KQL query for fetching vm resources in a maintenance configurations

Garg,Srishti 20

For configuring Azure update manager, I have created maintenance configuration for patching schedules where to evaluate vm resources for each configuration i was using tags to filter VMs on a scope of subscriptions i have (around 50) using Dynamic scope property in maintenance configuration. Hence doing configurations assignment to associate a schedule to a maintenance configuration.
I have a sample query with me. Can you help me with writing a correct query if this is feasible. I want to take out list VMs in each maintenance configurations.

resources
| where type == "microsoft.compute/virtualmachines"
| where subscriptionId == tolower(tostring(split(id, '/')[2]))  // Extract subscription ID from VM resource ID
| project vmName = name, vmId = id, resourceGroup, location, subscriptionId
| join kind=inner (
    maintenanceresources
    | where type == "microsoft.maintenance/configurationassignments"
    | where subscriptionId == tolower(tostring(split(id, '/')[2]))  // Extract subscription ID from maintenance configuration
    | project maintenanceConfigId = id, assignedSubscription = subscriptionId, configname=name
) on $left.subscriptionId == $right.assignedSubscription
| project vmName, vmId, resourceGroup, location, maintenanceConfigId, configname

Nagarjuna Reddy Yanna 90 Reputation points Microsoft Vendor

2025-02-20T05:33:05.8366667+00:00

Hi Garg,Srishti,

Thank you for reaching out to us on the Microsoft Q&A forum.

Yes, you can use the above query to get the list of VMs in the maintenance Configuration.

For your reference, please find the below document.

https://learn.microsoft.com/en-us/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview%2Cwindows-maintenance

If the information is helpful, please consider by clicking the "Upvote" on the post.

If you have any further queries, please let us know in the comment.

Thank you.
Garg,Srishti 20 Reputation points

2025-02-20T12:25:33.3633333+00:00

HI @Nagarjuna Reddy Yanna
The result i want is not the desired one. I want to get list of vm resources that comes under a maintenance configurations. With above query I am getting list of configuration assignments in a maintenance config. Help me fix the query if i am making any mistake?
Nagarjuna Reddy Yanna 90 Reputation points Microsoft Vendor

2025-02-25T00:52:51.0533333+00:00

Hi Garg,Srishti,

Just checking in to see if you had a chance to review my comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Nagarjuna Reddy Yanna 90 Reputation points Microsoft Vendor

2025-02-26T00:38:02.4533333+00:00

Hi Garg,Srishti,

Just checking in to see if you had a chance to review my comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.

Accepted answer

Nagarjuna Reddy Yanna 90 Reputation points Microsoft Vendor

2025-02-24T01:20:54.65+00:00
Hi Garg,Srishti,

This query should now properly join the VM resources with their associated maintenance configurations based on their subscription IDs and scope.

resources | where type == "microsoft.compute/virtualmachines" | extend subscriptionId = tolower(tostring(split(id, '/')[2])) // Extract subscription ID once | extend tags = todynamic(tags) // Parse tags as dynamic object | project vmName = name, vmId = id, resourceGroup, location, subscriptionId, tags | join kind=inner ( resources | where type == "microsoft.maintenance/configurationassignments" | extend assignedSubscription = tolower(tostring(split(id, '/')[2])) // Extract subscription ID once | mv-expand properties = todynamic(properties) // Expand properties to access scopes | project maintenanceConfigId = id, assignedSubscription, configname = name, scope = tostring(properties.scope) ) on subscriptionId == assignedSubscription and id == scope | project vmName, vmId, resourceGroup, location, maintenanceConfigId, configname, tags

Please refer blow Documentation for your refence

https://learn.microsoft.com/en-us/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview%2Cwindows-maintenance

https://learn.microsoft.com/en-us/azure/update-manager/updates-maintenance-schedules

https://learn.microsoft.com/en-us/azure/update-manager/prerequsite-for-schedule-patching?tabs=new-prereq-portal%2Cauto-portal

https://learn.microsoft.com/en-us/azure/virtual-machines/maintenance-configurations

https://learn.microsoft.com/en-us/azure/virtual-machines/resource-graph-samples?tabs=azure-cli

If the information is helpful, please consider by clicking the "Upvote" on the post.

If you have any further queries, please let us know in the comment.

Thank you.
Please sign in to rate this answer.
Garg,Srishti 20 Reputation points

2025-02-27T09:07:59.04+00:00

Thankyou for the information but somehow this query isn't working for me. May be because of naming of my configurations assignments or scope.

Nagarjuna Reddy Yanna 90 Reputation points Microsoft Vendor

2025-02-27T09:18:13.41+00:00

Hi Garg,Srishti,

Please let me know what issue you are experiencing. Share any screenshots or error messages so that I can assist you further.

Garg,Srishti 20 Reputation points

2025-02-27T09:30:06.43+00:00

This is the screenshot of how we are using dynamic scope to look for vm resources in all subscriptions based on tag filtering on region, os type and other tags.
For this I am using az powershell cmdlet :
New-AzConfigurationAssignment -ConfigurationAssignmentName configAssignmentName -MaintenanceConfigurationId /subscriptions/eee2cef4-bc47-4278-b4f8-cfc65f25dfd8/resourceGroups/AUMDemov01/providers/Microsoft.Maintenance/maintenanceConfigurations/kachavan-prepost01 -FilterLocation eastus2euap,centraluseuap -FilterOsType Windows,Linux -FilterTag '{"tagKey1" : ["tagKey1Value1", "tagKey1Value2"], "tagKey2" : ["tagKey2Value1", "tagKey2Value2", "tagKey2Value3"] }' -FilterOperator "Any" -Location global
to create configuration assignments and associating VM resources in the maintenance configurations. These configuration assignments deployment happening on subscription level with unique naming which I am giving for each subscriptions.
Now with this I am trying to evaluate number of resources in each maintenance configurations. Is this feasible to achieve?

Nagarjuna Reddy Yanna 90 Reputation points Microsoft Vendor

2025-02-27T10:39:02.9833333+00:00

Hi Garg,Srishti,

Please follow the below steps for VM resources with their associated maintenance configurations based on their subscription IDs and scope

It's possible to assess the quantity of resources within each maintenance configuration. Given that you have established the configuration assignments with dynamic scopes, you can utilize Azure Resource Graph to query and compile a summary of the virtual machine resources according to your specified filter criteria.

Use Azure Resource Graph:

You can use the Search-AzGraph cmdlet or write queries that search for resources matching your filtering conditions (like tags, location, and OS type).

Example query:

Search-AzGraph -Query "Resources | where type == 'Microsoft.Compute/virtualMachines' and location in ('eastus2euap', 'centraluseuap') and tags['tagKey1'] in ('tagKey1Value1', 'tagKey1Value2') and tags['tagKey2'] in ('tagKey2Value1', 'tagKey2Value2', 'tagKey2Value3')"

This query will return a list of all VMs that match the tag values and locations specified.

Query the Resources:

After executing the query, you can count the number of resources that match the criteria. Here’s how you can do that:

$resources = Search-AzGraph -Query "Resources | where type == 'Microsoft.Compute/virtualMachines' and location in ('eastus2euap', 'centraluseuap') and tags['tagKey1'] in ('tagKey1Value1', 'tagKey1Value2') and tags['tagKey2'] in ('tagKey2Value1', 'tagKey2Value2', 'tagKey2Value3')" $resourceCount = $resources.Count Write-Output "Total matching VMs: $resourceCount"

Automate Resource Evaluation Across Subscriptions:

If you need to do this for multiple subscriptions, you can iterate through each subscription, run the query for each, and then sum the results.

Example script to evaluate resources across multiple subscriptions:

$subscriptions = Get-AzSubscription foreach ($subscription in $subscriptions) { Set-AzContext -SubscriptionId $subscription.Id $resources = Search-AzGraph -Query "Resources | where type == 'Microsoft.Compute/virtualMachines' and location in ('eastus2euap', 'centraluseuap') and tags['tagKey1'] in ('tagKey1Value1', 'tagKey1Value2') and tags['tagKey2'] in ('tagKey2Value1', 'tagKey2Value2', 'tagKey2Value3')" $resourceCount = $resources.Count Write-Output "Subscription: $($subscription.Name) - Matching VMs: $resourceCount" }

Dynamic Scope: Your dynamic scope in the New-AzConfigurationAssignment cmdlet ensures resources are dynamically filtered by location, OS type, and tags. This will ensure resources meeting these criteria are selected. The resource evaluation process described above complements this dynamic scope and helps you get a count of those resources.

Tagging Consistency: Ensure that your tags are consistently applied across all resources, so that when you query them (via Resource Graph or other methods), the results are accurate.

For more information please refer attached document

https://learn.microsoft.com/en-us/azure/governance/resource-graph/samples/query

Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.

Nagarjuna Reddy Yanna 90 Reputation points Microsoft Vendor

2025-02-28T08:35:05.1233333+00:00

Hi Garg,Srishti,

Just checking in to see if you had a chance to review my comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

KQL query for fetching vm resources in a maintenance configurations

0 additional answers

Your answer