Discovery + Compliance modes
Discovery gives you an inventory snapshot. Compliance compares each resource's configuration against expected baselines, flagging drifts and gaps.
READ-ONLY · BROWSER-ONLY · NO INSTALL
Audit your Azure resources
in five minutes flat.
Paste a Cloud Shell access token, pick a resource group, and get a structured Excel report of every resource, its configuration, and its compliance gaps. No agent, no app registration, nothing written back to Azure.
Read-only — never writes to Azure
Token stays in your browser
Excel export, mid-audit OK
How it works
Five guided steps. No app to install, no service principal to register, no IT ticket required.
- 01
Get your token
Run one Azure Cloud Shell command and paste the output.
~1 min - 02
Pick subscription
We list every subscription your account can read.
~30 sec - 03
Resource group
Type the name — we validate and count what's inside.
~30 sec - 04
Choose resources
Grouped by type. Select one, several, or everything.
~1 min - 05
Audit + export
Live results stream in. Export to Excel any time.
1–3 min
Built for security and platform teams
Two audit modes, an Excel-native report format, and zero attack surface in your tenant.
Excel-native output
Reports drop into Excel with proper styling, frozen headers, and conditional formatting. No CSV-to-spreadsheet wrangling for downstream stakeholders.
Zero tenant footprint
No app registration, no service principal, no agent. Authentication uses your existing Azure identity via a short-lived Cloud Shell token.
The report is the product.
Fully styled workbooks — README, Audit Data, Errors, Summary. Shareable in Teams, attachable to tickets, openable in Excel on day one.
compliance.xlsx · Audit Data
powered by AZCheck · a lensory product
Resource Group
Resource
Type
Setting
Expected
Current
Status
Comments
rg-contoso-web-demo
stcontosowebdemo
Storage/Account
supportsHttpsTrafficOnly
true
true
Pass
rg-contoso-web-demo
stcontosowebdemo
Storage/Account
minimumTlsVersion
TLS1_2
TLS1_2
Pass
rg-contoso-web-demo
stcontosowebdemo
Storage/Account
allowBlobPublicAccess
false
true
Fail
Disable blob public access
rg-contoso-web-demo
kv-contoso-demo
KeyVault/Vault
enableSoftDelete
true
true
Pass
rg-contoso-web-demo
kv-contoso-demo
KeyVault/Vault
enablePurgeProtection
false
N/A
AZCheck v1 · Template v1.0 · 5 of 7 rows
powered by AZCheck · a lensory product
Privacy by design
If your security review asks where the data goes — the honest answer is "nowhere." Here's why.
Token never leaves your browser
Your Azure access token is held in JavaScript memory only — never written to localStorage, never sent to any server other than the official Azure Resource Manager API at management.azure.com.
Read-only by construction
The tool issues only HTTP GET requests against ARM. There are no PUT, POST, PATCH, or DELETE code paths. Your Azure RBAC also enforces this server-side.
No backend, no telemetry
The Excel report is generated client-side using a JavaScript library. Audit results never transit a third-party server. Close the tab and every trace is gone.
Your existing permissions apply
Reader role on the resource group is sufficient. The audit fetches the same configuration data you can already view in the Azure Portal — nothing more, nothing less.
Frequently asked questions
Quick answers to the things security and platform teams usually ask first.
Does this tool write anything to my Azure tenant?
No. Every Azure call uses HTTP GET against the Azure Resource Manager API. The tool has no write code paths. Your existing Azure RBAC permissions also enforce this server-side.
Where is my access token stored?
Your token lives in browser memory for the duration of the tab. It is never persisted to disk, never sent to any server other than Azure itself, and is destroyed the moment you close the tab.
Do I need to register an Azure app or service principal?
No. You authenticate by pasting an access token from Azure Cloud Shell, which uses your existing identity. Nothing needs to be registered, granted, or installed in your tenant.
What permissions do I need?
Reader role on the resource group you want to audit is sufficient. The audit fetches the same configuration data you can already see in the Azure Portal.
How long does an audit take?
Most resource groups complete in 1–3 minutes. Results stream in live as each resource is fetched, and you can export to Excel at any point — even mid-audit.
What's the difference between Discovery and Compliance modes?
Discovery gives you an inventory snapshot — every resource and its current configuration. Compliance additionally compares each property against an expected value baseline and flags drifts, missing tags, and other gaps.
Ready to see what's in your resource group?
Five minutes, no install, no sign-up.
Start audit →