Azure Health Check – A Free Script to Audit and Visualise Cloud Hygiene

Are you running Azure subscriptions and want a quick, human-friendly overview of your governance, compute, storage, network and Key Vault hygiene?
The Azure Health Check PowerShell script gives you exactly that — scanning multiple subscriptions, flagging weak spots, and producing a clean interactive HTML report (with charts!).

Why this matters

Large and growing Azure estates can easily drift into insecure or unsupported configurations: unprotected VMs, public storage blobs, missing resource locks, orphaned disks, exposed network ports — all of which can lead to security, availability or compliance issues.

Yet manually auditing each subscription is time-consuming. That’s where automation helps. With this script, you get a multi-subscription health summary, scored, visualised and exportable — ideal for periodic reviews, customer readiness checks, or even compliance audits.

What the script does

When you run the script, it performs a comprehensive sweep of your Azure subscriptions (state: Enabled / Warned) and reports the following:

  • ✅ Resource groups without management locks — possible accidental deletion or change risk.
  • ✅ Virtual machines missing Azure Backup protection.
  • ✅ VMs using legacy/unmanaged disks (HDD / VHD) — compute hygiene risk.
  • ✅ Unattached disks and unused public IPs — potential untracked costs or attack surface.
  • ✅ Storage accounts with weak or insecure settings: TLS version < 1.2, public blob access, soft-delete or replication misconfiguration.
  • ✅ Network exposure — subnets/NICs without Network Security Groups, or NSG rules that expose SSH/RDP to the internet.
  • ✅ Key Vault security issues — vaults without purge protection and secrets/keys/certs expiring soon (within 60–90 days).

At the end it generates a self-contained HTML report including:

  • Summary cards (subscriptions, resource groups, VMs, storage)
  • An interactive risk-category donut chart (global view)
  • A heat-map by subscription vs risk category (shows which subscriptions are “hotspots”)
  • A top-5 subscriptions by issue count bar chart and table
  • Detailed per-subscription tables (governance, compute, storage, networking, Key Vault)
  • Export-to-CSV buttons for each table for deeper analysis

Module Dependencies (Before you run it)

To run the script, you’ll need the following core Azure PowerShell modules installed:

  • Az.Accounts — for authentication and context switching
  • Az.Resources — for resource groups, subscription and lock enumeration
  • Az.Compute — for VM and disk enumeration
  • Az.Network — for public IPs, virtual networks, NICs and NSGs
  • Az.Storage — for storage account configuration and security checks
  • Az.RecoveryServices — for Azure Backup vaults/items
  • Az.KeyVault — for vaults, secrets/keys/certificates

You can install them all at once by running:

Install-Module Az -Scope CurrentUser -Force

Required Access

To run the script successfully, the account must have (at minimum):

👉 Reader role on the subscriptions being scanned
👉 Backup Reader for Azure Backup visibility
👉 Key Vault Reader to list vault settings & key/secret/cert expiry

Getting Started — Step by Step

Here’s how you use the script:

# 1. Install Az modules (if not already installed)
Install-Module Az -Scope CurrentUser -Force

# 2. Install the script (if not already installed)  
Install-Script -Name Invoke-AzHealthCheck

# 3. Run the script:
Invoke-AzHealthCheck -OpenAfterExport

  • The script will prompt you to log in to Azure (if not already).
  • It will enumerate subscriptions, collect data, compute scores and assemble the HTML report.
  • Once done, it will save the report under C:\TEMP\Health Check script (filename includes tenant ID and timestamp) and — because of -OpenAfterExport — will attempt to open it automatically in your default browser.

You can then:

  • Review the summary cards and charts for a quick high-level overview
  • Drill down per subscription using filters
  • Export any of the detailed tables to CSV (useful for further filtering, reporting or remediation tracking)

When to Run & How to Use

  • Periodic audits — run monthly/quarterly to catch drift before it becomes a problem
  • Pre-handover reviews — when onboarding/offboarding clients or environments
  • Compliance checkpoints — as a quick “health snapshot” ahead of bigger audits
  • Remediation tracking — export CSVs, track over time, rerun after changes to confirm the fix

How it works — At a glance

  1. Authenticate & list all enabled subscriptions
  2. For each subscription: gather resource groups, VMs, disks, storage accounts, public IPs, networking setup, Key Vaults
  3. Analyse data to detect “risks” — e.g. missing backup, legacy disks, insecure storage or open NSG rules
  4. Compute a per-subscription “score” based on configurable weights
  5. Build JSON data for charts (donut, heat map, top-5) + HTML tables
  6. Output a single HTML file with embedded CSS and JS for offline-friendly interactive viewing
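
The NSG check from step 3 (rules that expose SSH/RDP to the internet), as an added example that is not taken from Invoke-AzHealthCheck itself: it walks rules in priority order so that an Allow shadowed by a higher-priority Deny is not reported. The function names and sample rules are hypothetical, and only TCP rules with an internet-wide IPv4 source are considered.

```powershell
# Added example, not the script's own code. Sample rules are constructed; property
# names mirror the rule objects in (Get-AzNetworkSecurityGroup).SecurityRules.
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Range -eq "$Port")
}

function Get-ExposedAdminPort {
    param([object[]]$Rules, [int[]]$AdminPorts = @(22, 3389))
    $internet = @('*', 'Internet', '0.0.0.0/0')
    # Keep internet-wide inbound TCP rules, lowest priority number (evaluated first) on top.
    $candidates = $Rules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Protocol -in @('*', 'Tcp') -and
        ($_.SourceAddressPrefix | Where-Object { $_ -in $internet })
    } | Sort-Object Priority
    foreach ($port in $AdminPorts) {
        # The first rule covering the port decides, so a Deny above an Allow shadows it.
        $first = $candidates | Where-Object {
            $_.DestinationPortRange | Where-Object { Test-PortInRange $_ $port }
        } | Select-Object -First 1
        if ($first -and $first.Access -eq 'Allow') {
            [pscustomobject]@{ Port = $port; Rule = $first.Name; Priority = $first.Priority }
        }
    }
}

# Constructed sample: an internet-wide Deny for RDP sits above a broad Allow,
# and a third rule allows SSH from a single documentation range only.
$sampleRules = @(
    [pscustomobject]@{ Name = 'deny-rdp'; Priority = 100; Direction = 'Inbound'; Access = 'Deny'
        Protocol = 'Tcp'; SourceAddressPrefix = @('Internet'); DestinationPortRange = @('3389') }
    [pscustomobject]@{ Name = 'allow-mgmt'; Priority = 200; Direction = 'Inbound'; Access = 'Allow'
        Protocol = '*'; SourceAddressPrefix = @('*'); DestinationPortRange = @('20-25', '3389') }
    [pscustomobject]@{ Name = 'allow-ssh-office'; Priority = 300; Direction = 'Inbound'; Access = 'Allow'
        Protocol = 'Tcp'; SourceAddressPrefix = @('203.0.113.0/24'); DestinationPortRange = @('22') }
)
Get-ExposedAdminPort -Rules $sampleRules | Format-Table -AutoSize
```

For a live NSG, pass `(Get-AzNetworkSecurityGroup -Name <nsg> -ResourceGroupName <rg>).SecurityRules` instead of the sample. Default rules, IPv6 prefixes and the combination of subnet-level and NIC-level NSGs are not modelled.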

Summary

The Azure Health Check script gives you a powerful, automated “bird’s-eye” view of your entire Azure estate — from governance to compute hygiene, storage security, network exposure, and Key Vault safety. With a single run you get a polished, interactive report that’s perfect for stakeholders, audits or cleanup sprints.

If you’re managing multiple subscriptions or want to keep Azure hygiene under control — this is your go-to free health snapshot tool.

Happy auditing — and feel free to fork, adapt or extend!

Author: João Paulo Costa

Microsoft MVP, MCT, MCSA, MCITP, MCTS, MS, Azure Solutions Architect, Azure Administrator, Azure Network Engineer, Azure Fundamentals, Microsoft 365 Enterprise Administrator Expert, Microsoft 365 Messaging Administrator, ITIL v3.
