Merge pull request #201741 from timwarner-msft/timwarner-scopes

v-regandowner · web-flow · commit a03c6f54c05e · 2022-06-20T11:16:35.000-04:00
Add AuthorizationScopeFilter parameter to doc
diff --git a/articles/governance/resource-graph/concepts/query-language.md b/articles/governance/resource-graph/concepts/query-language.md
@@ -1,8 +1,10 @@
 ---
 title: Understand the query language
 description: Describes Resource Graph tables and the available Kusto data types, operators, and functions usable with Azure Resource Graph.
-ms.date: 09/03/2021
+ms.date: 06/15/2022
 ms.topic: conceptual
+ms.author: timwarner
+author: timwarner-msft
 ---
 # Understanding the Azure Resource Graph query language
 
@@ -13,11 +15,16 @@ query language used by Resource Graph, start with the
 
 This article covers the language components supported by Resource Graph:
 
-- [Resource Graph tables](#resource-graph-tables)
-- [Resource Graph custom language elements](#resource-graph-custom-language-elements)
-- [Supported KQL language elements](#supported-kql-language-elements)
-- [Scope of the query](#query-scope)
-- [Escape characters](#escape-characters)
+- [Understanding the Azure Resource Graph query language](#understanding-the-azure-resource-graph-query-language)
+  - [Resource Graph tables](#resource-graph-tables)
+  - [Extended properties (preview)](#extended-properties-preview)
+  - [Resource Graph custom language elements](#resource-graph-custom-language-elements)
+    - [Shared query syntax (preview)](#shared-query-syntax-preview)
+  - [Supported KQL language elements](#supported-kql-language-elements)
+    - [Supported tabular/top level operators](#supported-tabulartop-level-operators)
+  - [Query scope](#query-scope)
+  - [Escape characters](#escape-characters)
+  - [Next steps](#next-steps)
 
 ## Resource Graph tables
 
@@ -89,7 +96,7 @@ Resources
 > When limiting the `join` results with `project`, the property used by `join` to relate the two
 > tables, _subscriptionId_ in the above example, must be included in `project`.
 
-## <a name="extended-properties"></a>Extended properties (preview)
+## Extended properties (preview)
 
 As a _preview_ feature, some of the resource types in Resource Graph have additional type-related
 properties available to query beyond the properties provided by Azure Resource Manager. This set of
@@ -114,7 +121,7 @@ Resources
 
 ## Resource Graph custom language elements
 
-### <a name="shared-query-syntax"></a>Shared query syntax (preview)
+### Shared query syntax (preview)
 
 As a preview feature, a [shared query](../tutorials/create-share-query.md) can be accessed directly
 in a Resource Graph query. This scenario makes it possible to create standard queries as shared
@@ -215,6 +222,51 @@ Group' with ID 'myMG'.
   }
   ```
 
+The `AuthorizationScopeFilter` parameter enables you to list Azure Policy assignments inherited from upper scopes. The `AuthorizationScopeFilter` parameter accepts the following values:
+
+- **AtScopeAndBelow** (default if not specified): Returns policy assignments for the given scope and all child scopes
+- **AtScopeAndAbove**: Returns policy assignments for the given scope and all parent scopes, but not child scopes
+- **AtScopeAboveAndBelow**: Returns policy assignments for the given scope, all parent scopes and all child scopes
+- **AtScopeExact**: Returns policy assignments  only for the given scope; no parent or child scopes are included
+
+> [!NOTE]
+> To use the `AuthorizationScope` parameter, be sure to reference the **2021-06-01-preview** API version in your requests.
+
+Example: Get all policy assignments at the **myMG** management group and Tenant Root (parent) scopes.
+
+- REST API URI
+
+  ```http
+  POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-06-01-preview
+  ```
+
+- Request Body Sample
+
+  ```json
+  {
+      "authorizationScopeFilter": "AtScopeAndAbove",
+      "query": "PolicyResources | where type =~ 'Microsoft.Authorization/PolicyAssignments'",
+      "managementGroups": ["myMG"]
+  }
+  ```
+
+Example: Get all policy assignments at the **mySubscriptionId** subscription, management group, and Tenant Root scopes.
+
+- REST API URI
+
+  ```http
+  POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-06-01-preview
+  ```
+- Request Body Sample
+
+  ```json
+  {
+      "authorizationScopeFilter": "AtScopeAndAbove",
+      "query": "PolicyResources | where type =~ 'Microsoft.Authorization/PolicyAssignments'",
+      "subscriptions": ["mySubscriptionId"]
+  }
+  ```
+
 ## Escape characters
 
 Some property names, such as those that include a `.` or `$`, must be wrapped or escaped in the
diff --git a/articles/governance/resource-graph/overview.md b/articles/governance/resource-graph/overview.md
@@ -1,8 +1,10 @@
 ---
 title: Overview of Azure Resource Graph
 description: Understand how the Azure Resource Graph service enables complex querying of resources at scale across subscriptions and tenants.
-ms.date: 08/17/2021
+ms.date: 06/15/2022
 ms.topic: overview
+ms.author: timwarner
+author: timwarner-msft
 ---
 # What is Azure Resource Graph?
 
@@ -56,7 +58,7 @@ With Azure Resource Graph, you can:
 > [!NOTE]
 > As a _preview_ feature, some `type` objects have additional non-Resource Manager properties
 > available. For more information, see
-> [Extended properties (preview)](./concepts/query-language.md#extended-properties).
+> [Extended properties (preview)](./concepts/query-language.md#extended-properties-preview).
 
 ## How Resource Graph is kept current
 
diff --git a/articles/governance/resource-graph/samples/advanced.md b/articles/governance/resource-graph/samples/advanced.md
@@ -1,8 +1,10 @@
 ---
 title: Advanced query samples
 description: Use Azure Resource Graph to run some advanced queries, including working with columns, listing tags used, and matching resources with regular expressions.
-ms.date: 10/01/2021
+ms.date: 06/15/2022
 ms.topic: sample
+ms.author: timwarner
+author: timwarner-msft
 ---
 # Advanced Resource Graph query samples
 
@@ -601,7 +603,7 @@ Search-AzGraph -Query "Resources | where type =~ 'microsoft.network/networkinter
 
 ## <a name="vm-powerstate"></a>Summarize virtual machine by the power states extended property
 
-This query uses the [extended properties](../concepts/query-language.md#extended-properties) on
+This query uses the [extended properties](../concepts/query-language.md#extended-properties-preview) on
 virtual machines to summarize by power states.
 
 ```kusto
diff --git a/articles/governance/resource-graph/tutorials/create-share-query.md b/articles/governance/resource-graph/tutorials/create-share-query.md
@@ -1,8 +1,10 @@
 ---
 title: "Tutorial: Manage queries in the Azure portal"
 description: In this tutorial, you create a Resource Graph Query and share the new query with others in the Azure portal.
-ms.date: 08/17/2021
+ms.date: 06/15/2022
 ms.topic: tutorial
+ms.author: timwarner
+author: timwarner-msft
 ---
 # Tutorial: Create and share an Azure Resource Graph query in the Azure portal
 
@@ -183,7 +185,7 @@ Resources
 ## Run a shared query
 
 A Resource Graph shared query can be run with the `{{shared-query-uri}}` syntax (preview). For more
-information, see [Shared query syntax](../concepts/query-language.md#shared-query-syntax).
+information, see [Shared query syntax](../concepts/query-language.md#shared-query-syntax-preview).
 
 ## Delete a Shared query
 
diff --git a/includes/resource-graph/samples/bycat/azure-virtual-machines.md b/includes/resource-graph/samples/bycat/azure-virtual-machines.md
@@ -616,7 +616,7 @@ Search-AzGraph -Query "Resources | where type =~ 'Microsoft.Compute/virtualMachi
 
 ### Summarize virtual machine by the power states extended property
 
-This query uses the [extended properties](../../../../articles/governance/resource-graph/concepts/query-language.md#extended-properties) on virtual machines to summarize by power states.
+This query uses the [extended properties](../../../../articles/governance/resource-graph/concepts/query-language.md#extended-properties-preview) on virtual machines to summarize by power states.
 
 ```kusto
 Resources
diff --git a/includes/resource-graph/samples/bytable/resources.md b/includes/resource-graph/samples/bytable/resources.md
@@ -454,7 +454,7 @@ Returns the connected cluster ID of each Azure Arc-enabled Kubernetes cluster th
 
 ```kusto
 Resources
-| where type =~ 'Microsoft.Kubernetes/connectedClusters' | extend connectedClusterId = tolower(id) | project connectedClusterId 
+| where type =~ 'Microsoft.Kubernetes/connectedClusters' | extend connectedClusterId = tolower(id) | project connectedClusterId
 | join kind = leftouter
 	(KubernetesConfigurationResources
 	| where type == 'microsoft.kubernetesconfiguration/extensions'
@@ -573,7 +573,7 @@ Resources
 | join kind=leftouter(
 	Resources
 	| where type == 'microsoft.compute/virtualmachines/extensions'
-	| extend 
+	| extend
 		VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
 		ExtensionName = name
 ) on $left.JoinID == $right.VMId
@@ -825,7 +825,7 @@ Search-AzGraph -Query "ResourceContainers | where isnotempty(tags) | project tag
 
 ### List Arc-enabled servers not running latest released agent version
 
-This query returns all Arc-enabled servers running an outdated version of the Connected Machine agent. Agents with a status of **Expired** are excluded from the results. The query uses _leftouter_ `join` to bring together the Advisor recommendations raised about any Connected Machine agents identified as out of date, and Hybrid Computer machines to filter out any agent that haven't communicated with Azure over a period of time.
+This query returns all Arc-enabled servers running an outdated version of the Connected Machine agent. Agents with a status of **Expired** are excluded from the results. The query uses _leftouter_ `join` to bring together the Advisor recommendations raised about any Connected Machine agents identified as out of date, and Hybrid Computer machines to filter out any agents that haven't communicated with Azure over a period of time.
 
 ```kusto
 AdvisorResources
@@ -992,7 +992,7 @@ Search-AzGraph -Query "Resources | where type in ( 'microsoft.managedidentity/us
 
 ### List machines that are not running and the last compliance status
 
-Provides a list of a machines that aren't powered on with their configuration assignments and the last reported compliance status.
+Provides a list of machines that aren't powered on with their configuration assignments and the last reported compliance status.
 
 ```kusto
 Resources
@@ -1417,7 +1417,7 @@ Search-AzGraph -Query "Resources | where type =~ 'microsoft.network/networksecur
 
 ### Summarize virtual machine by the power states extended property
 
-This query uses the [extended properties](../../../../articles/governance/resource-graph/concepts/query-language.md#extended-properties) on virtual machines to summarize by power states.
+This query uses the [extended properties](../../../../articles/governance/resource-graph/concepts/query-language.md#extended-properties-preview) on virtual machines to summarize by power states.
 
 ```kusto
 Resources
