitoring is a thing of the past—real-time dashboards provide the visibility you need, when you need it.

Solution Implementation Steps

Step 1: Creating the Azure Workbook

We started by creating a new Azure Workbook to act as a centralized dashboard for version compliance. Using the Azure Portal, we navigated to Azure Monitor > Workbooks, and created a new workbook.

From there, we began customizing it by clicking on the Edit button and adding a new Query tile.

Step 2: Implementing the KQL Query

To fetch and compare resource versions, we implemented the following KQL query within the workbook:

Resources
| join kind=inner (
    resourcecontainers
    | where type == 'microsoft.resources/subscriptions'
    | project subscriptionId, subscriptionName = name)
    on subscriptionId
| where type in ({ResourceType})
// Version stamped by the IaC pipeline; fall back to the powered-by tag, else empty
| extend currentversion = coalesce(tostring(tags['iac-version']), tostring(tags['powered-by']), '')
// Comma-separated allowlist of accepted versions for each resource type
| extend latestversion = case(
    type == 'microsoft.keyvault/vaults', 'v1.0.0,v1.1.0',
    type == 'microsoft.containerservice/managedclusters', 'v1.3.0,v1.4.0',
    type == 'microsoft.web/serverfarms', 'v2.0.0,v2.1.0,v2.1.1',
    type == 'microsoft.sql/servers', 'v2.7.0',
    type == 'microsoft.sql/managedinstances', 'v2.7.0',
    type == 'microsoft.dbforpostgresql/flexibleservers', 'v2.4.0',
    type == 'microsoft.containerregistry/registries', 'v1.2.0',
    type == 'microsoft.storage/storageaccounts', 'v1.3.0',
    type == 'microsoft.compute/virtualmachines', 'v1.3.0',
    type == 'microsoft.datafactory/datafactories', 'v1.1.0',
    type == 'microsoft.cache/redis', 'v1.0.0,v1.1.0',
    type == 'microsoft.insights/workbooks', 'v1.1.0',
    'DefaultConstantValue')
// Exact match of the tag against the allowlist (comma-delimited on both sides),
// so an empty tag or a truncated value such as 'v2.7' is never reported compliant
| extend status = case(
    isnotempty(currentversion)
        and strcat(',', latestversion, ',') contains strcat(',', currentversion, ','), 'Compliant',
    'Non-Compliant')
| where status in ({status02})
| project subscriptionId, subscriptionName, type, name, currentversion, latestversion, status

This query pulls resource data and matches each resource’s current version (based on tags) with the latest version available. It then checks whether each resource is compliant or non-compliant based on this comparison, displaying the results in real time.
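To check the matching rule before pasting it into the workbook, here is an added Python mirror of the query's compliance decision (example code, not part of the original post or CloudifyOps' workbook). The tag names and the allowlist format follow the post; the resource rows are constructed. It contrasts the post's substring test (latestversion contains currentversion) with an exact allowlist match, which is where an empty tag or a truncated version string such as v2.7 gets a different verdict.

```python
LATEST_VERSIONS = {  # constructed subset of the post's case() table
    "microsoft.keyvault/vaults": "v1.0.0,v1.1.0",
    "microsoft.sql/servers": "v2.7.0",
    "microsoft.storage/storageaccounts": "v1.3.0",
}


def current_version(tags):
    """Mirror of the query: prefer iac-version, fall back to powered-by."""
    return (tags.get("iac-version") or tags.get("powered-by") or "").strip()


def status_substring(resource):
    """The post's original rule: latestversion contains currentversion."""
    latest = LATEST_VERSIONS.get(resource["type"], "DefaultConstantValue")
    # '' and 'v2.7' are both substrings of 'v2.7.0', so both pass here
    return "Compliant" if current_version(resource["tags"]) in latest else "Non-Compliant"


def status_exact(resource):
    """Hardened rule: the tag must equal one allowlisted version exactly."""
    latest = LATEST_VERSIONS.get(resource["type"], "DefaultConstantValue")
    cur = current_version(resource["tags"])
    allowed = {v for v in latest.split(",") if v}  # tolerate a stray 'v2.7.0,'
    return "Compliant" if cur and cur in allowed else "Non-Compliant"


# Constructed rows in the shape of the query's projected columns.
SAMPLE_RESOURCES = [
    {"name": "kv-prod", "type": "microsoft.keyvault/vaults", "tags": {"iac-version": "v1.1.0"}},
    {"name": "sql-legacy", "type": "microsoft.sql/servers", "tags": {"powered-by": "v2.7"}},
    {"name": "st-untagged", "type": "microsoft.storage/storageaccounts", "tags": {}},
]


def report(resources, rule):
    """Map each resource name to the status the given rule assigns."""
    return {r["name"]: rule(r) for r in resources}


if __name__ == "__main__":
    for rule in (status_substring, status_exact):
        print(rule.__name__, report(SAMPLE_RESOURCES, rule))
```

Running it shows the untagged storage account and the truncated SQL tag reported as Compliant under the substring rule but Non-Compliant under the exact rule, which is the case the dashboard should flag rather than hide.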

Figure: Azure Self Governance Dashboard showing PostgreSQL flexible servers as compliant with the latest version (v2.4.0) across the NON-PROD and PROD subscriptions.

Figure: The dashboard filtered by resource type and compliance status, listing resource names for easier management.

Automation doesn't just save time; it ensures accuracy and scalability in managing compliance.

We then added dynamic filters to enhance the interactivity of the workbook. These filters allowed users to:

  • Filter by Subscription: Users could drill down into a specific subscription to see its resource compliance status
  • Filter by Resource Type: We allowed filtering by resource type (e.g., VMs, SQL Servers, etc.) to focus on specific services
  • Filter by Compliance Status: Users could quickly view only non-compliant resources, helping teams focus on the most critical updates

Results and Benefits

By implementing this solution, we delivered the following key benefits to the customer:

  • Real-Time Visibility: The customer now has a live, centralized view of all Azure resources and their compliance status
  • Reduced Operational Overhead: The previously manual, time-consuming process of tracking resource versions was fully automated, freeing up time for more strategic tasks
  • Improved Security and Governance: With non-compliant resources flagged immediately, the customer could take swift action to update outdated resources, improving their overall security posture
  • Efficient Resource Management: The ability to filter by subscription, resource type, or compliance status gave the customer precise control over how they monitored and updated their resources

CloudifyOps successfully implemented a real-time, automated version compliance monitoring solution using Azure Workbooks and KQL. By centralizing version tracking across subscriptions, the customer gained visibility into their Azure environment, improved governance, and significantly reduced operational costs.

This blog highlights how we helped the customer solve their compliance challenges, making their infrastructure more secure and easier to manage.

Rohit Hemnani

2 months

Very informative