Troubleshoot errors using Azure Resource Graph
You might run into errors when querying Azure resources with Azure Resource Graph. This article describes various errors that might occur and how to resolve them.
Finding error details
Most errors are the result of an issue while running a query with Azure Resource Graph. When a query fails, the SDK provides details about the failed query. This information indicates the issue so that it can be fixed and a later query succeeds.
General errors
Scenario: Throttled requests
Issue
Customers making large or frequent resource queries have requests throttled.
Cause
Azure Resource Graph allocates a quota number for each user based on a time window. For example, a user can send at most 15 queries within every 5-second window without being throttled. The quota value is determined by many factors and is subject to change. For more information, see Throttling in Azure Resource Graph.
Resolution
There are several methods of dealing with throttled requests:
Scenario: Too many subscriptions
Issue
Customers with access to more than 1,000 subscriptions, including cross-tenant subscriptions with Azure Lighthouse, can't fetch data across all subscriptions in a single call to Azure Resource Graph.
Cause
Azure CLI and PowerShell forward only the first 1,000 subscriptions to Azure Resource Graph. The REST API for Azure Resource Graph accepts a maximum number of subscriptions to perform the query on.
Resolution
Batch requests for the query with a subset of subscriptions to stay under the 1,000 subscription limit. The solution is using the Subscription parameter in PowerShell.
# Replace this query with your own
$query = 'Resources | project type'
# Fetch the full array of subscription IDs
$subscriptions = Get-AzSubscription
$subscriptionIds = $subscriptions.Id
# Create a counter, set the batch size, and prepare a variable for the results
$counter = [PSCustomObject] @{ Value = 0 }
$batchSize = 1000
$response = @()
# Group the subscriptions into batches
$subscriptionsBatch = $subscriptionIds | Group -Property { [math]::Floor($counter.Value++ / $batchSize) }
# Run the query for each batch
foreach ($batch in $subscriptionsBatch){ $response += Search-AzGraph -Query $query -Subscription $batch.Group }
# View the completed results of the query on all subscriptions
$response
Scenario: Unsupported Content-Type REST header
Issue
Customers querying the Azure Resource Graph REST API get a 500 (Internal Server Error) response returned.
Cause
The Azure Resource Graph REST API only supports a Content-Type
of application/json
. Some REST tools or agents default to text/plain
, which is unsupported by the REST API.
Resolution
Validate that the tool or agent you're using to query Azure Resource Graph has the REST API header Content-Type
configured for application/json
.
Scenario: No read permission to all subscriptions in list
Issue
Customers that explicitly pass a list of subscriptions with an Azure Resource Graph query get a 403 (Forbidden) response.
Cause
If the customer doesn't have read permission to all the provided subscriptions, the request is denied because of lack of appropriate security rights.
Resolution
Include at least one subscription in the subscription list that the customer running the query has at least read access to. For more information, see Permissions in Azure Resource Graph.
Scenario: Azure Resource Graph fields not being updated immediately
Issue
There are specific fields, when using Azure Resource Graph, that are updated at a slower cadence. These fields will converge to true values over time, provided there are no updates in between.
List of fields affected
Important
- This concept is not limited to specific properties. The following list are examples that you might find delayed, but eventually become updated.
- There are certain cases where VM states are updated asynchronously, which means that the current state does not match the "goal state" (desired state set by customers). However, these VM fields will converge over time.
- properties.extended.instanceView.osName
- properties.extended.instanceView.osVersion
- properties.extended.instanceView.computerName
Cause
Some fields are coming from agent blobs that don't have notification coverage, therefore updates to these fields are delayed.
Resolution
These fields update at a slower cadence today, but will converge to true values over time, provided there are no updates in between.
Next steps
If you didn't see your problem or are unable to solve your issue, visit one of the following channels for more support:
- Get answers from Azure experts through Azure Forums.
- Connect with @AzureSupport - the official Microsoft Azure account for improving customer experience by connecting the Azure community to the right resources: answers, support, and experts.
- If you need more help, you can file an Azure support incident. Go to the Azure support site and select Get Support.