// Reverse-engineer a live Azure scope (resource group or filtered subscription) into a professional Draw.io architecture diagram. Discovers resources via Azure MCP, infers relationships from resource properties, filters infrastructure-only resources, and generates a diagram following established AzVerify conventions.
Reverse-engineer a live Azure scope (resource group or filtered subscription) into deployment-ready Bicep templates. Discovers resources via Azure MCP, extracts full configurations, generates modular Bicep with parameter files, and documents out-of-scope dependencies that require separate changes.
Compare Bicep templates against a Draw.io Azure architecture diagram to detect resource-level divergence. Reports differences and offers resolution — update Bicep to match the diagram, update the diagram to match Bicep, or selectively resolve per resource.
Check a Bicep template against the Azure Policy assignments in the target Azure environment to determine whether the resources would be compliant before deployment. Uses the checkPolicyRestrictions REST API for fast server-side evaluation, with a legacy CLI fallback. Produces a per-resource compliance report with remediation guidance.
Compare Bicep templates against a live Azure environment by querying Azure directly and parsing the Bicep template. Presents categorized change results (Create, Modify, Delete, No Change) without deploying anything. Does NOT use ARM what-if.
Deep-compare a Draw.io Azure architecture diagram against a live Azure environment — checks both resource existence AND every tracked configuration property (SKU, size, settings, etc.) against expected values. Reports existence drift and property-level drift with severity classification, and offers per-property resolution.
Compare a Draw.io Azure architecture diagram against a live Azure environment to detect drift. Supports quick mode (existence check) and deep mode (full property-level comparison). Reports differences and offers resolution — update the diagram, update Azure, or selectively resolve per resource.
| name | azv-azure-to-diagram |
| description | Reverse-engineer a live Azure scope (resource group or filtered subscription) into a professional Draw.io architecture diagram. Discovers resources via Azure MCP, infers relationships from resource properties, filters infrastructure-only resources, and generates a diagram following established AzVerify conventions. |
| license | MIT |
| metadata | {"author":"AzVerify","version":"1.0","project":"AzVerify"} |
Discover resources in a live Azure scope and generate a Draw.io architecture diagram with proper container hierarchy, verified icons, and inferred relationships.
Input: An Azure scope — a resource group name (primary) or a subscription ID with optional resource type filter. The user can specify the scope or the skill will prompt for it.
Tools required: File system tools (read/write files), Terminal (for running az CLI commands), Azure MCP server tools (mcp_azure_group_resource_list, mcp_azure_compute, mcp_azure_storage, mcp_azure_subscription_list, etc.), Draw.io MCP (mcp_drawio_create_diagram or mcp_draw_io_create_diagram)
This skill frequently handles 20-40+ resources. To avoid hitting the LLM response length limit, follow these rules strictly:
original-request.md file at the end.az resource list with --query to get all resources, rather than per-resource MCP calls where possible.Reference files:
.github/skills/shared/azure-resource-model.md — Shared resource metadata model definition.github/skills/shared/azure-stencil-mapping.json — Azure resource type to Draw.io stencil mapping (includes non-obvious icon paths and naming exceptions).github/skills/shared/azure-resource-configs.md — Per-resource-type configuration schemas with defaultsShared procedures (MUST follow):
.github/skills/shared/procedures/azure-authentication.md — Azure session check procedure.github/skills/shared/procedures/resource-filtering.md — Resource exclusion lists (use "Exclude for Diagrams" column)Follow the procedure in .github/skills/shared/procedures/azure-authentication.md. HARD GATE — stop if not authenticated.
Identify the Azure scope to discover resources from.
If the user specifies a resource group name:
az group show --name <name> — if this fails, report an error and stopIf the user specifies a subscription ID:
If no scope is specified:
Which Azure resource group should I generate a diagram from?
If you want subscription-level discovery, provide a subscription ID instead.
If the user provides a resource type filter (e.g., "only compute and networking resources"):
Microsoft.Compute/*, Microsoft.Network/*)Enumerate all resources in the specified Azure scope.
3a. Resource group scope
Use az resource list --resource-group <rg-name> -o json to enumerate all resources. This single CLI call retrieves all resources with their properties in one batch — prefer this over multiple MCP calls.
Alternatively, use mcp_azure_group_resource_list if the CLI is unavailable.
For each discovered resource, extract:
id — full ARM resource IDname — resource nametype — Azure resource type (e.g., Microsoft.Compute/virtualMachines)location — Azure regiontags — resource tags (used for filtering)Display a single progress line:
Found **N resources** in `<rg-name>` — now filtering and enriching.
3b. Subscription scope
Use Azure MCP tools or az resource list --subscription <sub-id> to discover resources across the subscription. Apply any user-specified resource type filters.
3c. Handle empty results
If no resources are found (or none remain after filtering):
## No Resources Found
No resources were found in `<scope-name>`.
If you expected resources here, verify:
- The resource group name is spelled correctly
- You're connected to the correct subscription (`az account show`)
- Resources have been deployed to this scope
Apply the filtering rules from .github/skills/shared/procedures/resource-filtering.md using the "Exclude for Diagrams" column.
Key difference from Bicep skills: Diagrams exclude monitoring/identity infrastructure (Application Insights, Log Analytics, action groups, user-assigned identities, diagnostic settings). See the "Exclude for Diagrams" column.
If all resources are filtered out, report "No Diagram-Worthy Resources" and stop execution.
Display the filtered resource list (concise):
10 resources: show type summary counts only; save the full list to a temporary resource model file
Write the temporary resource model JSON to the solution folder (create early — see Step 9a). It is an intermediate artifact only and must be deleted before the skill finishes.
If the filtered resource count exceeds 20, warn and offer:
Re-filter if the user selects option 1, then continue.
Use resource-type-specific Azure MCP tools to retrieve detailed properties for relationship inference.
Enrichment targets (by resource type):
| Resource Type | MCP Tool | Properties to Extract |
|---|---|---|
Microsoft.Compute/virtualMachines | mcp_azure_compute | networkProfile.networkInterfaces, storageProfile.osDisk, VM size |
Microsoft.Network/virtualNetworks | Azure MCP | subnets (list of subnet names and address prefixes) |
Microsoft.Network/networkInterfaces | Azure MCP | ipConfigurations[].subnet.id, networkSecurityGroup.id |
Microsoft.Network/privateEndpoints | Azure MCP | privateLinkServiceConnections[].privateLinkServiceId |
Microsoft.Web/sites | Azure MCP | virtualNetworkSubnetId, serverFarmId |
Microsoft.Web/sites (app settings) | az webapp config appsettings list | APPLICATIONINSIGHTS_CONNECTION_STRING, APPINSIGHTS_INSTRUMENTATIONKEY, connection strings referencing other resources (SQL, Cosmos DB, Storage, etc.) |
Microsoft.Web/sites (connection strings) | az webapp config connection-string list | Named connection strings referencing databases, storage, or other resources |
Microsoft.Web/sites (identity) | az webapp identity show | userAssignedIdentities — keys are ARM resource IDs of user-assigned managed identities |
Microsoft.Storage/storageAccounts | mcp_azure_storage | networkRuleSet, privateEndpointConnections |
Microsoft.KeyVault/vaults | Azure MCP | networkAcls, privateEndpointConnections |
Microsoft.ManagedIdentity/userAssignedIdentities | az role assignment list --assignee <principalId> --all | Role assignments — each scope references a target resource |
Enrichment process:
Prefer batch CLI enrichment over per-resource MCP calls to reduce output volume:
az resource list --resource-group <rg> -o json with --query to get all resources with their full properties in one call. Parse the JSON output to extract relationship-relevant properties.az webapp config appsettings list for App Service app settings).Output discipline during enrichment:
Enriched N resources (K via batch query, J via targeted API calls, W warnings).
Graceful fallback: If a resource-type-specific MCP tool fails or is unavailable:
Analyze enriched resource properties to discover relationships. Apply these patterns:
| Pattern | Detection | Relationship | Edge Style |
|---|---|---|---|
| VNet/Subnet containment | VNet has subnets property | Container nesting | — |
| NIC→VM→Subnet | VM networkProfile.networkInterfaces → NIC ipConfigurations[].subnet.id | connects, place VM in subnet | strokeColor=#0078D4 |
| Private Endpoint | PE privateLinkServiceConnections[].privateLinkServiceId references target | secures | strokeColor=#E81123 |
| Diagnostic Settings | Resource targets Log Analytics/Storage | depends | strokeColor=#999999, dashed |
| Key Vault References | Config contains @Microsoft.KeyVault(SecretUri=...) | secures | strokeColor=#E81123 |
| App Service Plan | Web App serverFarmId references ASP | depends | strokeColor=#999999, dashed |
| App Insights | App settings contain APPLICATIONINSIGHTS_CONNECTION_STRING matching AI resource | connects | strokeColor=#0078D4 |
| Connection Strings | App settings contain SQL/Cosmos/Storage/Redis server names matching discovered resources | connects | strokeColor=#0078D4 |
| Named Connection Strings | az webapp config connection-string list entries reference database or storage resources in the same RG | connects | strokeColor=#0078D4 |
| User-Assigned Identity | Web App userAssignedIdentities keys contain ARM ID of a discovered managed identity | secures | strokeColor=#E81123 |
| RBAC Role Assignment | Managed identity has role assignments whose scope matches a discovered resource's ARM ID | secures | strokeColor=#E81123 |
| Co-located Resource Inference | When a Key Vault or Storage Account exists in the same RG as a Web App/Function App and no other consumer is found, infer a connects relationship (apps commonly use co-located KV and Storage even when the link isn't visible in app settings) | connects | strokeColor=#0078D4 |
Co-located resource inference rules:
(inferred) in the relationship output so the user can verifyResources with no relationships are placed directly inside their resource group container.
Output (concise): ≤10 relationships → inline table. >10 → count summary + save to the temporary resource model file:
Inferred **N relationships** (saved to a temporary resource model file). Key: 3 subnet placements, 2 PEs, 4 data connections.
Build the Draw.io diagram XML from the resource model and inferred relationships following the shared conventions in .github/skills/shared/drawio-diagram-conventions.md.
Follow all diagram construction rules: canvas format, stencil mapping lookup, resource shapes and icon paths, container hierarchy (Resource Group → VNet → Subnet), edge rules, VNet Integration special case, and layout patterns (left-to-right flow, 2×2 zone grid, hub-and-spoke, semantic proximity, sizing).
Multi-page diagrams: When the resource group includes networking subnets or monitoring resources, generate additional pages alongside "Architecture Overview":
.github/skills/shared/drawio-diagram-conventions.md section 7e. Use a 3-column × N-row subnet grid grouped by function tier. Place supporting resources (ASPs, Managed Identities, WAF) inside their parent subnets — never in a scattered row at the bottom of the VNet. Add per-subnet route table icons instead of radiating edges from a central icon. Target pageWidth="1800" pageHeight="1600" — the page MUST NOT require horizontal scrolling on a 1920px display.pageWidth="1800" is sufficient.8f. Generate the diagram
Use the Draw.io MCP tool (mcp_drawio_create_diagram or mcp_draw_io_create_diagram) to create the .drawio file with the assembled XML.
Output discipline for diagram generation:
Diagram created with N resource cells and M edges.Create a solution folder containing the generated diagram and metadata.
9a. Create the folder (do this early — at the start of Step 4)
Create the solution folder as soon as the scope is confirmed, so intermediate files (including a temporary resource model JSON file) can be written to it during discovery and enrichment.
MyAppRG → folder my-app-rg/my-app-rg-2/9b. Save the diagram
.drawio file inside the solution folder<folder-name>.drawio9c. Create original-request.md
Document the discovery in original-request.md with: source scope, subscription, discovery date, resource counts, full resource table (Resource, Type, Location), full relationship table (Source, Relationship, Target), and notes pointing to related skills (azv-bicep-diagram-sync, azv-diagram-to-bicep). Full tables go here, not in the chat response.
9d. Clean up intermediate files
Delete all intermediate files from the solution folder before you finish — only final deliverables should remain. This includes the temporary resource model JSON file, resource-list-raw.json, and any extract-*.json files written during discovery. Never leave the resource model JSON in the repository or output folder after the skill completes; its content must be incorporated into original-request.md and the diagram.
9e. Present completion (concise)
Show: folder path, diagram file with resource count, original-request.md, resource/relationship/excluded counts, and next steps pointing to azv-diagram-to-bicep and azv-diagram-azure-sync.