azure-compliance
Run Azure compliance and security audits with azqr plus Key Vault expiration checks. Covers best-practice assessment, resource review, policy/compliance validation, and security posture checks. WHEN: compliance scan, security audit, BEFORE running azqr (compliance cli tool), Azure best practices, Key Vault expiration check, expired certificates, expiring secrets, orphaned resources, compliance assessment.
Best use case
azure-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Run Azure compliance and security audits with azqr plus Key Vault expiration checks. Covers best-practice assessment, resource review, policy/compliance validation, and security posture checks. WHEN: compliance scan, security audit, BEFORE running azqr (compliance cli tool), Azure best practices, Key Vault expiration check, expired certificates, expiring secrets, orphaned resources, compliance assessment.
Teams using azure-compliance should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/azure-compliance/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How azure-compliance Compares
| Feature / Agent | azure-compliance | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Run Azure compliance and security audits with azqr plus Key Vault expiration checks. Covers best-practice assessment, resource review, policy/compliance validation, and security posture checks. WHEN: compliance scan, security audit, BEFORE running azqr (compliance cli tool), Azure best practices, Key Vault expiration check, expired certificates, expiring secrets, orphaned resources, compliance assessment.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Azure Compliance & Security Auditing ## Quick Reference | Property | Details | |---|---| | Best for | Compliance scans, security audits, Key Vault expiration checks | | Primary capabilities | Comprehensive Resources Assessment, Key Vault Expiration Monitoring | | MCP tools | azqr, subscription and resource group listing, Key Vault item inspection | ## When to Use This Skill - Run azqr or Azure Quick Review for compliance assessment - Validate Azure resource configuration against best practices - Identify orphaned or misconfigured resources - Audit Key Vault keys, secrets, and certificates for expiration ## Skill Activation Triggers Activate this skill when user wants to: - Check Azure compliance or best practices - Assess Azure resources for configuration issues - Run azqr or Azure Quick Review - Identify orphaned or misconfigured resources - Review Azure security posture - "Show me expired certificates/keys/secrets in my Key Vault" - "Check what's expiring in the next 30 days" - "Audit my Key Vault for compliance" - "Find secrets without expiration dates" - "Check certificate expiration dates" ## Prerequisites - Authentication: user is logged in to Azure via `az login` - Permissions to read resource configuration and Key Vault metadata ## Assessments | Assessment | Reference | |------------|-----------| | Comprehensive Compliance (azqr) | [references/azure-quick-review.md](references/azure-quick-review.md) | | Key Vault Expiration | [references/azure-keyvault-expiration-audit.md](references/azure-keyvault-expiration-audit.md) | | Resource Graph Queries | [references/azure-resource-graph.md](references/azure-resource-graph.md) | ## MCP Tools | Tool | Purpose | |------|---------| | `mcp_azure_mcp_extension_azqr` | Run azqr compliance scans | | `mcp_azure_mcp_subscription_list` | List available subscriptions | | `mcp_azure_mcp_group_list` | List resource groups | | `keyvault_key_list` | List all keys in vault | | `keyvault_key_get` | Get key details including expiration | | `keyvault_secret_list` | List all secrets in vault | | `keyvault_secret_get` | Get secret details including expiration | | `keyvault_certificate_list` | List all certificates in vault | | `keyvault_certificate_get` | Get certificate details including expiration | ## Assessment Workflow 1. Select scope (subscription or resource group) for Comprehensive Resources Assessment. 2. Run azqr and capture output artifacts. 3. Analyze Scan Results and summarize findings and recommendations. 4. Review Key Vault Expiration Monitoring output for keys, secrets, and certificates. 5. Classify issues and propose remediation or fix steps for each finding. ### Priority Classification | Priority | Guidance | |---|---| | Critical | Immediate remediation required for high-impact exposure | | High | Resolve within days to reduce risk | | Medium | Plan a resolution in the next sprint | | Low | Track and fix during regular maintenance | ## Error Handling | Error | Message | Remediation | |---|---|---| | Authentication required | "Please login" | Run `az login` and retry | | Access denied | "Forbidden" | Confirm permissions and fix role assignments | | Missing resource | "Not found" | Verify subscription and resource group selection | ## Best Practices - Run compliance scans on a regular schedule (weekly or monthly) - Track findings over time and verify remediation effectiveness - Separate compliance reporting from remediation execution - Keep Key Vault expiration policies documented and enforced ## SDK Quick References For programmatic Key Vault access, see the condensed SDK guides: - **Key Vault (Python)**: [Secrets/Keys/Certs](references/sdk/azure-keyvault-py.md) - **Secrets**: [TypeScript](references/sdk/azure-keyvault-secrets-ts.md) | [Rust](references/sdk/azure-keyvault-secrets-rust.md) | [Java](references/sdk/azure-security-keyvault-secrets-java.md) - **Keys**: [.NET](references/sdk/azure-security-keyvault-keys-dotnet.md) | [Java](references/sdk/azure-security-keyvault-keys-java.md) | [TypeScript](references/sdk/azure-keyvault-keys-ts.md) | [Rust](references/sdk/azure-keyvault-keys-rust.md) - **Certificates**: [Rust](references/sdk/azure-keyvault-certificates-rust.md)
Related Skills
azure-validate
Pre-deployment validation for Azure readiness. Run deep checks on configuration, infrastructure (Bicep or Terraform), permissions, and prerequisites before deploying. WHEN: validate my app, check deployment readiness, run preflight checks, verify configuration, check if ready to deploy, validate azure.yaml, validate Bicep, test before deploying, troubleshoot deployment errors, validate Azure Functions, validate function app, validate serverless deployment.
azure-upgrade
Assess and upgrade Azure workloads between plans, tiers, or SKUs within Azure. Generates assessment reports and automates upgrade steps. WHEN: upgrade Consumption to Flex Consumption, upgrade Azure Functions plan, migrate hosting plan, upgrade Functions SKU, move to Flex Consumption, upgrade Azure service tier, change hosting plan, upgrade function app plan, migrate App Service to Container Apps.
azure-storage
Azure Storage Services including Blob Storage, File Shares, Queue Storage, Table Storage, and Data Lake. Provides object storage, SMB file shares, async messaging, NoSQL key-value, and big data analytics capabilities. Includes access tiers (hot, cool, archive) and lifecycle management. USE FOR: blob storage, file shares, queue storage, table storage, data lake, upload files, download blobs, storage accounts, access tiers, lifecycle management. DO NOT USE FOR: SQL databases, Cosmos DB (use azure-prepare), messaging with Event Hubs or Service Bus (use azure-messaging).
azure-resource-visualizer
Analyze Azure resource groups and generate detailed Mermaid architecture diagrams showing the relationships between individual resources. WHEN: create architecture diagram, visualize Azure resources, show resource relationships, generate Mermaid diagram, analyze resource group, diagram my resources, architecture visualization, resource topology, map Azure infrastructure.
azure-resource-lookup
List, find, and show Azure resources across subscriptions or resource groups. Handles prompts like "list websites", "list virtual machines", "list my VMs", "show storage accounts", "find container apps", and "what resources do I have". USE FOR: resource inventory, find resources by tag, tag analysis, orphaned resource discovery (not for cost analysis), unattached disks, count resources by type, cross-subscription lookup, and Azure Resource Graph queries. DO NOT USE FOR: deploying/changing resources, cost optimization, or non-Azure clouds.
azure-rbac
Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it. Also provides guidance on permissions required to grant roles. WHEN: bicep for role assignment, what role should I assign, least privilege role, RBAC role for, role to read blobs, role for managed identity, custom role definition, assign role to identity, what role do I need to grant access, permissions to assign roles.
azure-quotas
Check/manage Azure quotas and usage across providers. For deployment planning, capacity validation, region selection. WHEN: "check quotas", "service limits", "current usage", "request quota increase", "quota exceeded", "validate capacity", "regional availability", "provisioning limits", "vCPU limit", "how many vCPUs available in my subscription".
azure-prepare
Prepare Azure apps for deployment (infra Bicep/Terraform, azure.yaml, Dockerfiles). Use for create/modernize or create+deploy; not cross-cloud migration (use azure-cloud-migrate). WHEN: "create app", "build web app", "create API", "create serverless HTTP API", "create frontend", "create back end", "build a service", "modernize application", "update application", "add authentication", "add caching", "host on Azure", "create and deploy", "deploy to Azure", "deploy to Azure using Terraform", "deploy to Azure App Service", "deploy to Azure App Service using Terraform", "deploy to Azure Container Apps", "deploy to Azure Container Apps using Terraform", "generate Terraform", "generate Bicep", "function app", "timer trigger", "service bus trigger", "event-driven function", "containerized Node.js app", "social media app", "static portfolio website", "todo list with frontend and API", "prepare my Azure application to use Key Vault", "managed identity".
azure-messaging
Troubleshoot and resolve issues with Azure Messaging SDKs for Event Hubs and Service Bus. Covers connection failures, authentication errors, message processing issues, and SDK configuration problems. WHEN: event hub SDK error, service bus SDK issue, messaging connection failure, AMQP error, event processor host issue, message lock lost, send timeout, receiver disconnected, SDK troubleshooting, azure messaging SDK, event hub consumer, service bus queue issue, topic subscription error, enable logging event hub, service bus logging, eventhub python, servicebus java, eventhub javascript, servicebus dotnet, event hub checkpoint, event hub not receiving messages, service bus dead letter.
azure-kusto
Query and analyze data in Azure Data Explorer (Kusto/ADX) using KQL for log analytics, telemetry, and time series analysis. WHEN: KQL queries, Kusto database queries, Azure Data Explorer, ADX clusters, log analytics, time series data, IoT telemetry, anomaly detection.
azure-kubernetes
Plan, create, and configure production-ready Azure Kubernetes Service (AKS) clusters. Covers Day-0 checklist, SKU selection (Automatic vs Standard), networking options (private API server, Azure CNI Overlay, egress configuration), security, and operations (autoscaling, upgrade strategy, cost analysis). WHEN: create AKS environment, provision AKS environment, enable AKS observability, design AKS networking, choose AKS SKU, secure AKS.
azure-hosted-copilot-sdk
Build and deploy GitHub Copilot SDK apps to Azure. WHEN: build copilot app, create copilot app, copilot SDK, @github/copilot-sdk, scaffold copilot project, copilot-powered app, deploy copilot app, host on azure, azure model, BYOM, bring your own model, use my own model, azure openai model, DefaultAzureCredential, self-hosted model, copilot SDK service, chat app with copilot, copilot-sdk-service template, azd init copilot, CopilotClient, createSession, sendAndWait, GitHub Models API.